From: Oliver Peter
To: "Nagle, Edwin (James)"
Cc: freebsd-pf@freebsd.org
Subject: Re: Source based routing
Date: Wed, 24 Sep 2014 16:18:13 +0200
Message-ID: <20140924141813.GA14170@mail.opdns.de>
In-Reply-To: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wed, Sep 24, 2014 at 01:35:53PM +0000, Nagle, Edwin (James) wrote:
> Hi all,
>
> I'm trying to accomplish something that I think should be pretty simple, but cannot figure out how to do... Here is my scenario:
>
> I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet. The users coming in will need to have their IP sourced from the same IP as they arrived on because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets. Incoming access will be controlled by radius based on IP address. Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on).
>
> The server has four interfaces configured, the physical interface (bce0) and three virtual (tap0, tap1, tap2).
>
> I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables. I found a good article which describes source based routing with multiple routing tables, but I think my problem stems from having all the IP addresses on the same network subnet. I have successfully been able to have the outbound NAT to a single IP, but I'm still unclear on how PF works, so I'm basically mucking around trying to find something that works (please forgive my ignorance):
>
> My current pf.conf:
>
> nat on ! tap0 from any to any port ssh -> 10.1.9.59
> nat on ! tap1 from any to any port ssh -> 10.1.9.60
> nat on ! tap2 from any to any port ssh -> 10.1.9.61
>
> All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on. I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP.
>
> Anyone have any ideas or suggestions as to how to accomplish this?

Check out the Routing section in pf.conf and give 'route-to' a try; an example for outgoing traffic could be:

pass out log quick on $ext_if route-to tap0 from (tap0:network) to any port ssh

--
Oliver PETER  oliver@gfuzz.de  0x456D688F