Hello Russell, On Wed, Jan 11, 2012 at 07:46:59AM -0500, Russell Garrison wrote: > Have you considered routing domains?
no I have not. According to your hint I started to study their concept, but have not found a description that would meet my situation. Thanks for your idea and best regards Torsten > On Tue, Jan 10, 2012 at 1:41 PM, Dr.-Ing. Torsten Finke > <torsten.fi...@igh-essen.com> wrote: > > Hello Jorge, > > > >> I read again your mail and now i'm lost ! > >> > >> You Wrote: > >> > >> "How can I force my Extl. FW to reply on exactly the same interface it > >> > > had been requested on? For example I am running OpenVPN(1194/UDP) > >> > > between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I > >> > > would appretiate SSH-portforwarding from Internet to the Intl. FW. " > >> > >> > >> SSH port forwarding from internet to Internal server is something like : > >> > >> ext_if=vr0 > >> ext_ip=1.2.3.4 > >> Spvt= 4.5.6.7 > >> > >> match in on $ext_if proto tcp from any to $ext_ip port 22 rdr-to $Spvt > >> > >> pass in on $ext_if proto tcp from any to $Spvt port 22 > >> pass out on $int_if proto tcp from any to $Spvt port 22 > >> > >> > >> > >> > >> The above line redirects all traffic coming from any place in internet to > >> my external IP ( 1.2.3.4) to the server 4.5.6.7 which is located in my > >> internal lan, in other words the packet comes in on external interface , > >> goes out on internal interface .. > >> > >> These works on OpenBSD 4.8 or newer ! > >> > >> Is this what you need ? > > > > no. Obviously I have not explained clearly what my problem is. > > > > On my firewall I have TWO different internet connections. It is simple to > > forward - for instance ssh - > > from both connections to an internal machine. Now this machine answers and > > the > > firewall sends the reply back. How can I force the firewall to send the > > reply > > over exactly that interface the request came in? The problem is that the > > client anywhere on the internet expects the answer from the very address it > > had contacted. If now the reply comes from another address, it will get > > lost. > > > > > > Best regards > > > > Torsten > > > > > > > >> On Tue, Jan 10, 2012 at 10:46 AM, Dr.-Ing. Torsten Finke < > >> torsten.fi...@igh-essen.com> wrote: > >> > >> > Hello Jorge, > >> > > >> > > If i understood you well, the answer to your question is here ! > >> > > > >> > > > >> > > http://www.openbsd.org/faq/pf/pools.html > >> > > > >> > > Under the section Load Balancing outgoing traffic, or take a look at: > >> > > > >> > > http://www.openbsd.org/faq/faq6.html#Multipath > >> > > > >> > > > >> > > There are good examples there ! > >> > > > >> > > I hope this can help ! > >> > > >> > thank you for this. The FAQ on pools has nice examples but none of them > >> > really > >> > faces my problem. It discusses load balancing of incoming traffic to > >> > several > >> > servers as well as load balancing of outgoing traffic. I cannot figure > >> > out > >> > how > >> > to dispatch replies to incoming requests over different connections. > >> > > >> > The FAQ on multipath has helped me very well to set up multiple default > >> > routes > >> > - this works very well. > >> > > >> > Best regards > >> > > >> > Torsten > >> > > >> > > >> > > > Dear List, > >> > > > > >> > > > Here I show my network topology. Maybe it seems quite typical. My > >> > > > internal network is located behind an Intl/Extl Firewall which is > >> > > > connected to the Internet(IN) via pppoe/ppp(8). On the other side I > >> > > > run > >> > > > different systems, for instance a home office network, a mobile > >> > > > laptop, > >> > > > and several customers. > >> > > > > >> > > > > >> > > > +---+ +---+ > >> > > > | A | | B | (PC) > >> > > > +-+-+ +-+-+ > >> > > > | | +---------+ > >> > > > --+-----+---| Intl FW |---(DMZ)---+ > >> > > > (LAN/int) +---------+ | > >> > > > | > >> > > > +---------------------------------------+ > >> > > > | +---+ > >> > > > | ____ | Z | > >> > > > (PC) > >> > > > | ( ) +---+ > >> > > > | +---------+ pppoe/ppp(8) +-----------+ ( ) +----+ | > >> > > > | | |--------------| DSL-Modem |--( )--| GW |----+- > >> > > > | | | rl0/tun0 +-----------+ ( ) +----+ > >> > (HomeOffice) > >> > > > +--| Extl FW | ( IN ) +----------+ > >> > > > | | pppoe/ppp(8) +-----------+ ( )--| Customer | > >> > > > | |--------------| DSL-Modem |--( ) +----------+ > >> > > > +---------+ rl1/tun1 +-----------+ ( ) +--------+ > >> > > > OpenBSD 4.8 (____)--| Mobile | > >> > > > +--------+ > >> > > > > >> > > > My question is about the setup of routing and packet filtering on the > >> > > > External Firewall: > >> > > > > >> > > > How can I force my Extl. FW to reply on exactly the same interface it > >> > > > had been requested on? For example I am running OpenVPN(1194/UDP) > >> > > > between my HomeOffice (Z=Client) and the Intl. FW(=Server). Alike I > >> > > > would appretiate SSH-portforwarding from Internet to the Intl. FW. > >> > > > > >> > > > I tried using "route-to" and "reply-to", but that did not work - > >> > > > PF.CONF(5) says this should do, but I could not figure out, how. I > >> > > > did > >> > > > not not understand how "route-to" and "reply-to" actually work (could > >> > > > not find any explanation, though I have tried hard to search for). > >> > > > > >> > > > Everything else (NAT, outbound load balancing, filtering) works just > >> > > > fine. > >> > > > > >> > > > My routing is: > >> > > > > >> > > > default XXX.X.XX.XXX UGSP 2 101853 - 8 tun0 > >> > > > default XXX.X.XX.XXX UGSP 0 988 - 8 tun1 > >> > > > > >> > > > I manage my multipath routes (net.inet.ip.multipath=1) via > >> > > > - ppp.linkup: > >> > > > MYADDR: > >> > > > shell route add -mpath default HISADDR > >> > > > > >> > > > - ppp.linkdown > >> > > > MYADDR: > >> > > > shell route delete -mpath default HISADDR > >> > > > > >> > > > What I tried in pf.conf is: > >> > > > > >> > > > pass in on tun0 all keep state reply-to ( tun0 tun0:peer ) > >> > > > pass in on tun1 all keep state reply-to ( tun1 tun1:peer ) > >> > > > > >> > > > Asking PF statistics (pfctl -v -s rules) shows that no packet has > >> > > > been > >> > > > operated by those "reply-to" rules. > >> > > > > >> > > > Since I consider PF a brilliant concept I would really appretiate any > >> > > > hint that would help. Thanks to all OpenBSD developers for their > >> > > > great > >> > > > work and thanks for any advice. > >> > > > > >> > > > > >> > > > Best regards > >> > > > > >> > > > Torsten > >> > > > > >> > > > > >> > > > -- > >> > > > > >> > ------------------------------------------------------------------------ > >> > > > Torsten Finke > >> > > > f...@igh-essen.com > >> > > > > >> > ------------------------------------------------------------------------ > >> > > > > >> > > > > >> > > > >> > > > >> > > -- > >> > > Cordialmente, > >> > > > >> > > 00110111 00111011 > >> > > >> > > >> > -- > >> > ------------------------------------------------------------------------ > >> > Torsten Finke > >> > f...@igh-essen.com > >> > ------------------------------------------------------------------------ > >> > > >> > > >> > >> > >> -- > >> Cordialmente, > >> > >> 00110111 00111011 > > > > -- > > ------------------------------------------------------------------------ > > Torsten Finke > > f...@igh-essen.com > > ------------------------------------------------------------------------ > > -- ------------------------------------------------------------------------ Torsten Finke f...@igh-essen.com ------------------------------------------------------------------------
