On Sun, Sep 08, 2013 at 12:47:28AM +0100, Simon Slaytor wrote:
> On 07/09/2013 23:22, Florian Obser wrote:
> >So you have 172.16.10.254 on two interfaces on the same box? I don't
> >think that will end well. I would go with two firewalls, one nats NetA,
> >the other nats NetB and put a link net in between.
> >
> Yes I was thinking this myself, just wondering if I could do
> something with VRFs and PF's route-to as a way to avoid this?
>
Of course, you can do this with rdomains and PF on OpenBSD. I attached an
example below. The PF bits can probably be simplified, but I currently
don't remember if there was a nicer way to do this. This example has some
limitations when it comes to the gateway itself; you cannot reach the
gateway address from the remote side (172.16.20.1 from NET_A).

# ifconfig em0 rdomain 1 172.16.10.1/24
# ifconfig em1 rdomain 2 172.16.10.1/24

/etc/pf.conf:
---snip---
net_a_if="em0"
net_b_if="em1"

block in
pass out

pass in on rdomain 1 to 172.16.20.0/24 rdr-to 172.16.10.0/24 bitmask \
	route-to $net_b_if tag NET_A rtable 2
pass out on rdomain 2 nat-to 172.16.30.0/24 static-port bitmask tagged NET_A

pass in on rdomain 2 to 172.16.30.0/24 rdr-to 172.16.10.0/24 bitmask \
	route-to $net_a_if tag NET_B rtable 1
pass out on rdomain 1 nat-to 172.16.20.0/24 static-port bitmask tagged NET_B
---snap---

Reyk
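To make the two-stage rewrite in the pf.conf above easier to follow, here is an added walkthrough (not part of the thread, and not Reyk's or OpenBSD's code) that models what the `bitmask` pool option does to a packet on each leg: `rdr-to ... bitmask` keeps the host bits of the destination and swaps the network bits, then the `nat-to ... bitmask` on the other rdomain does the same to the source. The prefixes and host addresses are the ones from the mail; the function names, the packet tuples and the assumption that replies can be modelled by applying the opposite rule pair statelessly (real PF handles replies through its state table) are constructed for illustration.

```python
import ipaddress

# Networks as laid out in the pf.conf from the mail. Both LANs really use
# 172.16.10.0/24; each side reaches the other through a "virtual" prefix.
NET_A_REAL = ipaddress.ip_network("172.16.10.0/24")   # em0, rdomain 1
NET_B_REAL = ipaddress.ip_network("172.16.10.0/24")   # em1, rdomain 2
NET_B_SEEN_FROM_A = ipaddress.ip_network("172.16.20.0/24")  # rdr-to target on rdomain 1
NET_A_SEEN_FROM_B = ipaddress.ip_network("172.16.30.0/24")  # nat-to source on rdomain 2


def bitmask_translate(addr, src_net, dst_net):
    """Model of PF's 'bitmask' pool: keep the host bits of addr, replace the
    network bits with those of dst_net. Both prefixes must be the same length."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("bitmask translation needs equal prefix lengths")
    hostmask = int(src_net.hostmask)
    netbits = int(dst_net.network_address) & ~hostmask
    return ipaddress.ip_address(netbits | (int(addr) & hostmask))


def a_to_b(src, dst):
    """Packet entering em0 (rdomain 1) from NET_A towards 172.16.20.x.
    Returns (src, dst, rdomain) as it is delivered on em1."""
    # Leg 1: 'pass in on rdomain 1 to 172.16.20.0/24 rdr-to 172.16.10.0/24 bitmask'
    # rewrites the destination and (via route-to/rtable 2) hands the packet to rdomain 2.
    dst_real = bitmask_translate(dst, NET_B_SEEN_FROM_A, NET_B_REAL)
    # Leg 2: 'pass out on rdomain 2 nat-to 172.16.30.0/24 ... tagged NET_A'
    # rewrites the source so hosts in NET_B see the sender as 172.16.30.x.
    src_seen = bitmask_translate(src, NET_A_REAL, NET_A_SEEN_FROM_B)
    return str(src_seen), str(dst_real), 2


def b_to_a(src, dst):
    """Mirror image: packet entering em1 (rdomain 2) from NET_B towards 172.16.30.x."""
    dst_real = bitmask_translate(dst, NET_A_SEEN_FROM_B, NET_A_REAL)
    src_seen = bitmask_translate(src, NET_B_REAL, NET_B_SEEN_FROM_A)
    return str(src_seen), str(dst_real), 1


def round_trip_ok(src_a, dst_virtual_b):
    """Constructed consistency check: a host in NET_A sends to a 172.16.20.x
    address; the NET_B host answers to the 172.16.30.x source it saw. The reply
    must come back to the original sender with the original virtual address as
    its source, otherwise the two rule pairs would not be symmetric."""
    nat_src, real_dst, _ = a_to_b(src_a, dst_virtual_b)
    reply_src, reply_dst, _ = b_to_a(real_dst, nat_src)
    return reply_dst == src_a and reply_src == dst_virtual_b


def hits_gateway(dst_virtual_b):
    """True when the translated destination is the gateway's own em1 address
    (172.16.10.1), the case the mail notes does not work from the remote side."""
    return bitmask_translate(dst_virtual_b, NET_B_SEEN_FROM_A, NET_B_REAL) == \
        ipaddress.ip_address("172.16.10.1")


if __name__ == "__main__":
    # Constructed hosts: .37 in NET_A talks to .55 in NET_B.
    print(a_to_b("172.16.10.37", "172.16.20.55"))   # -> ('172.16.30.37', '172.16.10.55', 2)
    print(b_to_a("172.16.10.55", "172.16.30.37"))   # -> ('172.16.20.55', '172.16.10.37', 1)
    print(round_trip_ok("172.16.10.37", "172.16.20.55"))
    print(hits_gateway("172.16.20.1"))
```

The point of `bitmask` over the default round-robin pool is visible in `bitmask_translate`: host .55 in the virtual prefix always maps to host .55 in the real one, so the mapping is one-to-one and needs no per-host state. `hits_gateway` shows why 172.16.20.1 is the exception Reyk mentions: it translates to 172.16.10.1, which is the firewall's own address on em1, not a host behind it.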