5 interfaces, 2 gateways - routing issues - BSD



Thread: 5 interfaces, 2 gateways - routing issues

  1. 5 interfaces, 2 gateways - routing issues

    Hi,

    just took over the task of administrating a corporate network and it
    seems I have now reached the point where I cannot get any further myself.

    old status:
    2 internal networks (sis0, sis2)
    1 wireless network (sis1)
    1 external interface, default gate (fxp0)
    (everything with non local destination gets nat and routed via fxp0)

    new status:
    2 internal networks (sis0, sis2)
    1 wireless network (sis1)
    1 external interface, default gate (fxp0)
    1 external interface (sis3)
    (everything with non local destination gets nat and routed via fxp0,
    except sis0 and sis3,
    everything from sis0 and sis3 with non local destination gets nat and
    routed via sis3)

    How do I do this?

    What did I try:
    Of course I added the interface sis3.
    I tried to add the following to my pf.conf:
    ---snip---
    nat on fxp0 from sis1:network to any -> fxp0
    nat on fxp0 from sis2:network to any -> fxp0
    nat on sis3 from sis0:network to any -> sis3
    #nat on $ext_if from !$ext_if -> $ext_if:0 (old rule)

    pass in quick on sis3 proto tcp to sis3 port $allowed_tcp_ports flags S/SA keep state
    pass in quick on sis3 proto udp to sis3 port $allowed_udp_ports keep state
    ---snip---
    I've also added the route from the internal network sis0 to the
    external interface sis3:
    route add -net $NetOnSis0 $ExternalIp

    What am I missing?

    Thanks in advance,
    Thoralf


  2. Re: 5 interfaces, 2 gateways - routing issues

    Thoralf Will wrote:
    > Hi,
    >
    > just took over the task of administrating a corporate network and it
    > seems I have now reached the point where I cannot get any further myself.
    >
    > old status:
    > 2 internal networks (sis0, sis2)
    > 1 wireless network (sis1)
    > 1 external interface, default gate (fxp0)
    > (everything with non local destination gets nat and routed via fxp0)
    >
    > new status:
    > 2 internal networks (sis0, sis2)
    > 1 wireless network (sis1)
    > 1 external interface, default gate (fxp0)
    > 1 external interface (sis3)
    > (everything with non local destination gets nat and routed via fxp0,
    > except sis0 and sis3,
    > everything from sis0 and sis3 with non local destination gets nat and
    > routed via sis3)
    >
    > How do I do this?


    'Not at all' would probably be the best advice. Do you really want to
    use two outgoing interfaces, one of which is connected to yet another
    internal network?

    > What did I try:
    > Of course I added the interface sis3.
    > I tried to add the following to my pf.conf:
    > ---snip---
    > nat on fxp0 from sis1:network to any -> fxp0
    > nat on fxp0 from sis2:network to any -> fxp0
    > nat on sis3 from sis0:network to any -> sis3


    Shouldn't that be (untested; adding ! , per your description
    above)

    int1_if=sis0
    int2_if=sis2
    wl_if=sis1
    ext1_if=fxp0
    ext2_if=sis3

    local_to_ext1_if=$int2_if $wl_if
    local_to_ext2_if=$int1_if
    table const { $int2_if:network $wl_if:network }
    table const { $int1_if:network }
    table const { $int1_if:network $int2_if:network $wl_if:network }

    nat on $ext1_if from to ! -> $ext1_if
    nat on $ext2_if from to ! -> $ext2_if

    > #nat on $ext_if from !$ext_if -> $ext_if:0 (old rule)
    >
    > pass in quick on sis3 proto tcp to sis3 port $allowed_tcp_ports flags S/SA keep state
    > pass in quick on sis3 proto udp to sis3 port $allowed_udp_ports keep state


    # Separate rules for
    # ...

    # General rules for outgoing traffic; note that 'flags S/SA' is the
    # default as of 4.1.
    pass in quick on { $local_to_ext1_if } proto tcp to ! port \
    { $allowed_outgoing_tcp_ports } keep state
    pass in quick on { $local_to_ext2_if } route-to $ext2_if proto tcp \
    to ! port { $allowed_outgoing_tcp_ports} keep state

    This does not handle the requirement to NAT stuff from the network
    attached to sis3; do you really want to do it that way? It's much
    cleaner just to use one external interface and one interface for the
    network attached to sis3.

    > ---snip---
    > I've also added the route from the internal network sis0 to the
    > external interface sis3:
    > route add -net $NetOnSis0 $ExternalIp


    You don't want to do that (it routes traffic to sis0:network via
    $ExternalIp).

    Joachim
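The layout Joachim sketches, written out as one complete ruleset in the pre-OpenBSD-4.7 pf syntax the thread uses. This is an added example, not the ruleset of either poster. The table names (the angle-bracketed `<...>` names were lost from the quoted reply), the port lists, the `block` policy and the next-hop address on the sis3 side are assumptions; the `reply-to` rule for connections arriving on sis3 is a caveat that is not discussed in the thread but that follows from the default route being on fxp0.

```pf
# Added example; assumes a two-uplink router with the interfaces named in
# the thread. Table names, ports and the sis3 gateway address are made up.
int1_if = "sis0"
int2_if = "sis2"
wl_if   = "sis1"
ext1_if = "fxp0"        # the kernel default route points out here
ext2_if = "sis3"        # second uplink, used only by traffic from $int1_if
ext2_gw = "192.0.2.1"   # assumed next hop reachable via sis3 (placeholder)

allowed_tcp_ports          = "{ 22, 443 }"          # assumed: services on sis3
allowed_outgoing_tcp_ports = "{ 22, 25, 80, 443 }"  # assumed

local_to_ext1_if = "{" $int2_if $wl_if "}"
local_to_ext2_if = $int1_if

table <to_ext1> const { $int2_if:network $wl_if:network }
table <to_ext2> const { $int1_if:network }
table <local>   const { $int1_if:network $int2_if:network $wl_if:network }

# NAT: each group of internal networks is masqueraded behind the uplink it
# is meant to leave through. "to ! <local>" keeps LAN-to-LAN traffic, which
# the router forwards untranslated, out of the NAT rules.
nat on $ext1_if from <to_ext1> to ! <local> -> ($ext1_if)
nat on $ext2_if from <to_ext2> to ! <local> -> ($ext2_if)

# Default deny, so only the rules below open anything.
block log all

# Connections to services the router itself offers on sis3. Without
# reply-to the replies would follow the default route out fxp0 and leave
# with the wrong source address; reply-to pins them to sis3.
pass in quick on $ext2_if reply-to ($ext2_if $ext2_gw) proto tcp \
    to ($ext2_if) port $allowed_tcp_ports keep state

# Outgoing traffic. sis2 and sis1 simply follow the default route; sis0 is
# forced out via sis3 with route-to, which replaces the static
# "route add -net $NetOnSis0 $ExternalIp" from the question.
pass in quick on $local_to_ext1_if proto tcp to ! <local> \
    port $allowed_outgoing_tcp_ports keep state
pass in quick on $local_to_ext2_if route-to ($ext2_if $ext2_gw) proto tcp \
    to ! <local> port $allowed_outgoing_tcp_ports keep state

# Let the forwarded (and the router's own) packets leave either uplink.
pass out quick on { $ext1_if $ext2_if } keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, and confirm the states with `pfctl -ss` after a test connection from each network. On OpenBSD 4.7 and later the `nat on ... ->` lines are written as `match out on $ext1_if from <to_ext1> to ! <local> nat-to ($ext1_if)` instead; the route-to and reply-to parts are unchanged.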
