[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Questions about routing & multple external interfaces



hello,
I have some questions about using route-to and multiple external
interfaces.
I have two internet connections. One is a cable modem, the other is
provided by the building i'm in. The building's connection is just
a DSL line which gets NATed before it comes through the hole in my
wall, so fxp0 has a non-routeable IP but I don't think that should
really matter.
unnecessary ascii diagram:
                                         +----[OpenBSD Box]----+
.--$ext_con1_gw-----.                     |                     ||cable provider's   | [cable modem]  +----+-[dc0 24.1.2.3]      ||gateway 24.1.2.254 +----------------+    | [$ext_con1_if]      |`--------+----------'                     |                     |        |                                |                     |        +                                |                     | (( Internet  ))                         |                     | ((   Cloud   ))                         | [sis0 10.10.10.254]-+--+
        +                                | [$int_if]           |  |        |                                |                     |  |[dsl modem, telco]                       |                     |  |        |                                |                     |  |.--$ext_con2_gw-----.                     |                     |  ||building's         | [172.16.1.0/24] +---+-[fxp0 172.16.1.200] |  ||gateway 172.16.1.1 +-----------------+   | [$ext_con2_if]      |  |`-------------------' (building net)      +---------------------+  |                                                                  |                                                   +--------------+
                                                   +
                                         ((   10.10.10.0/24     ))
                                         (( my internal network ))
                                                   +
To keep things simple I'm using the example of using pools and
round-robin load balancing from the PF to start.
http://openbsd.org/faq/pf/pools.html
First I have a couple questions regarding the example:
I'm slightly confused by these two rules. Does it matter where they
appear in the pf.conf in terms of order? Are they necessary? I realize
this means if a packet on $ext_if1 has $ext_if2's source address, pass
it and route it out through $ext_if2 to $ext_gw2 (and vice versa)
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
   to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
   to any
In the example, the "general pass out rules" use "modulate state" for
outgoing tcp. Is there a reason for this related to routing on multiple
external interfaces or does this example just happen to modulate the
state on those packets?
Another question I have regarding the pools example, and I apologize if
this has been asked before. Concerning the following rule, is filtering
on the internal interface the only way to force this traffic (from
internal network to internet) out through an external interface
other than then default?
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state
The reason I ask is that I would like to be able to route traffic from
the OpenBSD box itself or from the internal network to one of the two
interfaces based on it's source IP address.. And each time I try, I
either break things or the rules don't work as well as I'd like.
To explain, unlike the example pf.conf that I started with, my goal
is not round-robin load balancing. I want anything with a source ip
address belonging to $ext_if2 to go out on $ext_if2 and be routed to
$ext_gw2 and vice versa on the other interface. I'm not 100% sure if
this is possible.
What I want to do with this is be able to run something on the OpenBSD
machine that binds to one of the external IPs (ie: squid, an irc client,
nmap, etc.) and have it work normally, going out on the right interface
to the right gateway. I also want to be able to make certain traffic
from the internal network NATted out on the interface I choose.  For
example, to make traffic from a specific workstation to always use
the slower connection, or to have traffic destined for certain internet
IPs to always get sent out on a specific external interface.
I've been experimenting with my pf.conf while I've been writing this
email. At this point I have most of what I need to work now working.
I'm still not able to get connections coming from the OpenBSD box to go
out on it's second interface, specifically squid. This is probably what
I really need help with. I'm 99% sure this is not a problem with squid.
I have tcp_outgoing_address set to my second external interface's IP
address in squid.conf and at one point I was able to make it work
(albeit, while breaking other things) with a rule something like:
pass  out quick route-to ($ext_con2_if $ext_con2_gw) from $ext_con2_if \
   to any user _squid
Many thanks to whoever replies. Any suggestions are appreciated.
Cheers,
ben.
And now the pf.conf
# basic nat for both interfaces
nat on $ext_con1_if from $int_net to any -> ($ext_con1_if)
nat on $ext_con2_if from $int_net to any -> ($ext_con2_if)
# default deny
block in  from any to any
block out from any to any
# don't restrict loopback interface
pass     quick on lo0 all
# don't break various services while using this test pf.conf
pass  in  on $ext_con1_if proto tcp from any to any port { smtp, auth } \
   flags S/SA keep state
# pass in quick packets going to the gateway itself (this box)
pass  in quick on $int_if from $int_net to $int_if
# allow traffic to the internal lan from anywhere
pass  out      on $int_if from any      to $int_net
# allow traffic from the internal lan to anywhere. this has the side
# effect of passing/routing lan traffic out to the default if/gate
pass  in       on $int_if from $int_net to any
# always route addresses in <route_thru_conX> through conX
pass  in on $int_if route-to ($ext_con1_if $ext_con1_gw) \
   from any to <route_thru_con1> flags S/SA keep state
pass  in on $int_if route-to ($ext_con2_if $ext_con2_gw) \
   from any to <route_thru_con2> flags S/SA keep state
# general "pass out" rules for external interfaces
pass  out on $ext_con1_if proto tcp from any to any flags S/SA modulate state
pass  out on $ext_con1_if proto { udp, icmp } from any to any keep state
pass  out on $ext_con2_if proto tcp from any to any flags S/SA modulate state
pass  out on $ext_con2_if proto { udp, icmp } from any to any keep state
# route traffic out through the correct interfaces
pass  out on $ext_con1_if route-to ($ext_con2_if $ext_con2_gw) \
   from $ext_con2_if to any
pass  out on $ext_con2_if route-to ($ext_con1_if $ext_con1_gw) \
   from $ext_con1_if to any