From: Damien Fleuriot
Date: Wed, 16 Feb 2011 14:45:10 +0100
To: freebsd-pf@freebsd.org
Subject: Re: Questions about PF + Multiple gateways + CARP on a public ip network
Message-ID: <4D5BD4E6.90605@my.gd>
In-Reply-To: <00a401cbcd3d$fe313d10$fa93b730$@com>

On 2/15/11 7:27 PM, kevin wrote:
> I have a generally simplistic question about a potential scenario for a
> FreeBSD PF with multiple gateways/routes.
>
> The backend network would not consist of local or private ip addresses -
> every device will have a public IP. There will be about 7 public subnets
> that will be handled by the freebsd PF gateway.

We've had to address a pretty similar problem not very long ago.

Let's say:

Your PF box has a default gateway Z.Z.Z.Z
Your PF box receives a packet from IP X.X.X.X on IP A.A.A.254 for network A.A.A.A/P and routes it.
Your PF box receives the answer from the A.A.A.A/P network, and routes the packet *through its default gateway* Z.Z.Z.Z

The question is, do you have multiple upstream interconnections?

If you received the packet from another router than Z.Z.Z.Z, you'll still be routing it back through Z.Z.Z.Z => asymmetric routing => BAD

Instead of:
EXTERNAL <===> PF <===> DESTINATION

You'd be looking at:
EXTERNAL ====> PF ====> DESTINATION ====> PF ====> DEFAULTGW ====> EXTERNAL

To work around this problem, we use "reply-to" rules here.
Then depending on what interface the packet arrived on, we route it back through the correct gateway.

The problem with this is as your number of interconnections increases, you have a harder time managing your pf conf.
You basically have a duplicate rule for each interconnection, with just the reply-to parameters changing.

If you have only 1 upstream interconnection, this won't be a problem for you.

I'm not sure there is another approach but if there is, I haven't seen it yet -.-

> What would be the ideal configuration for this scenario? Would I need to
> configure all 7 subnets as persistent routes in rc.conf, and then have a nat
> directive in pf for each subnet as well? I realize this question is
> simplistic in nature, but I have only used pf in a public -> private network
> scenario.

Wait, do you want to route or to NAT?
If you NAT, be aware that your clients on the public networks you serve will only ever see requests coming from *your PF*'s IPs.
I'm pretty sure this is not what you want.

> My concerns are just maintaining this moving forward. As I grow and add more
> public subnets, I want to keep managing and maintaining the configuration
> easy, if possible.
>
> So in rc.conf:
>
> static_routes="net1 net2 net3 net4 net5 net6 net7"
> route_net1="-net b.b.b.b/a.a.a.a.a"
> route_net2="-net c.c.c.c/a.a.a.a.a"
> route_net3="-net d.d.d.d/a.a.a.a.a"
> route_net4="-net e.e.e.e/a.a.a.a.a"
> route_net5="-net f.f.f.f/a.a.a.a.a"
> route_net6="-net g.g.g.g/a.a.a.a.a"
> route_net7="-net h.h.h.h/a.a.a.a.a"
>
> "a.a.a.a" would be the gateway for one of the 7 subnets. Each subnet should
> have its own gateway that this freebsd router can route to from inside >
> outside. Should the freebsd gateway have a gateway ip for each subnet
> itself?
>
> Taking my scenario at face value - what would be the best way to configure the
> PF / Gateway? Keeping in mind that all ips are going to be public ips.

I think it all depends on whether you have multiple upstream connections or not, as I pointed out above.
If you don't, that would be the simplest way indeed.
If you do, I can see the asymmetric routing problem rearing its head...

> If more information is required, please let me know. This is FreeBSD
> 8.0-RELEASE i386.
>
> Thanks!
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
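As an added example that is not part of this thread and not either poster's configuration: the reply above notes that with "reply-to" you end up with one near-identical rule per upstream interconnection, differing only in the interface/gateway pair. A small POSIX sh script can generate those rules from a one-line-per-upstream table, so adding an interconnection means adding one table line instead of copying a rule block. Every interface name, gateway address and served subnet below is a constructed placeholder (RFC 5737 documentation ranges), and `gen_reply_to_rules` and `count_reply_to` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: emit pf.conf "reply-to" rules, one per
# upstream interconnection, from a table of (interface, upstream gateway).
# Each generated rule pins the return half of an inbound connection to the
# upstream it arrived on, instead of letting it follow the default route.

# Constructed sample table, one upstream per line: <interface> <gateway>.
# Interface names and addresses are placeholders, not real infrastructure.
UPSTREAMS='em0 203.0.113.1
em1 198.51.100.1'

# Constructed placeholder list of public subnets served behind the PF box.
SERVED_NETS='192.0.2.0/25, 192.0.2.128/25'

# Print a pf.conf fragment: a macro for the served subnets, then for every
# upstream a "pass in ... reply-to (if gw)" rule so replies to connections
# that entered on that interface are sent back through that interface's
# gateway rather than through the box's default gateway.
gen_reply_to_rules() {
    printf 'served_nets = "{ %s }"\n\n' "$SERVED_NETS"
    printf '%s\n' "$UPSTREAMS" | while read -r ifn gw; do
        # skip blank table lines
        [ -n "$ifn" ] || continue
        printf '# upstream via %s (gateway %s)\n' "$ifn" "$gw"
        printf 'pass in quick on %s reply-to (%s %s) from any to $served_nets keep state\n' \
            "$ifn" "$ifn" "$gw"
        printf '\n'
    done
}

# Sanity check used when reviewing the output: number of reply-to rules
# emitted, which must equal the number of upstreams in the table.
count_reply_to() {
    gen_reply_to_rules | grep -c 'reply-to ('
}

# Stand-alone use: print the fragment to stdout.
gen_reply_to_rules
```

Write the output to a file and check it with `pfctl -nf <file>` (parse only, no load) before including it in the real pf.conf. Note what the rule does and does not cover: `reply-to` only affects the return traffic of states created by that rule, i.e. connections initiated from outside; connections initiated from the served subnets toward the internet still follow the routing table, so the default gateway Z.Z.Z.Z remains in use for those unless a `route-to` policy is added as well.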