From: Jan Bramkamp
To: freebsd-net@freebsd.org
Subject: Re: Source routing howto
Date: Wed, 9 Mar 2016 12:33:26 +0100
Message-ID: <56E00A06.20700@rlwinm.de>
List-Id: Networking and TCP/IP with FreeBSD

On 09/03/16 11:29, elof2@sentor.se wrote:
> Hi all!
>
> I've been searching the internet but can't find any good
> documentation/examples on how to setup source routing in my FreeBSD.
>
> What I want to do:
>
> Let internet clients connect their OpenVPN to a FreeBSD box.
> The client's internet traffic should be routed to a separate firewall
> dedicated for all client networks (VPN and physical), where all clients
> then leave the network.
>
> The FreeBSD box has its own normal default gateway to speak with the
> internet.
> This route is needed in order to be able to keep the OpenVPN-traffic
> flowing.
>
> How do I source route the tunneled traffic, coming from e.g. 10.10.10.x
> to the "client firewall"?
>
> Are there any good examples out there?
> Do I have to compile a custom kernel?
>
> (the responses back from that firewall use a normal static route,
> pointing 10.10.10.0/24 to the FreeBSD box)

Do I understand you correctly that you have a FreeBSD box acting as

 * OpenVPN endpoint
 * router
 * and firewall

all in one system and you want to use the OpenVPN tunnel as default route for your *other* hosts? In that case what you need is some kind of *policy* based routing. One way to go about it is with more than one FIB (aka kernel routing table). The problem is that you have to decide on the routing table to use before performing the route lookup. For packets forwarded through your FreeBSD router you have to select a non-default FIB during input filtering, e.g.

    # simple case
    ipfw add setfib 1 all from any to any in via $lan_if

    # complex case for multiple interfaces
    # ipfw table add
    ipfw table 1 add $lan_if1 1
    ipfw table 1 add $lan_if2 2
    ipfw table 1 add $lan_if3 2
    # ...
    # lookup routing table number in a table
    ipfw add setfib tablearg all from any to any via table(1)

For traffic generated by your FreeBSD router you can't use the firewall to set the routing table because locally generated traffic only passes through output filtering, by which time the routing decision has already happened. Instead you can set a process's default routing table with the setfib(1) utility or use a setsockopt(2) with SO_SETFIB for each socket. Jails can also set the default routing table for sockets created inside the jail.
Remember that your DNS resolver can leak a lot of information as well if it uses the default routing table. I would avoid policies based on IP addresses and prefer to define policies based on (pseudo-) interfaces e.g. route (and nat?) traffic from vlan123 through the VPN tunnel.
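A worked setup for the two-FIB approach described in this reply, as an added example that is not part of the original message: the tunnel interface name, the client-firewall gateway address, the FIB number and the ipfw rule number are assumptions, and FIB 0 is left untouched so the box's own default gateway keeps the OpenVPN sessions alive.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes net.fibs=2 has been
# set in /boot/loader.conf and the box has been rebooted. Values below are
# constructed: tun0 is the assumed OpenVPN server interface, 192.0.2.1 the
# assumed client firewall (documentation address range).
VPN_IF="tun0"
CLIENT_FW="192.0.2.1"
CLIENT_FIB=1

# RUN=echo prints each command instead of executing it (dry run).
RUN="${RUN:-}"

# The kernel must have been booted with enough FIBs; an optional argument
# replaces the sysctl lookup so the check can be exercised offline.
fibs_ok() {
    n="${1:-$(sysctl -n net.fibs 2>/dev/null)}"
    [ "${n:-0}" -gt "$CLIENT_FIB" ]
}

# Default route of the extra FIB: everything looked up in this table leaves
# through the client firewall. FIB 0 keeps the host's normal default gateway.
fib_default_route() {
    $RUN route -n add -net default "$CLIENT_FW" -fib "$CLIENT_FIB"
}

# The FIB has to be chosen on input, before the route lookup happens, so
# the setfib rule matches packets coming *in* via the tunnel interface.
setfib_rule() {
    $RUN ipfw add 100 setfib "$CLIENT_FIB" ip from any to any in via "$VPN_IF"
}

# Verification: the extra FIB must actually carry the client-firewall default
# route, otherwise tunnel traffic silently falls back to FIB 0's gateway.
check_fib_route() {
    netstat -rn -F "$CLIENT_FIB" | grep -q "^default[[:space:]]*$CLIENT_FW"
}

apply() {
    fibs_ok || { echo "net.fibs too small; need at least $((CLIENT_FIB + 1))" >&2; return 1; }
    fib_default_route
    setfib_rule
}
```

Source the file and call `apply` (with `RUN=echo` first to review the commands); `check_fib_route` confirms the route afterwards.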