Re: NAT for dual-WAN with public and private LAN
2018-02-17 15:08 GMT+01:00 miraculli . :
> I just got a second ADSL-uplink installed and now I try to reconfigure my
> pf.conf to load-balance NAT over both connections.

Just a reminder: NAT is not security and IPv6 should be the default.

https://youtu.be/v26BAlfWBm8

Best
Martin
Re: NAT for dual-WAN with public and private LAN
One additional question regarding this topic:

Basically I tried to follow /faq/pf/pools.html. In the example, there is an additional rule to keep https-traffic on one single connection, which I understand as skipping load-balancing for https completely. The load-balancing itself is done with the 'round-robin' method.

So I ask myself why not

a) use the 'least-states' method to maybe balance more evenly?
b) use 'sticky-address' to avoid the problems with https-traffic and make use of both WAN-connections for https-traffic?

Both options ('route-to least-states sticky-address') seem to work fine for me but maybe I miss something in the big picture?

Thanks
Thomas
Re: NAT for dual-WAN with public and private LAN
On 17 February 2018 at 23:07, Richard Procter wrote:
>
>
> On 18/02/2018, at 8:39 AM, Richard Procter wrote:
>
> > Hi,
> >
> > I've never attempted such a setup so the following are general pointers
> > which may be mistaken.
> >
> > On 18/02/2018, at 3:08 AM, miraculli . wrote:
> > [...]
> > I would attempt a simpler config first. I suspect you're following
> > the advice in https://www.openbsd.org/faq/pf/pools.html - which is
> >
> > pass in on $int_if from $lan_net \
> >         route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >         round-robin
> >
> > Only once this is working attempt to use the egress group as a short-hand.
> >
> >> # START: here I want to block wifi-guests to have access to office-lan but
> >> doesn´t seem to work too.
> >> block return out from vlan64:network to vlan32:network
> >> #END
> >
> > I would block this on the input side -- IIRC by the time the packet
> > has reached the output side it has already had its source address
> > rewritten by NAT. e.g.
> >
> > block in on $wifi_if to $office_if:network
> > block in on $office_if to $wifi_if:network # probably also want this converse
>
> actually a simpler way to achieve this would be to preface the rules with
>
> block
>
> and then explicitly allow the traffic you want to pass, e.g.
>
> pass out inet
> pass in on ${int_if}
>
> (these rules apply only to new flows; e.g. if you make an outbound
> TCP connection, and the rules allow it, pf will then create a state that
> allows traffic in the reverse direction through; there's no need to
> specify this explicitly in the rules, and in fact the rules won't be
> consulted if a matching state already exists for a packet. One way to
> inspect existing states is via # systat state).
>
> >
> >> pass in on egress inet proto icmp icmp-type $icmp_types
> >
> > the icmp_types are probably too restrictive. e.g. TCP relies on
> > ICMP fragmentation-needed messages to implement MTU path discovery
> > over IPv4. OpenBSD implements secure defaults in its own handling
> > of ICMP so far as I know. e.g. it ignores ICMP redirects by default.
> >
> > $ sysctl net.inet.icmp.rediraccept
> > net.inet.icmp.rediraccept=0
> >
> > I myself am comfortable with
> >
> > pass inet proto icmp
> >
> > at the end of my pf.conf. (but I do not consider myself an
> > authority on pf configuration!)
> >
> >
> > good luck!
> >
> > Richard.
>

Hi Richard, and misc,

thanks for your advice and motivation to tinker a little bit more! I think I got it working... at least tcpdump and pftop show something is going on on both pppoe-links.

Just for the record, here is my new pf.conf which is also simplified and made more explicit. It seems to work with interface-groups like vlan, pppoe. Maybe I misunderstand what egress is meant for but anyways, I could achieve the same with pppoe

table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
        192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
        203.0.113.0/24 }

set block-policy drop
#set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on pppoe0 from vlan:network nat-to (pppoe0)
match out on pppoe1 from vlan:network nat-to (pppoe1)

block in quick on pppoe from to any
block return out quick on pppoe from any to

block all

pass out on vlan to vlan:network
pass in quick on vlan from vlan:network to vlan
pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)} round-robin
pass out on pppoe

block return in on vlan from vlan64:network to vlan32:network

pass in on egress inet proto icmp all
pass in on egress inet proto tcp from any to (egress) port 22

Still one thing to achieve: prefer vlan32 packets over vlan64.

Thanks a lot so far
Thomas
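An added example that is not any of the configurations posted in this thread: it combines Richard's advice to block guest-to-office traffic on the input side (before nat-to rewrites the source address), Thomas's 'least-states sticky-address' variant from the follow-up question, and pf's set prio as one way to address the still-open wish to prefer vlan32 packets over vlan64. The table name <martians> (lost in the archived posts) and the macro names are assumptions; the interface names are the ones from the thread.

```pf
# Added example, not the thread's own pf.conf. Interface names as in the
# thread; <martians> and the macro names are assumed.
wan0      = "pppoe0"
wan1      = "pppoe1"
office_if = "vlan32"
guest_if  = "vlan64"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
        192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 }

set block-policy drop
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# NAT to whichever uplink route-to selected; the parentheses make pf
# follow the dynamic address on pppoe0.
match out on $wan0 from vlan:network nat-to ($wan0)
match out on $wan1 from vlan:network nat-to ($wan1)

# Office traffic is queued ahead of guest traffic when an uplink is
# congested; the second value of each pair is used for TCP ACKs and
# lowdelay packets (see set prio in pf.conf(5)).
match in on $office_if set prio (4, 6)
match in on $guest_if  set prio (1, 3)

# Bogon filtering on both uplinks.
block in quick on pppoe from <martians> to any
block return out quick on pppoe from any to <martians>

# Default deny; every allow below is explicit.
block all

# Guest -> office is stopped on input, before NAT; quick so that no
# later pass rule can override it.
block return in quick on $guest_if from $guest_if:network to $office_if:network

# LAN clients may reach the router itself and the internet. least-states
# picks the uplink with fewer active states; sticky-address keeps all
# flows of one client (e.g. its HTTPS sessions) on the same uplink.
pass in quick on vlan from vlan:network to vlan
pass in on vlan from vlan:network \
        route-to { ($wan0 $wan0:network), ($wan1 $wan1:network) } \
        least-states sticky-address
pass out on pppoe

# Inbound to the router on the uplinks: ICMP (incl. fragmentation-needed
# for path MTU discovery) and ssh.
pass in on pppoe inet proto icmp
pass in on pppoe inet proto tcp from any to (pppoe) port 22
```

Check it with pfctl -nf before loading; set prio only takes effect on interfaces whose output queues honour priorities.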
NAT for dual-WAN with public and private LAN
Hi misc,

I just got a second ADSL-uplink installed and now I try to reconfigure my pf.conf to load-balance NAT over both connections.

Just to be more concrete: It is a Hotel-Setup with a guest accessible public Wifi-LAN (Ubiquiti UniFi Devices) and a private LAN for Office-Devices. I use a PC-Engines APU2c4 with OpenBSD -stable (syspatched) as router which has two ADSL-modems in bridge-mode attached:

* em0 -> pppoe0 (dynamic IP)
* em1 -> pppoe1 (fixed IP)

both connections seem to be fine:

$ ifconfig pppoe
pppoe0: flags=8851 mtu 1492
        index 8 priority 0 llprio 3
        dev: em0 state: session
        sid: 0x219f PADI retries: 1 PADR retries: 0 time: 708d 10:27:47
        sppp: phase network authproto pap
        groups: pppoe egress
        status: active
        inet6 fe80::20d:b9ff:fe43:43b4%pppoe0 -> prefixlen 64 scopeid 0x8
        inet 87.174.xxx.xxx --> 87.186.xxx.xxx netmask 0x
pppoe1: flags=8851 mtu 1492
        index 10 priority 0 llprio 3
        dev: em1 state: session
        sid: 0x1dd7 PADI retries: 3 PADR retries: 0 time: 03:01:57
        sppp: phase network authproto pap
        groups: pppoe
        status: active
        inet6 fe80::20d:b9ff:fe43:43b4%pppoe1 -> prefixlen 64 scopeid 0xa
        inet 217.86.xxx.xxx --> 217.5.xxx.xxx netmask 0x

Further I created two vlans over em2, one for the public wifi (vlan64) and one for private lan (vlan32)

$ cat /etc/hostname.vlan32
inet 10.10.10.1 255.255.255.0 10.10.10.255 vlan 32 vlandev em2

$ cat /etc/hostname.vlan64
inet 10.64.0.1 255.192.0.0 10.127.255.255 vlan 64 vlandev em2

My pf.conf for the single WAN-uplink looks like this. I outlined the parts where I try to do the dual-WAN-NAT without success so far. My idea is to add pppoe1 to group egress. But even without that I lose internet-connection for all my network-clients.
# cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if="{ vlan32 vlan64 }"
ext_if="{ pppoe0 pppoe1 }"
icmp_types="{ echoreq }"
icmp6_types="{ echoreq }"

table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
        192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
        203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress from !(egress:network) to any nat-to (egress)

block in quick on egress from to any
block return out quick on egress from any to

block all

pass out quick inet
pass in on $int_if inet

# START: here I´m playing around to get NAT working
pass in on vlan inet route-to (egress egress:network) round-robin
pass in on vlan proto tcp from vlan:network to port https route-to (egress egress:network)
# END

# START: here I want to block wifi-guests to have access to office-lan but doesn´t seem to work too.
block return out from vlan64:network to vlan32:network
#END

pass in on egress inet proto icmp icmp-type $icmp_types
pass in on egress inet6 proto icmp6 all
pass in on egress inet proto tcp from any to (egress) port 22
pass in on egress inet6 proto tcp from any to (egress) port 22

#pfctl -nf /etc/pf.conf seems to be fine too.

I want to achieve three things:

1.) proper load balancing over both WAN-uplinks
2.) reject access from public-wifi (vlan64) to office-lan (vlan32)
3.) always prefer packets from vlan32 over vlan64
4.) general advice for this setup if you spot some problems I´m not aware of. ;-)

Thanks in advance, I hope someone can help!

best,
Thomas

# dmesg
OpenBSD 6.2 (GENERIC.MP) #5: Fri Feb 2 23:02:19 CET 2018