I have 2 OpenBSD 4.5 firewalls running, one in colo, one behind residential cable (the firewall has a public on it). I am trying to NAT, on the colo firewall, a box that is behind the cable connection through a tunnel, to allow public IPs from the colo to be used on servers which reside behind a residential cable connection. I am trying to source route on the residential side to get the reply traffic back up to the colo and out.
Normal traffic through the tunnel works fine outside of the servers which are getting natted. The traffic for the servers, which are 10.0.0.20, .21 and .22, comes in the colo, gets natted fine (per tcpdump), is sent to the server, and the server responds; however, the cable firewall, instead of sending the traffic back out the tunnel to the colo, sends it out the local cable interface. Per tcpdump everything looks fine until the reply traffic hits the residential firewall, then it doesn't route back up to the colo properly. Any suggestions?

Thank you,
Lawrence

I have set up an ipsec tunnel between loopback interfaces, then set up a gre tunnel between the 2 loopbacks, as seen here on the colo side; the other side is the reverse.

*** from the colo box ***

# ipsecctl -s flow
flow esp in from 10.254.254.2 to 10.254.254.1 peer $public_ip srcid fire02 dstid fire01 type use
flow esp out from 10.254.254.1 to 10.254.254.2 peer $public_ip srcid fire02 dstid fire01 type require

# ifconfig lo1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
        priority: 0
        groups: lo
        inet 10.254.254.1 netmask 0xffffffff

# ifconfig gre0
gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> mtu 1476
        priority: 0
        groups: gre
        physical address inet 10.254.254.1 --> 10.254.254.2
        inet 10.254.254.5 --> 10.254.254.6 netmask 0xfffffffc
        inet6 fe80::20c:29ff:fe9e:d536%gre0 -> prefixlen 64 scopeid 0x7

# route show | grep 10.0.0/24
10.0.0/24          10.254.254.6       UGS        0     1318     -     8 gre0

*** from the residential box ***

# pfctl -s rules
scrub in on xl0 all fragment reassemble
block drop in all
block drop in quick from <ssh-attack> to any
pass out all flags S/SA keep state
pass on gre0 all flags S/SA keep state
pass in on xl1 all flags S/SA keep state
pass in on xl0 inet proto tcp from any to (xl0) port = ssh flags S/SA synproxy state (source-track rule, max-src-conn-rate 4/30, overload <ssh-attack> flush global, src.track 30)
pass in on xl0 inet proto udp from any to (xl0) port = isakmp keep state
pass in on xl0 inet proto udp from any to (xl0) port = ipsec-nat-t keep state
pass in on xl0 inet proto icmp from any to (xl0) keep state
pass in on xl0 inet proto esp from any to (xl0) keep state
pass out on xl0 route-to (gre0 10.254.254.5) inet from 10.0.0.20 to any flags S/SA keep state
pass out on xl0 route-to (gre0 10.254.254.5) inet from 10.0.0.21 to any flags S/SA keep state
pass out on xl0 route-to (gre0 10.254.254.5) inet from 10.0.0.22 to any flags S/SA keep state
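Added editorial example, not part of Lawrence's post: in PF, an existing state is matched before the ruleset is consulted, and states are floating across interfaces, so a `route-to` on a `pass out on xl0` rule is never reached for a packet whose state was already created by `pass on gre0` (connections arriving through the tunnel) or `pass in on xl1` (connections the servers open themselves). The routing decision has to sit on the state-creating rule: `reply-to` for tunnel-originated connections, `route-to` on the xl1 inbound rule for server-originated ones. The fragment below uses only the interface names and addresses shown in the post.

```pf
# Residential firewall pf.conf fragment (added example, assumptions below).
# Assumed from the post: xl0 = cable, xl1 = server LAN, gre0 = tunnel,
# 10.254.254.5 = colo end of gre0, 10.0.0.20-22 = the NATed servers.
ext_if  = "xl0"
int_if  = "xl1"
tun_if  = "gre0"
colo_gw = "10.254.254.5"
nat_srv = "{ 10.0.0.20, 10.0.0.21, 10.0.0.22 }"

scrub in on $ext_if all fragment reassemble

block drop in all
pass out all keep state

# Tunnel traffic in general (last matching rule wins, so the generic
# rule comes first and the specific one below overrides it).
pass on $tun_if all keep state

# NATed connections from the colo arrive on gre0 and create their state
# here.  reply-to pins the reply direction of that state to the tunnel,
# so the servers' answers return via the colo instead of following the
# default route out the cable interface.
pass in on $tun_if reply-to ($tun_if $colo_gw) inet from any to $nat_srv keep state

# LAN traffic in general.
pass in on $int_if all keep state

# Connections the NATed servers initiate enter on xl1; their state is
# created by this inbound rule, so route-to belongs here rather than on a
# "pass out on xl0" rule that is never evaluated once the state exists.
pass in on $int_if route-to ($tun_if $colo_gw) inet from $nat_srv to any keep state

# Tunnel transport from the post (IKE, NAT-T, ESP) on the cable interface.
pass in on $ext_if inet proto udp from any to ($ext_if) port { isakmp, ipsec-nat-t } keep state
pass in on $ext_if inet proto esp from any to ($ext_if) keep state
```

`pfctl -s states` will show the reply-to/route-to next hop on the affected states, which is the quickest way to confirm the rule that created the state was the one carrying the routing option.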