On 10/14/2015 01:17 PM, Giancarlo Razzolini wrote:
> On 14-10-2015 09:28, C.L. Martinez wrote:
>> I am using an OpenBSD vm to act as a firewall for my laptop and as
>> openVPN client to connect to several openvpn/ipsec servers.
> Your laptop is also running OpenBSD?
Nope. It is a CentOS 7.x.
>> In your opinion, what is the best option: rdomains or mpath? In both
>> cases I see one problem: I have only one external interface. How to
>> deal with this?
> You really, really need multiple default gateways?
Yes, because sometimes I will need two or more tunX interfaces up
(created by openvpn or openconnect) or an enc interface.
> Because if you only
> need to access some networks behind the OpenVPN/IPsec servers, wouldn't
> it be easier if you got the routes to these networks and their
> respective gateways from the OpenBSD firewall? If you are using dhcpd,
> it can send custom routes to your machine. There is one caveat
> though: it should also send a default route. Something like this should do:
>
> host laptop {
>     option classless-static-routes <net> <gw>, <net> <gw>,
>                                    0.0.0.0/0 <gw>;
>     hardware ethernet xx:xx:xx:xx:xx:xx;
>     fixed-address x.x.x.x; # optional
> }
>
In the case of openconnect and openvpn, IPs are served by the gateways
(out of my control). With IPsec tunnels, I use fixed IPs in the
configuration files.
> With this you only need to deal with pass rules in your pf.conf, and you
> can selectively send the routes you want only to specific clients. Now,
> about mpath or rdomain: mpath is for configuring multiple default
> gateways for connections originating from the OpenBSD firewall itself.
All tunnels will be generated by this OpenBSD VM, not from my CentOS
host OS.
> For connections coming from the machines behind it, you only need
> route-to rules in your pf.conf; no need to configure multiple
> default gateways on the OpenBSD machine, unless you want to keep ntpd
> running,
Well, since this is a VM, I need to keep OpenBSD synced. Yes, I run
ntpd in this VM.
> In this case I find that using mpath alongside ifstated is
> easier than using rdomain, especially if your network layout is simple.
But ifstated is not needed in this scenario. If some of the tunnels
go down, I will lose some connections, but other connections will
stay alive, for example DNS requests to our internal servers. As long as
I don't lose the default gateway in the primary routing table, I can live
with it.
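Putting the split Giancarlo describes (route-to in pf.conf for traffic forwarded from the CentOS host, mpath only for connections the OpenBSD VM originates itself, such as ntpd) into a concrete pf.conf, as an added example that is not from either poster. Every interface name, address and network in it is an assumption chosen for illustration: em0 as the external interface, vio1 facing the CentOS host, tun0/tun1 as the tunnels, and documentation-range addresses for the remote networks.

```pf
# Added example, not from the thread. Assumed names: em0 is the external
# interface with default gateway 203.0.113.1, vio1 faces the CentOS host on
# 192.168.100.0/24, tun0/tun1 are OpenVPN or openconnect tunnels whose peer
# addresses 10.8.0.1/10.9.0.1 are assigned by the remote gateways, and
# 192.0.2.0/24 / 198.51.100.0/24 are the networks reached through each one.
ext_if    = "em0"
int_if    = "vio1"
lan       = "192.168.100.0/24"

vpn_a_if  = "tun0"
vpn_a_gw  = "10.8.0.1"
vpn_a_net = "192.0.2.0/24"

vpn_b_if  = "tun1"
vpn_b_gw  = "10.9.0.1"
vpn_b_net = "198.51.100.0/24"

set skip on lo

# The remote gateways only route back to the address they handed the
# client, so forwarded LAN traffic is NATed to the tunnel address on its
# way out; the same is done on the external interface.
match out on $vpn_a_if from $lan nat-to ($vpn_a_if)
match out on $vpn_b_if from $lan nat-to ($vpn_b_if)
match out on $ext_if   from $lan nat-to ($ext_if)

block return

# Forwarded traffic from the CentOS host: route-to picks the tunnel by
# destination, so the primary routing table keeps its single default
# route on $ext_if and no second default gateway is needed for this.
pass in quick on $int_if from $lan to $vpn_a_net route-to ($vpn_a_if $vpn_a_gw)
pass in quick on $int_if from $lan to $vpn_b_net route-to ($vpn_b_if $vpn_b_gw)
pass in on $int_if from $lan

pass out on { $ext_if $vpn_a_if $vpn_b_if }

# Only traffic the firewall itself originates (ntpd) needs mpath, and that
# is configured with route(8), not pf: enable multipath, then add the extra
# default routes with -mpath so they coexist instead of replacing each other.
#   sysctl net.inet.ip.multipath=1
#   route add -mpath default 203.0.113.1 -ifp em0
#   route add -mpath default 10.8.0.1 -ifp tun0
# "route -n show -inet" then lists every default with the P (multipath)
# flag. Routes through a tun interface go away when that interface does,
# so losing a tunnel leaves the $ext_if default in place, which is the
# behaviour accepted above.
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and with `pfctl -ss` after sending some traffic to confirm that states for $vpn_a_net are created on the tunnel interface rather than on $ext_if.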