From owner-freebsd-pf@FreeBSD.ORG Wed Sep 24 13:37:01 2014
From: "Nagle, Edwin (James)"
To: freebsd-pf@freebsd.org
Subject: Source based routing
Date: Wed, 24 Sep 2014 13:35:53 +0000
Message-ID: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi all,

I'm trying to accomplish something that I think should be pretty simple, but cannot figure out how to do... Here is my scenario:

I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet. The users coming in will need to have their IP sourced from the same IP as they arrived on, because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets. Incoming access will be controlled by RADIUS based on IP address. Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on).

The server has four interfaces configured: the physical interface (bce0) and three virtual (tap0, tap1, tap2).

I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables. I found a good article which describes source based routing with multiple routing tables, but I think my problem stems from having all the IP addresses on the same network subnet. I have successfully been able to have the outbound NAT to a single IP, but I'm still unclear on how PF works, so I'm basically mucking around trying to find something that works (please forgive my ignorance).

My current pf.conf:

    nat on ! tap0 from any to any port ssh -> 10.1.9.59
    nat on ! tap1 from any to any port ssh -> 10.1.9.60
    nat on ! tap2 from any to any port ssh -> 10.1.9.61

All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on. I need to basically match the incoming IP and NAT outbound TCP 22 traffic across the same IP.

Anyone have any ideas or suggestions as to how to accomplish this?

Many thanks in advance for any guidance.

James
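Added example (editorial, not part of the thread and not a pf configuration). pf evaluates translation rules first-match, and "on ! tap0" matches every packet leaving bce0, so the first of the three nat rules above wins for all outbound ssh. The deeper problem is that the user's outbound ssh is a brand-new connection started by their shell; pf sees only the packets and has no way to tie them to the inbound session the user arrived on. One way to carry that information is in userland: sshd exports SSH_CONNECTION as "client_ip client_port server_ip server_port", so a wrapper can take the server-side address the user connected to and hand it to the outbound client with ssh -b, which sets the source address of the new connection. The POSIX sh below does that and refuses to run rather than falling back to bce0's address. The three listener addresses are the ones from the post; the SSH_CONNECTION value and hostnames used when exercising it are constructed.

```sh
#!/bin/sh
# Added example: bind a user's outbound ssh to the address they arrived on.
# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port";
# field 3 is the local address the user connected to.

# Listener addresses from the post; anything else is rejected.
ALLOWED_SOURCES="10.1.9.59 10.1.9.60 10.1.9.61"

# Print the server-side address of the current session, or fail when
# SSH_CONNECTION is missing or malformed. "set --" inside a function
# only rebinds the function's own positional parameters.
arrival_addr() {
    conn="${SSH_CONNECTION:-}"
    # shellcheck disable=SC2086
    set -- $conn
    [ "$#" -eq 4 ] || return 1
    printf '%s\n' "$3"
}

# Succeed only if the address is one of the configured listener IPs.
is_allowed_source() {
    for a in $ALLOWED_SOURCES; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Compose the outbound command line without running it, so the result
# can be inspected. Returns 1 when the arrival address is unknown and
# 2 when it is not one of the allowed listener addresses.
build_ssh_args() {
    src=$(arrival_addr) || return 1
    is_allowed_source "$src" || return 2
    printf 'ssh -b %s %s\n' "$src" "$*"
}

# Wrapper entry point: exec the real client bound to the arrival address.
# Refusing is deliberate; silently using bce0's address would let the
# external firewall see a source IP the user was never admitted on.
outbound_ssh() {
    src=$(arrival_addr) || {
        echo "refusing: cannot determine arrival address from SSH_CONNECTION" >&2
        return 1
    }
    is_allowed_source "$src" || {
        echo "refusing: $src is not a permitted source address" >&2
        return 1
    }
    exec ssh -b "$src" "$@"
}
```

To put it in front of users, install the file as an ssh wrapper earlier in their PATH (or as an alias in a restricted shell), or invoke it from an sshd ForceCommand so the forwarding hop cannot be bypassed. The pf nat rules become unnecessary for this case, since each outbound connection already leaves with the right source; a plain pass rule per address suffices.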