On Sun, Jan 22, 2023 at 10:25:13AM +0100, Hrvoje Popovski wrote:
> On 22.1.2023. 3:27, Scott Colby wrote:
> > Hello,
> >
> > I am trying to set up a router with a fresh install of OpenBSD 7.2,
> > and I'm having a hard time grokking how to use veb.
> >
> > I have organized my network into 4 subnets:
> >
> > - DHCP "WAN"
> > - 192.168.0.0/24 "LAN"
> > - 192.168.2.0/24 "IOT"
> > - 192.168.3.0/24 "Guest"
> >
> > My computer has 4 interfaces em{0..3} and my desired setup has the
> > following qualities:
> > - em0 is the WAN uplink with DHCP
> > - em1 is the uplink to my WAP and carries all 3 internal networks,
> >   with "LAN" untagged and "IOT" and "Guest" tagged as VLAN 1102
> >   and 1103, respectively
> > - em2 carries only "LAN", untagged
> > - em3 carries only "IOT", untagged
> >
> > I think I should have configuration files like:
> > hostname.em0:
> > inet autoconf
> >
> > hostname.em{1..3}:
> > up
> >
> > hostname.veb0:
> > add em1
> > add em2
> > add em3
> > add vport0 # ??
> > add vport1 # ??
> > up
> >
> > As for the vlan and vport interfaces, I have no idea.
> >
> > After this, of course, I will want to do some filtering with pf
> > (such as hosts on "IOT" and "Guest" not having access to hosts on
> > "LAN.")
> >
it sounds like you already understand using different interfaces and
subnets to separate/isolate classes of devices on different networks.
your problem is that the same class of network exists on multiple
interfaces on your router.

you could solve this problem by adding more subnets, one for each
interface rather than one per device class, and then applying the
policy to groups of interfaces. eg:

## hostname.em1:
description "LAN Wifi"
group lan
inet 192.168.10.1/24

## hostname.vlan1102
parent em1
vnetid 1102
description "IOT WiFi"
group iot
inet 192.168.12.1/24
up

## hostname.vlan1103
parent em1
vnetid 1103
description "Guest Wifi"
group guest
inet 192.168.13.1/24
up

## hostname.em2
description "LAN Ethernet"
group lan
inet 192.168.0.1/24
up

## hostname.em3
description "IOT Ethernet"
group iot
inet 192.168.2.1/24

then you can write rules using interface groups to apply policy
instead of ip addresses. eg, to block the guest and iot networks from
talking to the lan network:

block out quick on lan any received-on guest
block out quick on lan any received-on iot

however, you're asking about how to join the interfaces together at
the layer 2 level and keep a single layer 3 interface facing each of
those classes of network, which is what hrvoje has written config for
below.

> Didn't test this but maybe something like this

yep. the idea is that separate vebs are isolated like the traffic on
separate vlan interfaces is isolated. you create a veb per class of
device, and add the physical interfaces that face those classes to
their respective vebs. the vebs then only allow layer 2 communication
between the ports, so you add the vports to plug the IP stack on the
firewall into those networks and allow routing and pf between them.
> hostname.em0
> description WAN
> inet autoconf
>
> hostname.em1
> description "LAN Wifi"
> up
>
> hostname.em2
> description "LAN Ethernet"
> up
>
> hostname.em3
> description "IOT Ethernet"
> up
>
> hostname.vport1
> description "LAN"
> inet X.X.X.X/XX <- gateway for LAN
>
> hostname.veb1
> description "LAN"
> link1

you don't want to enable link1 unless you want pf to filter traffic on
the veb ports, and then you have to be careful to avoid having pf see
the packet again on the vport1 interface.

> add em1
> add em2
> add vport1
> up
>
> hostname.vlan1102
> parent em1
> vnetid 1102
> description "IOT WiFi"
> up
>
> hostname.vport2
> description "IOT"
> address X.X.X.X/XX <- gateway for IOT
>
> hostname.veb2
> description "IOT"
> link1

same here, don't set link1

> add vlan1102
> add em3
> add vport2
> up
>
> hostname.vlan1103
> parent em1
> vnetid 1103
> description "Guest Wifi"
> address X.X.X.X/XX <- gateway for Guest
> up
>
>
> if this is working then you can use pf to filter traffic between networks.
>
> man veb
> man ifconfig and search for VEB
>
> > My questions are thus:
> > 1) What is the proper network configuration to achieve the above
> > goal?
> > 2) What is the right way to filter packets transiting between subnets
> > in this configuration? I see in the man page that the directionality
> > of packets emerging from a veb to the network stack is not normal.
> > I've seen things with adding groups to the interfaces, but not
> > sure what that gets me that using interface names in pf.conf
> > doesn't.

Unless you enable link1 on the veb interfaces, you don't have to worry
about pf and direction. Without link1, pf will only run on the vport
interfaces when traffic is routed between the different subnets.

> >
> > Thanks in advance for any help that you can provide!
> >
> > Scott
> >
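As an added example (not from this thread or any of its authors), here is the veb-per-class layout discussed above staged as hostname.if(5) files in a scratch directory, with the interface groups and the two pf rules from the reply carried over onto the vports, plus a small lint that catches the two things the reply warns about: link1 set on a veb, and an IP address on a bridged port instead of on the vport. The gateway addresses 192.168.0.1, 192.168.2.1 and 192.168.3.1, the lint itself and the scratch-directory layout are assumptions; the thread only gives the subnets and the interface names.

```sh
#!/bin/sh
# Stage the "one veb per device class" hostname.if files into a scratch
# directory (never /etc) and lint them. The .1 gateway addresses are assumed.

# Write the staged configuration into $1.
stage_config() {
    dir=$1
    mkdir -p "$dir"
    printf 'description WAN\ninet autoconf\n' > "$dir/hostname.em0"
    # Bridged ports carry no address: they are only brought up.
    printf 'description "LAN Wifi"\nup\n' > "$dir/hostname.em1"
    printf 'description "LAN Ethernet"\nup\n' > "$dir/hostname.em2"
    printf 'description "IOT Ethernet"\nup\n' > "$dir/hostname.em3"
    printf 'parent em1\nvnetid 1102\ndescription "IOT WiFi"\nup\n' > "$dir/hostname.vlan1102"
    # Guest exists on one interface only, so it needs no veb: the address
    # goes straight on the vlan and the interface joins the "guest" group.
    printf 'parent em1\nvnetid 1103\ndescription "Guest Wifi"\ngroup guest\ninet 192.168.3.1/24\nup\n' \
        > "$dir/hostname.vlan1103"
    # The IP stack plugs into each veb through a vport, which also carries the group.
    printf 'description LAN\ngroup lan\ninet 192.168.0.1/24\n' > "$dir/hostname.vport1"
    printf 'description IOT\ngroup iot\ninet 192.168.2.1/24\n' > "$dir/hostname.vport2"
    # No link1: pf then runs only on the vports, not on the bridged ports.
    printf 'description LAN\nadd em1\nadd em2\nadd vport1\nup\n' > "$dir/hostname.veb1"
    printf 'description IOT\nadd vlan1102\nadd em3\nadd vport2\nup\n' > "$dir/hostname.veb2"
    # The group-based rules from the reply, unchanged; "lan" now matches vport1.
    printf 'block out quick on lan any received-on guest\nblock out quick on lan any received-on iot\n' \
        > "$dir/pf.conf"
}

# Introduce the two mistakes the lint is meant to catch (for the demo only).
break_config() {
    dir=$1
    printf 'link1\n' >> "$dir/hostname.veb1"               # pf would see packets on veb ports and on vport1
    printf 'inet 192.168.0.2/24\n' >> "$dir/hostname.em2"  # address on a bridged port
}

# Return 0 if the staged files are consistent, 1 otherwise (reasons on stderr).
lint_config() {
    dir=$1
    rc=0
    for veb in "$dir"/hostname.veb*; do
        [ -f "$veb" ] || continue
        if grep -q '^link1' "$veb"; then
            echo "${veb##*/}: link1 set; pf would also filter on the veb ports" >&2
            rc=1
        fi
        # Every non-vport member must be address-less.
        for member in $(awk '$1 == "add" { print $2 }' "$veb"); do
            case $member in vport*) continue ;; esac
            if grep -Eqs '^(inet|inet6|address) ' "$dir/hostname.$member"; then
                echo "hostname.$member: address on a bridged port; put it on the vport" >&2
                rc=1
            fi
        done
    done
    # Every vport must belong to some veb, or its address is unreachable.
    for vp in "$dir"/hostname.vport*; do
        [ -f "$vp" ] || continue
        name=${vp##*/hostname.}
        if ! grep -qs "^add $name\$" "$dir"/hostname.veb*; then
            echo "$name: not a member of any veb, so nothing can reach its address" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo: the clean staging passes, the broken one is rejected.
good=$(mktemp -d) && stage_config "$good" && lint_config "$good" && echo "clean layout: ok"
bad=$(mktemp -d) && stage_config "$bad" && break_config "$bad"
lint_config "$bad" || echo "broken layout: rejected"
rm -rf "$good" "$bad"
```

Running it prints "clean layout: ok" for the staged files, then the two lint messages followed by "broken layout: rejected" for the copy with link1 and an address on em2. Copying the staged files into /etc and running sh /etc/netstart is a separate, deliberate step; the script never touches the live configuration.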