Hello,

Thanks for the information. I have built multiple routing tables and am running separate sshd instances:

#
# /etc/rc.local
#

# Build my alternate routing tables
/usr/sbin/setfib 0 /sbin/route add default 10.1.9.58
/usr/sbin/setfib 1 /sbin/route add default 10.1.9.59
/usr/sbin/setfib 2 /sbin/route add default 10.1.9.60
/usr/sbin/setfib 3 /sbin/route add default 10.1.9.61

# Start SSH daemons for each interface
/usr/sbin/setfib 0 /usr/sbin/sshd -f /etc/ssh/sshd_config
/usr/sbin/setfib 1 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap0
/usr/sbin/setfib 2 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap1
/usr/sbin/setfib 3 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap2

And have tried the following in my pf.conf:

pass in log on bce0 inet proto tcp from any to (bce0) port ssh rtable 0
pass in log on tap0 inet proto tcp from any to (tap0) port ssh rtable 1
pass in log on tap1 inet proto tcp from any to (tap1) port ssh rtable 2
pass in log on tap2 inet proto tcp from any to (tap2) port ssh rtable 3

But this still doesn't work. Any ideas what I'm doing wrong?

Thanks!
James

From: claudiu vasadi [mailto:claudiu.vas...@gmail.com]
Sent: Wednesday, September 24, 2014 8:59 AM
To: Nagle, Edwin (James)
Subject: Re: Source based routing

Hi,

Have a look at route-to (ex: pass in log (all) on $int_if route-to { ($ext_if0 $ext_gw0), ($ext_if1 $ext_gw1) } ... etc ...) and/or rtable (ex: pass in on $ext_if1 proto tcp from any to <ip> port 22 rtable 1).

By default, all outbound traffic is using the defaultrouter.

On Wed, Sep 24, 2014 at 3:35 PM, Nagle, Edwin (James) <edwin.na...@austinenergy.com> wrote:

Hi all,

I'm trying to accomplish something that I think should be pretty simple, but cannot figure out how to do... Here is my scenario:

I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet. The users coming in will need to have their IP sourced from the same IP as they arrived on because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets. Incoming access will be controlled by radius based on IP address. Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on).

The server has four interfaces configured, the physical interface (bce0) and three virtual (tap0, tap1, tap2). I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables. I found a good article which describes source based routing with multiple routing tables, but I think my problem stems from having all the IP addresses on the same network subnet. I have successfully been able to have the outbound NAT to a single IP, but I'm still unclear on how PF works, so I'm basically mucking around trying to find something that works (please forgive my ignorance):

My current pf.conf:

nat on ! tap0 from any to any port ssh -> 10.1.9.59
nat on ! tap1 from any to any port ssh -> 10.1.9.60
nat on ! tap2 from any to any port ssh -> 10.1.9.61

All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on. I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP.

Anyone have any ideas or suggestions as to how to accomplish this? Many thanks in advance for any guidance.

James

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

--
Best regards,
Claudiu Vasadi
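As an added example that is not part of the thread, a small Python checker that cross-references the rc.local and pf.conf fragments above (embedded as constructed sample input): for every pass rule it confirms that the rtable it names is a FIB with a default route and an sshd instance started in it, and it flags FIBs that share a default gateway. The regexes and function names are assumptions of this example, not anything from the thread.

```python
import re

# Constructed sample input, copied from the rc.local and pf.conf in this thread.
RC_LOCAL = """
/usr/sbin/setfib 0 /sbin/route add default 10.1.9.58
/usr/sbin/setfib 1 /sbin/route add default 10.1.9.59
/usr/sbin/setfib 2 /sbin/route add default 10.1.9.60
/usr/sbin/setfib 3 /sbin/route add default 10.1.9.61
/usr/sbin/setfib 0 /usr/sbin/sshd -f /etc/ssh/sshd_config
/usr/sbin/setfib 1 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap0
/usr/sbin/setfib 2 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap1
/usr/sbin/setfib 3 /usr/sbin/sshd -f /etc/ssh/sshd_config.tap2
"""
PF_CONF = """
pass in log on bce0 inet proto tcp from any to (bce0) port ssh rtable 0
pass in log on tap0 inet proto tcp from any to (tap0) port ssh rtable 1
pass in log on tap1 inet proto tcp from any to (tap1) port ssh rtable 2
pass in log on tap2 inet proto tcp from any to (tap2) port ssh rtable 3
"""

# "setfib N <path>route add default GW" and "setfib N <path>sshd ... -f CONF"
ROUTE_RE = re.compile(r"setfib\s+(\d+)\s+\S*route\s+add\s+default\s+(\S+)")
SSHD_RE = re.compile(r"setfib\s+(\d+)\s+\S*sshd\b.*?-f\s+(\S+)")
# "pass in ... on IFACE ... rtable N"
PF_RE = re.compile(r"^pass\s+in\b.*?\bon\s+(\S+)\b.*?\brtable\s+(\d+)", re.M)


def parse_fibs(rc_text):
    """Map each FIB number to its default gateway and sshd config file."""
    fibs = {}
    for fib, gw in ROUTE_RE.findall(rc_text):
        fibs.setdefault(int(fib), {})["gateway"] = gw
    for fib, conf in SSHD_RE.findall(rc_text):
        fibs.setdefault(int(fib), {})["sshd_config"] = conf
    return fibs


def check_rules(rc_text, pf_text):
    """Return (interface, rtable, problem) tuples; an empty list means consistent."""
    fibs = parse_fibs(rc_text)
    problems = []
    for iface, rtable in PF_RE.findall(pf_text):
        fib = fibs.get(int(rtable), {})
        if "gateway" not in fib:
            problems.append((iface, int(rtable), "no default route in FIB"))
        if "sshd_config" not in fib:
            problems.append((iface, int(rtable), "no sshd started in FIB"))
    gws = [f["gateway"] for f in fibs.values() if "gateway" in f]
    if len(gws) != len(set(gws)):
        problems.append(("*", -1, "two FIBs share a default gateway"))
    return problems
```

Run against the thread's own fragments the check comes back clean, so it rules out a simple FIB/rtable mismatch; a missing setfib route line shows up as a named interface and table number.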