3 gateways problem
Claudiu Dragalia-Paraipan
dr.clau at gmail.com
Tue Nov 30 11:01:10 PST 2004
Hi,
Maybe this helps you. It is part of the PF FAQ, which you can find at
http://www.openbsd.org/faq/pf/
---------- http://cvs.openbsd.org/faq/pf/pools.html
...
To ensure that packets with a source address belonging to $ext_if1 are
always routed to $ext_gw1 (and similarly for $ext_if2 and $ext_gw2), the
following two lines should be included in the ruleset:
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
to any
Finally, NAT can also be used on each outgoing interface:
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
...
----------
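As an added illustration (not part of the FAQ excerpt above and not either poster's configuration), the FAQ's symmetric route-to pattern extended from two external interfaces to three, which is the shape of the setup asked about below. The macros $ext_if1..3, $ext_gw1..3, $int_if and $lan_net follow the FAQ's naming; every interface name and address in them is a placeholder. The inbound round-robin rule on the internal interface mirrors the load-balancing rule from the preceding section of the same FAQ page, which the excerpt elides.

```pf
# Added example: the PF FAQ's symmetric route-to pattern, extended from two
# to three external interfaces. All macro values are placeholders.
int_if="rl0"
ext_if1="rl1"
ext_if2="rl2"
ext_if3="rl3"
ext_gw1="192.0.2.1"        # placeholder gateway reachable via ext_if1
ext_gw2="198.51.100.1"     # placeholder gateway reachable via ext_if2
ext_gw3="203.0.113.1"      # placeholder gateway reachable via ext_if3
lan_net="192.168.0.0/16"

# Spread new outbound LAN connections across the three links (the FAQ's
# load-balancing rule, with a three-entry pool instead of two).
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2), ($ext_if3 $ext_gw3) } \
    round-robin from $lan_net to any keep state

# A packet that would leave on one external interface but carries the source
# address of another is handed to that other interface's gateway instead.
# With N external interfaces this takes N*(N-1) rules, one per ordered pair;
# the FAQ's two-interface case is the first and third rule below.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if1 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if2 route-to ($ext_if3 $ext_gw3) from $ext_if3 to any
pass out on $ext_if3 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if3 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

# NAT on each outgoing interface, as in the FAQ, so LAN traffic leaving on
# any link is sourced from that link's own address.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if3 from $lan_net to any -> ($ext_if3)
```

The point of the six pass out rules is that the cross-interface correction has to exist for every pair, not just in one direction: a ruleset that only steers one host's traffic to a single gateway (as in the route-to rule quoted below) leaves replies for the other two links at the mercy of the default route. Syntax-check a fragment like this with `pfctl -nf /etc/pf.conf` before loading it.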
Robert M wrote:
> Hello,
>
> I have a problem with source routing via 3 gateways.
>
> All I need is to be able to get into my local machine
> via an 'rdr' rule.
>
> All connections are routed via firewall box
> with 4 ethernet cards.
>
> I don't want this done via a 'binat' rule as I only
> want to rdr some ports.
>
> When telnetting from an external host to:
> 83.16.196.130 port 22 -> I want to be redirected to
> 192.168.1.1 port 22
> As well as:
> 194.110.229.163 port 22 -> 192.168.1.1 22
>
> This also can be done by adding a new IP, e.g. 192.168.1.2,
> to my local machine, but it requires daemon binding
> setting changes.. so I'd rather not.
>
> The problem is that 1/2 connections are established
> properly.
>
> I assume it's a problem with the rule:
> pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
>
> where the system doesn't know which gateway should be
> used for the return packet.
>
> Below is my pf.conf (sorry it's messy a little).
>
> OS: FreeBSD fw 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Fri Jul 16 16:17:52 UTC 2004 root at fw:/usr/obj/usr/src/sys/TUNED i386
>
> Thank you!
>
> Regards,
> Robert
>
> ------- pf.conf -----
> # vars
> ifInt="rl0"
> ifDSL1="rl1"
> ifDSL2="rl2"
> ifDSL3="rl3"
>
> exLocal="192.168.0.3"
> exDSL3="194.110.229.164"
> robertLocal="192.168.0.4"
> robertDSL3="194.110.229.165"
> develDSL3="194.110.229.163"
> fwDSL3="194.110.229.162"
>
> ## networks
> netDSL1="83.16.196.120/29" # dsl1
> gwDSL1="83.16.196.121" # gw
>
> netDSL2="83.16.196.128/29" # dsl2
> gwDSL2="83.16.196.129" # gw
>
> netPSN="192.168.0.0/24" # Private Service Network (
>
> netDMZ="192.168.1.0/24" # Demilitarized Zone (hostDevel)
> hostDevel="192.168.1.1" # devel
> netLocal="192.168.0.0/16" # psn+dmz
>
> netDSL3="194.110.229.160/27" # DSL3
> gwDSL3="194.110.229.161" # gw
>
> ## altq
> altq on $ifDSL1 priq bandwidth 250Kb queue { q1pri, q1ssh, q1def }
> queue q1pri priority 7
> queue q1ssh priority 5
> queue q1def priority 1 priq(default)
>
> altq on $ifDSL2 priq bandwidth 250Kb queue { q2pri, q2ssh, q2def }
> queue q2pri priority 7
> queue q2ssh priority 5
> queue q2def priority 1 priq(default)
>
> altq on $ifDSL3 priq bandwidth 2000Kb queue { q3pri, q3ssh, q3def }
> queue q3pri priority 7
> queue q3ssh priority 5
> queue q3def priority 1 priq(default)
>
> ## nat 1:n (output)
> nat on $ifDSL1 from $netLocal to ! $netLocal -> 83.16.196.122 # dsl1
> nat on $ifDSL2 from $hostDevel to ! $netLocal -> 83.16.196.130 # dsl2
> nat on $ifDSL2 from $netLocal to ! $netLocal -> 83.16.196.130
> nat on $ifDSL3 from $netLocal to ! $netLocal -> 194.110.229.162 # DSL3
> nat on $ifDSL3 from 192.168.1.1 to ! $netLocal -> $develDSL3 # devel(DSL3)
>
> ## nat 1:1 (input)
> # devel
> rdr on $ifDSL1 proto tcp from any to 83.16.196.123 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
> rdr on $ifDSL3 proto tcp from any to 194.110.229.163 port { 21, 22, 25, 80, 110, 443, 465, 993, 995, 19000:19500 } -> 192.168.1.1
>
> rdr on $ifDSL2 proto tcp from any to 83.16.196.131 port { 25 } -> 192.168.1.1 port 2030
> rdr on $ifInt proto tcp from $netLocal to 83.16.196.130 port { 21, 22, 25, 80, 110, 443, 137, 138, 139, 465, 993, 995, 2401 } -> 192.168.1.1
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 443 } -> 192.168.0.3 port 22
> rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 6100, 6101, 6102 } -> 192.168.0.3
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5900 } -> 192.168.0.4
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5901 } -> 192.168.0.6 port 5900
> rdr on $ifDSL2 proto tcp from any to 83.16.196.130 port { 5901 } -> 192.168.0.6 port 5900
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> rdr on $ifDSL1 proto udp from any to 83.16.196.122 port { 5801 } -> 192.168.0.6
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 5903 } -> 192.168.0.24 port 3389
>
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3389 } -> 192.168.0.24
> rdr on $ifDSL1 proto tcp from any to 83.16.196.122 port { 3390 } -> 192.168.0.5 port 3389
> rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 6000 } -> 192.168.0.9 port 6000
> rdr on $ifDSL1 proto udp from 80.55.58.238 to 83.16.196.122 port { 177 } -> 192.168.0.9 port 177
> rdr on $ifDSL1 proto tcp from 80.55.58.238 to 83.16.196.122 port { 22 } -> 192.168.0.9 port 22
> rdr on $ifDSL2 proto tcp from any to 83.16.196.132 port { 25 } -> 192.168.1.1 port 27
>
> ## binat
> binat on $ifDSL3 from $exLocal to ! $netLocal -> $exDSL3
> binat on $ifDSL3 from $robertLocal to ! $netLocal -> $robertDSL3
>
> # source routing
> pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3),($ifDSL3 $gwDSL3) } from 192.168.1.1 to ! $netLocal keep state
> pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from any to 136.159.158.52 keep state # -> myweb via dsl2
> pass in quick on $ifInt route-to { ($ifDSL3 $gwDSL3) } from { 192.168.0.3 , 192.168.0.4 } to ! $netLocal keep state # -> DSL3
> pass in quick on $ifInt route-to { ($ifDSL1 $gwDSL1) } from $netPSN to ! $netLocal keep state # -> dsl1
> pass in quick on $ifInt route-to { ($ifDSL2 $gwDSL2) } from $netDMZ to ! $netLocal keep state # -> dsl2
>
> # queues
> # DSL1
> pass out on $ifDSL1 proto tcp from any to any port 22 flags S/SA \
> keep state queue (q1ssh, q1pri)
> pass out on $ifDSL1 proto tcp from $ifDSL1 to any flags S/SA \
> keep state queue (q1def, q1pri)
> pass in on $ifDSL1 proto tcp from any to $ifDSL1 flags S/SA \
> keep state queue (q1def, q1pri)
>
> # DSL2
> pass out on $ifDSL2 proto tcp from any to any port 22 flags S/SA \
> keep state queue (q2ssh, q2pri)
> pass out on $ifDSL2 proto tcp from $ifDSL2 to any flags S/SA \
> keep state queue (q2def, q2pri)
> pass in on $ifDSL2 proto tcp from any to $ifDSL2 flags S/SA \
> keep state queue (q2def, q2pri)
>
> # DSL3
> pass out on $ifDSL3 proto tcp from any to any port 22 flags S/SA \
> keep state queue (q3ssh, q3pri)
> pass out on $ifDSL3 proto tcp from $ifDSL3 to any flags S/SA \
> keep state queue (q3def, q3pri)
> pass in on $ifDSL3 proto tcp from any to $ifDSL3 flags S/SA \
> keep state queue (q3def, q3pri)
> --- end of pf.conf ----
>
>
>
>
--
Claudiu Dragalina-Paraipan
dr.clau at gmail.com