Hi all,

I'm very new to OpenBSD so please bear with me as I'm certainly making a rookie mistake...
I'm using a Soekris net5501 as a load balancer using Debian and I want to switch to OpenBSD. We have two ISPs coming to the net5501 as vlan1 and vlan10. My default gateway is set to vlan1. The problem that I have is that when I try to connect to the IP on vlan10, the response packets are sent to vlan1 and discarded by the router because it looks like IP spoofing.

I searched a lot about this but all I can find is about load balancing a NATed network between multiple ISPs (equal-cost multipath routing). It's not what I want to do, this machine will not do any NAT. I also tried using pf route-to but that seems to only work with NAT...

So basically my question is how to tell OpenBSD to send packets to the interface they came from?

Thanks a lot,
GFK's

PS: On my Debian box, I did it like that:

iface eth1 inet static
    address CC.DD.200.226
    netmask 255.255.255.0
    post-up ip route add CC.DD.200.0/24 dev eth1 src CC.DD.200.226 table uq
    post-up ip route add default via CC.DD.200.1 table uq
    post-up ip rule add from CC.DD.200.0/24 table uq
    post-down ip rule del from CC.DD.200.0/24 table uq

PPS: Here's an example of the problem:

From a box outside of the network (delta.sanitized.com) I try to connect to the OpenBSD box on vlan10:

gfk@delta:~$ ssh -v AA.BB.57.185
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to AA.BB.57.185 [AA.BB.57.185] port 22.
...

On the OpenBSD box, the SYN packets come to vlan10

$ sudo tcpdump -i vlan10 host delta.sanitized.com
tcpdump: listening on vlan10, link-type EN10MB
15:08:45.136610 delta.sanitized.com.53784 > AA.BB.57.185.ssh: S 3553316437:3553316437(0) win 5840 <mss 1380,sackOK,timestamp 373888633 0,nop,wscale 7> (DF)
15:08:51.136691 delta.sanitized.com.53784 > AA.BB.57.185.ssh: S 3553316437:3553316437(0) win 5840 <mss 1380,sackOK,timestamp 373894633 0,nop,wscale 7> (DF)
^C
342 packets received by filter
0 packets dropped by kernel

# but the SYN/ACK are sent back on vlan1, to be then dropped by the router.

$ sudo tcpdump -i vlan1 host delta.sanitized.com
Password:
tcpdump: listening on vlan1, link-type EN10MB
15:08:45.136763 AA.BB.57.185.ssh > delta.sanitized.com.53784: S 307933727:307933727(0) ack 3553316438 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 693277848 373888633> (DF)
15:08:48.127203 AA.BB.57.185.ssh > delta.sanitized.com.53784: S 307933727:307933727(0) ack 3553316438 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 693277854 373888633> (DF)
15:08:51.136784 AA.BB.57.185.ssh > delta.sanitized.com.53784: S 307933727:307933727(0) ack 3553316438 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 693277860 373894633> (DF)
15:08:54.127383 AA.BB.57.185.ssh > delta.sanitized.com.53784: S 307933727:307933727(0) ack 3553316438 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 693277866 373894633> (DF)
^C
724 packets received by filter
0 packets dropped by kernel

$ ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cb:a7:84
        priority: 0
        trunk: trunkdev trunk0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fecb:a785%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cb:a7:84
        priority: 0
        trunk: trunkdev trunk0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fecb:a786%vr1 prefixlen 64 scopeid 0x2
vr2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cb:a7:86
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
vr3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cb:a7:87
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::200:24ff:fecb:a787%vr3 prefixlen 64 scopeid 0x4
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
trunk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cb:a7:84
        priority: 0
        trunk: trunkproto loadbalance
                trunkport vr1 active
                trunkport vr0 master,active
        groups: trunk
        media: Ethernet autoselect
        status: active
        inet6 fe80::200:24ff:fecb:a784%trunk0 prefixlen 64 scopeid 0x7
vlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cb:a7:84
        priority: 0
        vlan: 1 priority: 0 parent interface: trunk0
        groups: vlan egress
        status: active
        inet6 fe80::200:24ff:fecb:a784%vlan1 prefixlen 64 scopeid 0x8
        inet CC.DD.200.225 netmask 0xffffff00 broadcast CC.DD.200.255
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cb:a7:84
        priority: 0
        vlan: 10 priority: 0 parent interface: trunk0
        groups: vlan
        status: active
        inet6 fe80::200:24ff:fecb:a784%vlan10 prefixlen 64 scopeid 0x9
        inet AA.BB.57.185 netmask 0xffffffe0 broadcast AA.BB.57.191
pfsync0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: MASTER carpdev vlan1 vhid 1 advbase 1 advskew 0
        groups: carp
        status: master
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0xa
        inet CC.DD.200.139 netmask 0xffffff00 broadcast CC.DD.200.255

$ cat /etc/mygate
CC.DD.200.1

$ route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            CC.DD.200.1        UGS       15     3762     -     8 vlan1
AA.BB.57.160/27    link#9             UC         2        0     -     4 vlan10
AA.BB.57.161       00:21:a0:a3:2d:44  UHLc       0        2     -     4 vlan10
AA.BB.57.163       00:23:33:be:5c:8f  UHLc       0        0     -     4 vlan10
127/8              127.0.0.1          UGRS       0        0 33196     8 lo0
127.0.0.1          127.0.0.1          UH         1        0 33196     4 lo0
CC.DD.200/24       link#8             UC         4        0     -     4 vlan1
CC.DD.200.1        00:13:7f:16:dd:84  UHLc       1        0     -     4 vlan1
CC.DD.200.21       00:0c:29:7a:59:b3  UHLc       0       15     -     4 vlan1
CC.DD.200.74       00:24:81:8f:63:e6  UHLc       1     7417     -     4 vlan1
CC.DD.200.139      CC.DD.200.139      UH         0        0     -     4 carp0
CC.DD.200.213      00:0c:29:f9:bc:d5  UHLc       0       15     -     4 vlan1
224/4              127.0.0.1          URS        0        0 33196     8 lo0
$
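
The asymmetric return path visible in the two captures above (SYN in on vlan10, SYN/ACK out on vlan1) can be confirmed mechanically by pairing handshakes across per-interface captures. This is an added example, not part of the original post; the function names are hypothetical and the input is assumed to be tcpdump text in the format quoted in the post, keyed by interface name.

```python
import re

# Sample input: one line from each of the two captures quoted in the post.
CAPTURES = {
    "vlan10": """\
15:08:45.136610 delta.sanitized.com.53784 > AA.BB.57.185.ssh: S 3553316437:3553316437(0) win 5840 <mss 1380,sackOK,timestamp 373888633 0,nop,wscale 7> (DF)
""",
    "vlan1": """\
15:08:45.136763 AA.BB.57.185.ssh > delta.sanitized.com.53784: S 307933727:307933727(0) ack 3553316438 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 693277848 373888633> (DF)
""",
}

# Matches only segments whose flag field is exactly "S" (SYN, or SYN/ACK when "ack N" follows).
LINE = re.compile(
    r"^\S+ (?P<src>\S+) > (?P<dst>\S+): S (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def parse(captures):
    """Yield (iface, src, dst, seq, ack) for every SYN or SYN/ACK line."""
    for iface, text in captures.items():
        for line in text.splitlines():
            m = LINE.match(line)
            if m:
                ack = int(m["ack"]) if m["ack"] else None
                yield iface, m["src"], m["dst"], int(m["seq"]), ack

def find_asymmetric(captures):
    """Return handshakes whose SYN/ACK left on a different interface than the SYN arrived on."""
    syns, synacks = {}, {}
    for iface, src, dst, seq, ack in parse(captures):
        if ack is None:
            # SYN: the matching reply acknowledges seq + 1 (mod 2^32).
            syns[(src, dst, (seq + 1) % 2**32)] = iface
        else:
            # SYN/ACK: key by the reversed endpoints so it lines up with its SYN.
            synacks.setdefault((dst, src, ack), set()).add(iface)
    findings = []
    for key, in_if in sorted(syns.items()):
        for out_if in sorted(synacks.get(key, ())):
            if out_if != in_if:
                findings.append((key[0], key[1], in_if, out_if))
    return findings

if __name__ == "__main__":
    for client, server, in_if, out_if in find_asymmetric(CAPTURES):
        print(f"{client} -> {server}: SYN in on {in_if}, SYN/ACK out on {out_if}")
```

Retransmitted SYNs and SYN/ACKs collapse onto the same key, so each mismatched handshake is reported once per outgoing interface.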