I am planning to experiment with veb on my PC Engines apu2e4 board. It has three ports (em0, 1 and 2). Current configuration has em0 hooked up to cable modem, while em1 and em2 are internal LAN. I don't have a good ability to troubleshoot via a serial console, since the apu board sits in the garage on top of a cabinet -- running serial cable to a laptop is challenging, though not impossible. So I am looking for feedback so as to keep this troubleshooting time minimal.
Any feedback is welcome. Configs below. Thanks in advance.

-Amarendra

$ cat hostname.em1
mtu 9000
up

$ cat hostname.em2
mtu 9000
up

$ cat hostname.veb0
add em1
add em2
add vport0
link0
up

$ cat hostname.vport0
inet 192.168.1.1 255.255.255.0 192.168.1.255
mtu 9000
group internal
up

$ cat pf.conf
ruckus= "192.168.1.10"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# spoof protection
antispoof quick for egress
block in from no-route
block in quick from urpf-failed

# block martians!
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

# default deny
block all

# allow icmp
match in on egress inet proto icmp icmp-type { echoreq } tag ICMP_IN
block drop in on egress proto icmp
pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10
pass in on egress inet proto icmp icmp-type { 3 code 4, 11 code 0}

pass out quick on egress inet from internal nat-to (egress)
pass out quick inet
pass in on internal inet

# block dns queries that are not destined for our dns server.
block return in quick on internal proto { udp tcp } to ! internal port { 53 853 }

# block Ruckus AP from "phoning home"
block in quick on internal from $ruckus
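Added example, not part of Amarendra's post: a pre-flight checker for exactly this cut-over (every veb member has a hostname file, members match vport0's MTU, no address sits on a member) plus a dead-man timer that restores the old files and reboots unless the operator cancels it, which keeps a failed remote change from stranding a box with no serial console. The staging directory holding the four hostname files and pf.conf, the /root/netcfg.bak backup path, revert.sh and the 180 s grace period are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the veb(4)
# cut-over plus a dead-man timer, so a bad change cannot strand a headless apu2.
# Assumes OpenBSD's /etc/hostname.IF, /etc/pf.conf and /etc/netstart layout.
CONF_DIR="${CONF_DIR:-/etc}"   # point at a staging dir to check before install
# MTU set in hostname.IF, defaulting to 1500 when the file has no mtu line.
if_mtu() {
    awk 'BEGIN { m = 1500 } $1 == "mtu" { m = $2 } END { print m }' "$CONF_DIR/hostname.$1"
}
# Each "add" member of the veb needs its own hostname.IF, must match the vport's
# MTU (or jumbo frames are dropped at the bridge) and must not carry an inet
# line: addresses belong on the vport, not on members. Returns 0 when sane.
check_veb() {
    veb="$1"; vport="$2"; rc=0; want=$(if_mtu "$vport")
    for m in $(awk '$1 == "add" { print $2 }' "$CONF_DIR/hostname.$veb"); do
        f="$CONF_DIR/hostname.$m"
        if [ ! -f "$f" ]; then echo "missing hostname.$m (member of $veb)" >&2; rc=1; continue; fi
        have=$(if_mtu "$m")
        [ "$have" = "$want" ] || { echo "mtu mismatch: $m=$have $vport=$want" >&2; rc=1; }
        if [ "$m" != "$vport" ] && grep -q '^inet' "$f"; then
            echo "$m is a veb member but has an inet line" >&2; rc=1
        fi
    done
    return $rc
}
# Constructed staging copy of the post's files, with one deliberate fault
# (em2 left at the default MTU) so the checker can be exercised offline.
make_sample() {
    d=$(mktemp -d)
    printf 'mtu 9000\nup\n' > "$d/hostname.em1"
    printf 'up\n' > "$d/hostname.em2"
    printf 'add em1\nadd em2\nadd vport0\nlink0\nup\n' > "$d/hostname.veb0"
    printf 'inet 192.168.1.1 255.255.255.0 192.168.1.255\nmtu 9000\ngroup internal\nup\n' \
        > "$d/hostname.vport0"
    echo "$d"
}
# Real cut-over: check the staged files, save the live ones, install, bring the
# interfaces and ruleset up, then arm a timer that restores the saved files and
# reboots unless the operator runs "pkill -f revert.sh" within $grace seconds.
apply_with_rollback() {
    stage="$1"; grace="${2:-180}"; bak=/root/netcfg.bak; CONF_DIR="$stage"
    check_veb veb0 vport0 && pfctl -nf "$stage/pf.conf" || return 1
    mkdir -p "$bak" && cp /etc/hostname.* /etc/pf.conf "$bak/" || return 1
    printf 'sleep %s\nrm -f /etc/hostname.veb0 /etc/hostname.vport0\n' "$grace" > "$bak/revert.sh"
    printf 'cp %s/hostname.* %s/pf.conf /etc/ && reboot\n' "$bak" "$bak" >> "$bak/revert.sh"
    cp "$stage"/hostname.* "$stage/pf.conf" /etc/ || return 1
    nohup sh "$bak/revert.sh" >/dev/null 2>&1 &
    sh /etc/netstart em1 em2 veb0 vport0 && pfctl -f /etc/pf.conf
}
```

sh /etc/netstart only adds configuration, so any address still on em1 or em2 from the old hostname files stays until removed by hand or by a reboot; once the LAN answers again, cancel the timer with pkill -f revert.sh.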