PF or IPFW basic NAT firewall with FIBs

Good day all,

I am attempting to utilize 3 separate internet connections and am struggling desperately to get either ipfw or pf to work with them.

The setup is as follows:
em0 -> standard LAN-type gateway - fib 0
ng0 -> PPPoE connection - fib 1
ng1 -> PPPoE connection - fib 2
re0 -> LAN 172.31.5.0/24

ng0 and ng1 have the same remote gateway.

setfib 0 ping 1.1.1.1
setfib 1 ping 1.1.1.1
setfib 2 ping 1.1.1.1

All work from their expected public IPs.

I really just need a simple NAT firewall that will work with fib 1 or fib 2, for ipfw or pf. I should be able to figure it out from there, but the resources for dealing with FIBs are quite thin and I just cannot figure out how to get them to work.
 
If I down em0 and put ng0 on fib 0, then the normal firewall works as expected (just adding this to prove that the NAT setup for mpd5 is working).
 
For anyone wondering, I still have not figured out ipfw and FIBs... however, some light with pf. Before reading it, beware that this is just the simplest thing I could make to work from. The reason for the assignments is:
em0 -> 4G connection, kind of a backup - used for the gateway itself and any jails or VMs it's running
ng0 -> PPPoE connection that I will use for my computer so work does not get disrupted by the kids or wife YouTubing or whatever
ng1 -> PPPoE connection the LAN will use for, well, YouTube, Netflix, etc.

Note the order of the matches. I did it this way as everything should be valid for em0, things on the LAN are valid for ng1, and finally only my PC is viable for ng1.

-- Start of script

ext_if0 = "em0"
ext_if1 = "ng0"
ext_if2 = "ng1"

lan_if = "re0"
lan_net = "172.31.5.0/24"

paul = "172.31.5.99/32"

set block-policy drop
set skip on lo0

# NAT sets
nat on $ext_if2 tagged nat2 rtable 2 -> ($ext_if2)
nat on $ext_if1 tagged nat1 rtable 1 -> ($ext_if1)
nat on $ext_if0 tagged nat0 rtable 0 -> ($ext_if0)

# Tag any packets from our LAN and also put them on the correct FIB
match in on $lan_if from any to any rtable 0 tag nat0
match in on $lan_if from $lan_net to ! $lan_net rtable 2 tag nat2
match in on $lan_if from $paul to ! $lan_net rtable 1 tag nat1

# Tag packets from the WAN to the correct FIB
match in on $ext_if0 from any to any rtable 0 tag fib0
match in on $ext_if1 from any to any rtable 1 tag fib1
match in on $ext_if2 from any to any rtable 2 tag fib2


-- End of script
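To check which FIB and NAT tag the three "match in on $lan_if" rules above hand to a given packet (and why their order matters), here is an added Python model of pf's match-rule semantics; it is not part of the original post and only models the options used in that script (source/destination network, the "!" negation, rtable and tag). The packets it classifies are constructed test inputs.

```python
import ipaddress

# Constructed model of the three "match in on $lan_if" rules from the post.
# pf evaluates match rules in order; every rule that matches applies its
# options, so a later match replaces the rtable and tag set by an earlier one.
LAN_NET = ipaddress.ip_network("172.31.5.0/24")
PAUL = ipaddress.ip_network("172.31.5.99/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# (src_net, dst_net, negate_dst, rtable, tag), in the order written in pf.conf
LAN_MATCH_RULES = [
    (ANY,     ANY,     False, 0, "nat0"),   # match in on $lan_if from any to any ...
    (LAN_NET, LAN_NET, True,  2, "nat2"),   # ... from $lan_net to ! $lan_net ...
    (PAUL,    LAN_NET, True,  1, "nat1"),   # ... from $paul to ! $lan_net ...
]


def classify(src, dst, rules=LAN_MATCH_RULES):
    """Return the (rtable, tag) pf would attach to a packet entering $lan_if."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    result = (None, None)  # nothing matched: default FIB, no tag, so no NAT rule fires
    for src_net, dst_net, negate_dst, rtable, tag in rules:
        dst_hit = (d in dst_net) != negate_dst  # "! $lan_net" inverts the test
        if s in src_net and dst_hit:
            result = (rtable, tag)  # last matching match rule wins
    return result


if __name__ == "__main__":
    # Constructed sample flows: Paul's PC, another LAN host, LAN-internal traffic.
    for src, dst in [("172.31.5.99", "8.8.8.8"), ("172.31.5.10", "8.8.8.8"),
                     ("172.31.5.10", "172.31.5.1")]:
        print(f"{src} -> {dst}: rtable/tag = {classify(src, dst)}")
    # Same rules in reverse order: the catch-all matches last, so every flow
    # ends up on fib 0 / em0, which is why the order in the script matters.
    print("reversed:", classify("172.31.5.99", "8.8.8.8", list(reversed(LAN_MATCH_RULES))))
```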
 