Re: NAT for dual-WAN with public and private LAN

2018-02-19 Thread Martin Schröder
2018-02-17 15:08 GMT+01:00 miraculli . :
> I just got a second ADSL-uplink installed and now I try to reconfigure my
> pf.conf to load-balance NAT over both connections.

Just a reminder: NAT is not security and IPv6 should be the default.

https://youtu.be/v26BAlfWBm8

Best
Martin



Re: NAT for dual-WAN with public and private LAN

2018-02-18 Thread Thomas Huber
One additional question regarding this topic:

Basically I tried to follow /faq/pf/pools.html.
In the example, there is an additional rule to keep
https-traffic on one single connection, which I understand as
skipping load-balancing for https completely.
The load-balancing itself is done with the 'round-robin' method.

So I ask myself why not
a) use the 'least-states' method to maybe balance more evenly?

b) use 'sticky-address' to avoid the problems with https-traffic
and make use of both WAN-connections for https-traffic?

Both options ('route-to  least-states sticky-address') seem to
work fine for me, but maybe I am missing something in the big picture?

Thanks
Thomas


Re: NAT for dual-WAN with public and private LAN

2018-02-18 Thread miraculli .
On 17 February 2018 at 23:07, Richard Procter wrote:
>
>
> On 18/02/2018, at 8:39 AM, Richard Procter wrote:
>
> > Hi,
> >
> > I've never attempted such a setup so the following are general pointers
> > which may be mistaken.
> >
> > On 18/02/2018, at 3:08 AM, miraculli . wrote:
> > [...]
> > I would attempt a simpler config first. I suspect you're following
> > the advice in https://www.openbsd.org/faq/pf/pools.html - which is
> >
> > pass in on $int_if from $lan_net \
> >route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >round-robin
> >
> > Only once this is working attempt to use the egress group as a short-hand.
> >
> >> # START: here I want to block wifi-guests to have access to office-lan but
> >> doesn't seem to work too.
> >> block return out from vlan64:network to vlan32:network
> >> #END
> >
> > I would block this on the input side -- IIRC by the time the packet
> > has reached the output side it has already had its source address
> > rewritten by NAT. e.g.
> >
> > block in on $wifi_if to $office_if:network
> > block in on $office_if to $wifi_if:network # probably also want this converse
>
> actually a simpler way to achieve this would be to preface the rules with
>
> block
>
> and then explicitly allow the traffic you want to pass, e.g.
>
> pass out inet
> pass in on ${int_if}
>
> (these rules apply only to new flows; e.g. if you make an outbound
> TCP connection, and the rules allow it, pf will then create a state that
> allows traffic in the reverse direction through; there's no need to
> specify this explicitly in the rules, and in fact the rules won't be
> consulted if a matching state already exists for a packet. One way to
> inspect existing states is via # systat state).
>
> >
> >> pass in on egress inet proto icmp icmp-type $icmp_types
> >
> > the icmp_types are probably too restrictive. e.g. TCP relies on
> > ICMP fragmentation-needed messages to implement MTU path discovery
> > over IPv4. OpenBSD implements secure defaults in its own handling
> > of ICMP so far as I know. e.g. it ignores ICMP redirects by default.
> >
> > $ sysctl net.inet.icmp.rediraccept
> > net.inet.icmp.rediraccept=0
> >
> > I myself am comfortable with
> >
> > pass inet proto icmp
> >
> > at the end of my pf.conf. (but I do not consider myself an
> > authority on pf configuration!)
> >
> >
> > good luck!
> >
> > Richard.
> >

Hi Richard,
and misc,

thanks for your advice and motivation to tinker a little bit more!
I think I got it working... at least tcpdump and pftop show something is
going on on both pppoe-links.

Just for the record, here is my new pf.conf, which I also simplified and
made more explicit.
It seems to work with interface-groups like vlan, pppoe.
Maybe I misunderstand what egress is meant for, but anyway, I could
achieve the same with pppoe.


table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }
set block-policy drop
#set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on pppoe0 from vlan:network nat-to (pppoe0)
match out on pppoe1 from vlan:network nat-to (pppoe1)
block in quick on pppoe from  to any
block return out quick on pppoe from any to 
block all
pass out on vlan to vlan:network
pass in quick on vlan from vlan:network to vlan
pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)} round-robin
pass out on pppoe
block return in on vlan from vlan64:network to vlan32:network
pass in on egress inet proto icmp all
pass in on egress inet proto tcp from any to (egress) port 22


Still one thing to achieve: prefer vlan32 packets over vlan64.

Thanks a lot so far
Thomas
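Pulling the thread's advice together (filter guest traffic on the inbound side before route-to/nat-to act on it, default deny with explicit allows, and the `least-states sticky-address` variant raised in the follow-up question), here is an added example pf.conf. It is not any poster's file; it assumes the interface names used in the thread and uses the placeholder table name `<bogons>` for the table whose name was lost from the quoted configs.

```pf
# Interfaces as described in the thread (assumed names)
guest_if="vlan64"                 # hotel guest Wi-Fi
office_if="vlan32"                # office LAN
# Private/bogon ranges that must never cross the WAN side.
# <bogons> is a placeholder name; the thread's own table name was lost.
table <bogons> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 \
    198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3 }

set block-policy drop
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)

# One nat-to per uplink, so the source address always matches the
# interface the packet actually leaves on.
match out on pppoe0 from vlan:network nat-to (pppoe0)
match out on pppoe1 from vlan:network nat-to (pppoe1)

# Drop spoofed/bogon traffic at the WAN edge, in both directions.
block in quick on pppoe from <bogons> to any
block return out quick on pppoe from any to <bogons>

# Default deny; every rule below is an explicit allow.
block all

# Guest isolation: filter on the *inbound* side of the guest VLAN, before
# route-to or nat-to can touch the packet, and use quick so the later
# catch-all route-to rule cannot win as the last matching rule.
block return in quick on $guest_if from $guest_if:network to $office_if:network

# Traffic between the router's own VLANs (office -> guest, or either VLAN
# to the router) stays local; quick keeps it away from the route-to rule.
pass in quick on vlan from vlan:network to vlan:network
pass out on vlan to vlan:network

# Everything else from the LANs goes to the internet over both uplinks.
# least-states picks the uplink with fewer open states; sticky-address
# pins a client to one uplink so HTTPS sessions keep one public address.
pass in on vlan from vlan:network \
    route-to { (pppoe0 pppoe0:network), (pppoe1 pppoe1:network) } \
    least-states sticky-address
pass out on pppoe

# From the internet: ICMP (PMTU discovery needs more than echo) and SSH.
pass in on pppoe inet proto icmp all
pass in on pppoe inet proto tcp from any to (pppoe) port 22
```

Check the result with `pfctl -nf` before loading it, and watch `systat states` from a guest client to confirm its states exist on one uplink only.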


NAT for dual-WAN with public and private LAN

2018-02-17 Thread miraculli .
Hi misc,

I just got a second ADSL-uplink installed and now I try to reconfigure my
pf.conf to load-balance NAT over both connections.
Just to be more concrete:
It is a Hotel-Setup with a guest accessible public Wifi-LAN (Ubiquiti UniFi
Devices)
and a private LAN for Office-Devices.

I use a PC-Engines APU2c4 with OpenBSD -stable (syspatched) as router
which has two ADSL-modems in bridge-mode attached:

* em0 -> pppoe0 (dynamic IP)
* em1 -> pppoe1 (fixed IP)

both connections seem to be fine:

$ ifconfig pppoe
pppoe0: flags=8851 mtu 1492
index 8 priority 0 llprio 3
dev: em0 state: session
sid: 0x219f PADI retries: 1 PADR retries: 0 time: 708d 10:27:47
sppp: phase network authproto pap
groups: pppoe egress
status: active
inet6 fe80::20d:b9ff:fe43:43b4%pppoe0 ->  prefixlen 64 scopeid 0x8
inet 87.174.xxx.xxx --> 87.186.xxx.xxx netmask 0x
pppoe1: flags=8851 mtu 1492
index 10 priority 0 llprio 3
dev: em1 state: session
sid: 0x1dd7 PADI retries: 3 PADR retries: 0 time: 03:01:57
sppp: phase network authproto pap
groups: pppoe
status: active
inet6 fe80::20d:b9ff:fe43:43b4%pppoe1 ->  prefixlen 64 scopeid 0xa
inet 217.86.xxx.xxx --> 217.5.xxx.xxx netmask 0x


Further I created two vlans over em2, one for the public wifi (vlan64) and
one for private lan (vlan32)

$ cat /etc/hostname.vlan32
inet 10.10.10.1 255.255.255.0 10.10.10.255 vlan 32 vlandev em2

$ cat /etc/hostname.vlan64
inet 10.64.0.1 255.192.0.0 10.127.255.255 vlan 64 vlandev em2


My pf.conf for the single WAN-uplink looks like this.
I outlined the parts where I try to do the dual-WAN-NAT without success so
far.
My idea is to add pppoe1 to group egress.
But even without that I lose internet-connection for all my
network-clients.


# cat /etc/pf.conf

#   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if="{ vlan32 vlan64 }"
ext_if="{ pppoe0 pppoe1 }"
icmp_types="{ echoreq }"
icmp6_types="{ echoreq }"
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress from !(egress:network) to any nat-to (egress)
block in quick on egress from  to any
block return out quick on egress from any to 
block all
pass out quick inet
pass in on $int_if inet

# START: here I'm playing around to get NAT working
pass in on vlan inet route-to (egress egress:network) round-robin
pass in on vlan proto tcp from vlan:network to port https route-to (egress egress:network)
# END

# START: here I want to block wifi-guests to have access to office-lan but
# doesn't seem to work too.
block return out from vlan64:network to vlan32:network
#END

pass in on egress inet proto icmp icmp-type $icmp_types
pass in on egress inet6 proto icmp6 all
pass in on egress inet proto tcp from any to (egress) port 22
pass in on egress inet6 proto tcp from any to (egress) port 22



#pfctl -nf /etc/pf.conf
seems to be fine too.




I want to achieve three things:

1.) proper load balancing over both WAN-uplinks

2.) reject access from public-wifi (vlan64) to office-lan (vlan32)

3.) always prefer packets from vlan32 over vlan64

4.) general advice for this setup if you spot some problems I'm not aware
of. ;-)


Thanks in advance, I hope someone can help!

best,
Thomas


# dmesg

OpenBSD 6.2 (GENERIC.MP) #5: Fri Feb  2 23:02:19 CET 2018
r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/
GENERIC.MP