Date:      Wed, 24 Sep 2014 16:18:13 +0200
From:      Oliver Peter <lists@peter.de.com>
To:        "Nagle, Edwin (James)" <Edwin.Nagle@austinenergy.com>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: Source based routing
Message-ID:  <20140924141813.GA14170@mail.opdns.de>
In-Reply-To: <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>
References:  <27DBC528FBF8094FA7247CC9A0A5C85F02A6A1FE@AE-PEXCH02.aenetad.net>



On Wed, Sep 24, 2014 at 01:35:53PM +0000, Nagle, Edwin (James) wrote:
> Hi all,
>
> I'm trying to accomplish something that I think should be pretty simple,
> but cannot figure out how to do...  Here is my scenario:
>
> I am building a remote access server which will accept ssh connections on
> three private IP addresses in the same subnet.  The users coming in will
> need to have their IP sourced from the same IP as they arrived on because
> current infrastructure is in place to firewall and segment those
> connections to prevent unauthorized access to assets.  Incoming access
> will be controlled by radius based on IP address.  Outbound traffic will
> be controlled via an external firewall based on IP address (thus the need
> to lock users to the IP address they arrive on).
>
> The server has four interfaces configured, the physical interface (bce0)
> and three virtual (tap0, tap1, tap2).
>
> I have rebuilt my kernel to allow NAT in PF as well as multiple routing
> tables.  I found a good article which describes source based routing with
> multiple routing tables but I think my problem stems from having all the
> IP addresses on the same network subnet.  I have successfully been able
> to have the outbound NAT to a single IP but I'm still unclear on how PF
> works so I'm basically mucking around trying to find something that works
> (please forgive my ignorance):
>
> My current pf.conf:
>
> nat on ! tap0 from any to any port ssh -> 10.1.9.59
> nat on ! tap1 from any to any port ssh -> 10.1.9.60
> nat on ! tap2 from any to any port ssh -> 10.1.9.61
>
> All outbound traffic now translates to 10.1.9.59 regardless of which IP I
> arrived on.  I need to basically match the incoming IP and nat outbound
> TCP 22 traffic across the same IP.
>
> Anyone have any ideas or suggestions as to how to accomplish this?

Check out the Routing section in pf.conf and give 'route-to' a try;
an example for outgoing traffic could be:

        pass out log quick on $ext_if route-to tap0 from (tap0:network) to any port ssh


-- 
Oliver PETER       oliver@gfuzz.de       0x456D688F
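The following pf.conf fragment is an added example, not part of Oliver's reply or Edwin's configuration. It writes Oliver's route-to idea out for all three tap interfaces Edwin listed and pairs each with a reply-to rule on the inbound side, so that replies to a session that arrived on 10.1.9.60 leave through tap1 instead of following the default route out bce0. The interface names and 10.1.9.x addresses come from the thread; $ext_if and the $gw next-hop address are assumptions that must be replaced with the real values. One caveat pf cannot remove: route-to only steers packets that already carry a given source address, so an outbound ssh session the server itself originates must already be bound to the tap address for the matching rule to fire.

```pf
# Added example (not from the thread): per-interface route-to / reply-to
# rules for a host with three addresses in one subnet.
# tap0-2, bce0 and 10.1.9.59-61 are from Edwin's message;
# $gw is an ASSUMED placeholder for the subnet's next-hop router.
ext_if = "bce0"
gw     = "10.1.9.1"   # assumption: replace with the real gateway

# Inbound ssh: keep reply traffic on the interface the session arrived on
# rather than letting the default route push it out $ext_if.
pass in quick on tap0 reply-to (tap0 $gw) proto tcp from any to 10.1.9.59 port ssh
pass in quick on tap1 reply-to (tap1 $gw) proto tcp from any to 10.1.9.60 port ssh
pass in quick on tap2 reply-to (tap2 $gw) proto tcp from any to 10.1.9.61 port ssh

# Outbound ssh: a packet already sourced from a tap address leaves via that tap.
# 'log' sends matches to pflog0 so the chosen path can be verified.
pass out log quick on $ext_if route-to (tap0 $gw) proto tcp from 10.1.9.59 to any port ssh
pass out log quick on $ext_if route-to (tap1 $gw) proto tcp from 10.1.9.60 to any port ssh
pass out log quick on $ext_if route-to (tap2 $gw) proto tcp from 10.1.9.61 to any port ssh
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then confirm the behaviour by watching the state table with `pfctl -ss` while a session is open and the logged rules with `tcpdump -n -e -ttt -i pflog0`; a session entering on tap1 should show its reply packets leaving on tap1, not bce0.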



