multiple ip and gateways

wolffnx

wolffnx

Hi, my problem is very simple but I dont know how to solve it
in my router(FBSD 13) I have 2 network interfaces , 1 is the WAN and the other is the LAN, pretty normal

but in the WAN interface I have multiples Ip's , Rdr rules and one gateway

the traffic from outside ,just enter fine to the firewall, but sometimes get back from the wrong gateway and the conecction from outside
get a timeout

sorry for the simple post,when I have more time I give more info


here is thebig picture:

2 range of public statics ip's associed to various services(I change the ip's for obvius reasons)

wan ip1: 200.54.12.11 / gateway 200.54.12.10
wan ip2: 220.11.11.11 / gateway 220.11.11.10
lan ip : 10.1.1.1

so, in the interface em0(external) I have the wan ip1 as principal and wan ip2 as alias
in the internal (em1) I have the lan ip

in the PF rules i have:

ext_if="em0"
int_if="em1"

ip1="200.54.12.11"
ip2="220.11.11.11"

nat on $ip2 from 10.1.1.11 to any -> $ip2

rdr pass log(all) on $ext_if proto tcp from any to $ip1 port 3000 -> 10.1.1.10 port 22
rdr pass log(all) on $ext_if proto tcp from any to $ip2 port 3001 -> 10.1.1.11 port 22


and in the route table I have 200.54.12.10 as default gateway
so the login attemps to ip2 ends out in timeout because the trafics enter but not go out
(I debug it with tcpdump)
 
covacat said:
after aliasing to ip2 you need to set next hop to the gw for ip2 with a route-to rule
Click to expand...
Im not the guy who wont investigate or test new things,
But can you give me an example?
I lookup for examples on google but seems dificult
 
i suck at pf (and just searched for the equivalent of ipfw fwd)
for ipfw would be
ipfw add 999 fwd $gw2_ip ip from $ext2_ip to any #this rule should come after aliasing to $ext2_ip
without such a rule the packets will reach $gw1_ip where would probably be dropped by egress filtering
maybe this thread will help https://forums.freebsd.org/threads/pf-2-nat.21623/
 
I think what you need is reply-to
The reply-to option is similar to route-to, but routes packets that
pass in the opposite direction (replies) to the specified inter-
face. Opposite direction is only defined in the context of a state
entry, and reply-to is useful only in rules that create state. It
can be used on systems with multiple external connections to route
all outgoing packets of a connection through the interface the in-
coming connection arrived through (symmetric routing enforcement).
Click to expand...

pf.conf(5)

www.freebsd.org www.freebsd.org

It looks like reply-to is only available in pass/block rules, so you'll have to split up your rdr and pass rules. Maybe something like
Code: 
rdr on $ext_if proto tcp from any to $ip2 port 3001 -> 10.1.1.11 port 22
pass in on $ext_if proto tcp from any to $ip2 port 3001 reply-to 220.11.11.10
These are completely untested.
 
Thanks covacat and Jose , btw , Jose the reply-to was in wrong syntax(PF gives a syntax error) but I use it anyway,but no luck
at the end I choose to make 2 firewalls, maybe is a KISS decision,but it works like a charm
 
You could leverage multiple FIBs to simplify that setup, although IMHO FreeBSDs PF syntax in regard to FIBs feels a bit clunky compared to OpenBSD and routing domains, but it also gets the job done.

Each FIB would only know about a single external IP and gateway. Ideally you should also use different prefixes (and vlans) on the internal side to keep traffic separated. E.g. use one public IP only for traffic to/from your client LAN, the other one only for your services which internally run in a separate DMZ network.
 
You must log in or register to reply here.
Back
Top