Source based routing

Oliver Peter lists at peter.de.com
Wed Sep 24 14:18:28 UTC 2014


On Wed, Sep 24, 2014 at 01:35:53PM +0000, Nagle, Edwin (James) wrote:
> Hi all,
> 
> I'm trying to accomplish something that I think should be pretty simple, but cannot figure out how to do...  Here is my scenario:
> 
> I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet.  The users coming in will need to have their IP sourced from the same IP as they arrived on because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets.  Incoming access will be controlled by radius based on IP address.  Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on).
> 
> The server has four interfaces configured, the physical interface (bce0) and three virtual (tap0, tap1, tap2).
> 
> I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables.  I found a good article which describes source based routing with multiple routing tables but I think my problem stems from having all the IP addresses on the same network subnet.  I have successfully been able to have the outbound NAT to a single IP but I'm still unclear on how PF works so I'm basically mucking around trying to find something that works (please forgive my ignorance):
> 
> My current pf.conf:
> 
> nat on ! tap0 from any to any port ssh -> 10.1.9.59
> nat on ! tap1 from any to any port ssh -> 10.1.9.60
> nat on ! tap2 from any to any port ssh -> 10.1.9.61
> 
> All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on.  I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP.
> 
> Anyone have any ideas or suggestions as to how to accomplish this?

Check out the Routing section in pf.conf and give 'route-to' a try;
an example for outgoing traffic could be:

        pass out log quick on $ext_if route-to tap0 from (tap0:network) to any port ssh


-- 
Oliver PETER       oliver at gfuzz.de       0x456D688F