I ran OpenVPN on the loopback and did an rdr (back in the day). It has worked for me.
http://marc.info/?l=openbsd-misc&m=119446553412564&w=2

-Steve S.

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf
> Of Dr.-Ing. Torsten Finke
> Sent: Wednesday, January 11, 2012 10:48 AM
> To: misc@openbsd.org
> Subject: Re: Multiple ISP-connections/Routing/Packet filtering
>
> Hello Russell,
>
> On Wed, Jan 11, 2012 at 07:46:59AM -0500, Russell Garrison wrote:
> > Have you considered routing domains?
>
> No, I have not. Following your hint I started to study their concept,
> but have not found a description that would fit my situation.
>
> Thanks for your idea and
>
> best regards
>
> Torsten
>
> > On Tue, Jan 10, 2012 at 1:41 PM, Dr.-Ing. Torsten Finke
> > <torsten.fi...@igh-essen.com> wrote:
> > > Hello Jorge,
> > >
> > > > I read again your mail and now I'm lost!
> > > >
> > > > You wrote:
> > > >
> > > > "How can I force my Extl. FW to reply on exactly the same interface
> > > > it had been requested on? For example I am running
> > > > OpenVPN(1194/UDP) between my HomeOffice (Z=Client) and the
> > > > Intl. FW(=Server). Alike I would appreciate SSH-portforwarding
> > > > from Internet to the Intl. FW."
> > > >
> > > > SSH port forwarding from the internet to an internal server is
> > > > something like:
> > > >
> > > > ext_if=vr0
> > > > ext_ip=1.2.3.4
> > > > Spvt=4.5.6.7
> > > >
> > > > match in on $ext_if proto tcp from any to $ext_ip port 22 rdr-to $Spvt
> > > >
> > > > pass in on $ext_if proto tcp from any to $Spvt port 22
> > > > pass out on $int_if proto tcp from any to $Spvt port 22
> > > >
> > > > The above line redirects all traffic coming from any place on the
> > > > internet to my external IP (1.2.3.4) to the server 4.5.6.7 which
> > > > is located in my internal LAN; in other words the packet comes in
> > > > on the external interface and goes out on the internal interface.
> > > >
> > > > This works on OpenBSD 4.8 or newer!
> > > >
> > > > Is this what you need?
> > >
> > > No. Obviously I have not explained clearly what my problem is.
> > >
> > > On my firewall I have TWO different internet connections. It is
> > > simple to forward - for instance ssh - from both connections to an
> > > internal machine. Now this machine answers and the firewall sends
> > > the reply back. How can I force the firewall to send the reply over
> > > exactly the interface the request came in on? The problem is that the
> > > client anywhere on the internet expects the answer from the very
> > > address it had contacted. If the reply now comes from another address,
> > > it will get lost.
> > >
> > > Best regards
> > >
> > > Torsten
> > >
> > > > On Tue, Jan 10, 2012 at 10:46 AM, Dr.-Ing. Torsten Finke <
> > > > torsten.fi...@igh-essen.com> wrote:
> > > >
> > > > > Hello Jorge,
> > > > >
> > > > > > If I understood you well, the answer to your question is here!
> > > > > >
> > > > > > http://www.openbsd.org/faq/pf/pools.html
> > > > > >
> > > > > > Under the section "Load Balancing Outgoing Traffic", or take a
> > > > > > look at:
> > > > > >
> > > > > > http://www.openbsd.org/faq/faq6.html#Multipath
> > > > > >
> > > > > > There are good examples there!
> > > > > >
> > > > > > I hope this can help!
> > > > >
> > > > > Thank you for this. The FAQ on pools has nice examples but none
> > > > > of them really faces my problem. It discusses load balancing of
> > > > > incoming traffic to several servers as well as load balancing of
> > > > > outgoing traffic. I cannot figure out how to dispatch replies to
> > > > > incoming requests over different connections.
> > > > >
> > > > > The FAQ on multipath has helped me very well to set up multiple
> > > > > default routes - this works very well.
> > > > >
> > > > > Best regards
> > > > >
> > > > > Torsten
> > > > >
> > > > > > > Dear List,
> > > > > > >
> > > > > > > Here I show my network topology. Maybe it seems quite
> > > > > > > typical. My internal network is located behind an Intl/Extl
> > > > > > > Firewall which is connected to the Internet (IN) via
> > > > > > > pppoe/ppp(8). On the other side I run different systems, for
> > > > > > > instance a home office network, a mobile laptop, and several
> > > > > > > customers.
> > > > > > >
> > > > > > >       +---+   +---+
> > > > > > >       | A |   | B |  (PC)
> > > > > > >       +-+-+   +-+-+
> > > > > > >         |       |       +---------+
> > > > > > >    ---+-------+--------| Intl FW |---(DMZ)---+
> > > > > > >    (LAN/int)           +---------+           |
> > > > > > >                                              |
> > > > > > >    +-----------------------------------------+
> > > > > > >    |                                                        +---+
> > > > > > >    |                                          ____          | Z |  (PC)
> > > > > > >    |                                         (    )         +---+
> > > > > > >    |  +---------+ pppoe/ppp(8) +-----------+ (      )  +----+   |
> > > > > > >    |  |         |--------------| DSL-Modem |--(      )--| GW |---+-
> > > > > > >    |  |         | rl0/tun0     +-----------+ (      )  +----+ (HomeOffice)
> > > > > > >    +--| Extl FW |                            (  IN  )  +----------+
> > > > > > >       |         | pppoe/ppp(8) +-----------+ (      )--| Customer |
> > > > > > >       |         |--------------| DSL-Modem |--(      )  +----------+
> > > > > > >       +---------+ rl1/tun1     +-----------+ (      )  +--------+
> > > > > > >       OpenBSD 4.8                             (____)--| Mobile |
> > > > > > >                                                        +--------+
> > > > > > >
> > > > > > > My question is about the setup of routing and packet
> > > > > > > filtering on the External Firewall:
> > > > > > >
> > > > > > > How can I force my Extl. FW to reply on exactly the same
> > > > > > > interface it had been requested on? For example I am running
> > > > > > > OpenVPN(1194/UDP) between my HomeOffice (Z=Client) and the
> > > > > > > Intl. FW(=Server). Alike I would appreciate SSH-portforwarding
> > > > > > > from Internet to the Intl. FW.
> > > > > > >
> > > > > > > I tried using "route-to" and "reply-to", but that did not
> > > > > > > work - PF.CONF(5) says this should do, but I could not figure
> > > > > > > out how. I did not understand how "route-to" and "reply-to"
> > > > > > > actually work (could not find any explanation, though I have
> > > > > > > tried hard to search for one).
> > > > > > >
> > > > > > > Everything else (NAT, outbound load balancing, filtering)
> > > > > > > works just fine.
> > > > > > >
> > > > > > > My routing is:
> > > > > > >
> > > > > > > default XXX.X.XX.XXX UGSP 2 101853 - 8 tun0
> > > > > > > default XXX.X.XX.XXX UGSP 0 988 - 8 tun1
> > > > > > >
> > > > > > > I manage my multipath routes (net.inet.ip.multipath=1) via
> > > > > > >
> > > > > > > - ppp.linkup:
> > > > > > >   MYADDR:
> > > > > > >     shell route add -mpath default HISADDR
> > > > > > >
> > > > > > > - ppp.linkdown:
> > > > > > >   MYADDR:
> > > > > > >     shell route delete -mpath default HISADDR
> > > > > > >
> > > > > > > What I tried in pf.conf is:
> > > > > > >
> > > > > > > pass in on tun0 all keep state reply-to ( tun0 tun0:peer )
> > > > > > > pass in on tun1 all keep state reply-to ( tun1 tun1:peer )
> > > > > > >
> > > > > > > Asking PF statistics (pfctl -v -s rules) shows that no packet
> > > > > > > has been handled by those "reply-to" rules.
> > > > > > >
> > > > > > > Since I consider PF a brilliant concept I would really
> > > > > > > appreciate any hint that would help. Thanks to all OpenBSD
> > > > > > > developers for their great work and thanks for any advice.
> > > > > > >
> > > > > > > Best regards
> > > > > > >
> > > > > > > Torsten
> > > > > > >
> > > > > > > --
> > > > > > > ------------------------------------------------------------------------
> > > > > > > Torsten Finke
> > > > > > > f...@igh-essen.com
> > > > > > > ------------------------------------------------------------------------
> > > > > >
> > > > > > --
> > > > > > Cordialmente,
> > > > > >
> > > > > > 00110111 00111011
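The rule shape the thread is circling around, written out as an added example (this is not the original poster's ruleset, nor anything Jorge or Steve posted). It assumes the two uplinks are tun0/tun1 as in the topology above, and it invents an internal interface name (rl2) and two RFC 1918 addresses for the forwarded SSH host and the OpenVPN server on the Intl FW; those are placeholders. The syntax is the OpenBSD 4.7 to 5.x form, `reply-to ( interface address )`, matching the 4.8 box in the thread; recent OpenBSD releases changed the routehost syntax, so check pf.conf(5) for the release you run. Two points the example depends on: `reply-to` has to sit on the `pass in` rule that creates the state for the inbound packet, and pf uses last-matching-rule semantics, so a broad `pass in on tun0 all ... reply-to` placed early is overridden by any later pass rule that also matches the same packet, which leaves the reply-to rule with zero counters in `pfctl -v -s rules`. Hence the rules below are `quick`.

```pf
# Added example, not from the thread. Placeholders:
ext_if1 = "tun0"            # uplink 1, ppp(8)/pppoe, as in the diagram
ext_if2 = "tun1"            # uplink 2
int_if  = "rl2"             # assumed LAN-side interface of the Extl FW
ssh_srv = "192.168.1.10"    # assumed internal SSH host (Jorge's $Spvt)
vpn_srv = "192.168.1.1"     # assumed Intl FW running the OpenVPN server

set skip on lo

# Outbound NAT per uplink; the multipath default route picks the uplink,
# the parenthesised interface picks that uplink's current PPPoE address.
match out on $ext_if1 from $int_if:network nat-to ($ext_if1)
match out on $ext_if2 from $int_if:network nat-to ($ext_if2)

# Inbound port forwards, one per uplink, keyed on each uplink's own address.
match in on $ext_if1 proto tcp to ($ext_if1) port 22   rdr-to $ssh_srv
match in on $ext_if2 proto tcp to ($ext_if2) port 22   rdr-to $ssh_srv
match in on $ext_if1 proto udp to ($ext_if1) port 1194 rdr-to $vpn_srv
match in on $ext_if2 proto udp to ($ext_if2) port 1194 rdr-to $vpn_srv

block log all

# The state-creating rule carries reply-to: replies matching this state are
# sent out the interface the request arrived on, to that link's peer, instead
# of following the (multipath) default route. "quick" stops a later, broader
# pass rule from becoming the matching rule and silently dropping reply-to.
pass in quick on $ext_if1 proto tcp to $ssh_srv port 22 \
    reply-to ($ext_if1 $ext_if1:peer)
pass in quick on $ext_if2 proto tcp to $ssh_srv port 22 \
    reply-to ($ext_if2 $ext_if2:peer)
pass in quick on $ext_if1 proto udp to $vpn_srv port 1194 \
    reply-to ($ext_if1 $ext_if1:peer)
pass in quick on $ext_if2 proto udp to $vpn_srv port 1194 \
    reply-to ($ext_if2 $ext_if2:peer)

# Same treatment for services on the Extl FW itself (e.g. its own sshd),
# otherwise its replies also leave via whichever default route wins.
pass in quick on $ext_if1 proto tcp to ($ext_if1) port 22 \
    reply-to ($ext_if1 $ext_if1:peer)
pass in quick on $ext_if2 proto tcp to ($ext_if2) port 22 \
    reply-to ($ext_if2 $ext_if2:peer)

# Forwarded packets leaving towards the LAN, and ordinary outbound traffic.
pass out on $int_if proto tcp to $ssh_srv port 22
pass out on $int_if proto udp to $vpn_srv port 1194
pass out on { $ext_if1 $ext_if2 }
pass in  on $int_if
```

To check it, load with `pfctl -f /etc/pf.conf`, connect to each uplink's address from outside, and confirm with `pfctl -v -s rules` that the counters on the `reply-to` rules (not on some later pass rule) increase; `pfctl -v -s rules` also prints the expanded rule, so you can see which peer address `tunN:peer` resolved to. Because the PPPoE peer address can change on reconnect, the ruleset should be reloaded from the same ppp.linkup hook that adds the `-mpath` default route; whether the `:peer` address in a routehost is re-resolved dynamically or fixed at load time is something to verify on your release rather than assume.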