Dear @misc

We want to implement a transparent router.
We have some different public subnets (/27, /28).
All public subnets come in on one interface - "WAN".

We want to "forward" incoming traffic to an internal VLAN.
Every device in this VLAN has a public IP address.
We don't want routing for this VLAN!
We want to filter the traffic to the VLAN (with PF).

We came up with the following solution for this:

 * em0 - public WAN interface
 * em1 - filtered "WAN" interface
   the internal VLAN is connected here - switch port, native VLAN
 * veb0 - we made a bridge (VEB) between em0 and em1
   we set it up with:
   - link0 - it is necessary for the traffic to get to PF
 * vport0 - public IP address
 * PF has a global block rule "block log all"

hostname.veb0
add em0
add em1
add vport0
maxaddr 256
link1
up

hostname.vport0
inet x.x.213.222 255.255.255.224
description "WAN-xxx"
-inet6
up

pf.conf

This works fine!
If I allow the traffic to the public IP address in the VLAN, then it works.
This requires the "link1" setting; if link0 is set, it still works, only the traffic does not enter PF.
That's fine, it's normal operation. - https://man.openbsd.org/veb.4

But! :)
I want to NAT from local subnet(s), and the traffic does not go out.

The problem:
Simple NAT rule:
pass  out log on vport0    from $MGMT_LAN            to !<bld> nat-to xxx.xxx.213.222

is working; packets go to the vport interface:
13:12:47.401285 xxx.xxx.213.222 > 8.8.8.8: icmp: echo request (id:af4c seq:1283) [icmp cksum ok] (DF) (ttl 63, id 9289, len 84)
13:12:48.425303 xxx.xxx.213.222 > 8.8.8.8: icmp: echo request (id:af4c seq:1284) [icmp cksum ok] (DF) (ttl 63, id 9385, len 84)
But only to the vport interface!!!

The VEB bridge does not work from this direction!
The packets don't move to em0, em1.
PF did not block these packets (pflog), and there is no traffic on em0, em1 ...
This traffic is NATed to vport0 and doesn't move out (to em0).

If I change the link1 option to link0 on veb0,
NAT works, but incoming public traffic is not included in PF.

How could the veb bridge be used for outgoing traffic with the link1 option?


--
Regards
Gábor Szél
------------
email:gabor.s...@wantax.eu
