AskOBSDJ: Routing for IP aliases in different subnets

Contributed by Dengue on 2004-01-18 from the natsturbation dept.

Tom Carpenter writes : "I'm building up a system to run OpenBSD v3.4 and act as a NAT gateway for multiple private network (RFC 1918) subnets. There is one internal interface configured with three private addresses: aaa.aaa.aaa.aaa, ddd.ddd.ddd.ddd, and ggg.ggg.ggg.ggg. There is one external interface configured with three public addresses: bbb.bbb.bbb.bbb, eee.eee.eee.eee, hhh.hhh.hhh.hhh; the public networks all share the same wire. The private addresses are NATed to public addresses as follows:
aaa.aaa.aaa.aaa --> bbb.bbb.bbb.bbb ddd.ddd.ddd.ddd --> eee.eee.eee.eee ggg.ggg.ggg.ggg --> hhh.hhh.hhh.hhh bbb.bbb.bbb.bbb should use gateway ccc.ccc.ccc.ccc eee.eee.eee.eee should use gateway fff.fff.fff.fff hhh.hhh.hhh.hhh should use gateway iii.iii.iii.iii.
The question is, how do I ensure that traffic from bbb.bbb.bbb.bbb, destined for addresses outside of the subnet bbb.bbb.bbb.bbb is in, is sent to ccc.ccc.ccc.ccc (ibid eee.eee.eee.eee --> fff.fff.fff.fff AND hhh.hhh.hhh.hhh --> iii.iii.iii.iii)? Is this a job for the "route-to" option in pf or do I need to run something like routed, gated, or the like?
-Tom C."

This makes me shudder at the thought of troubleshooting this setup. Any help for Tom out there?

(Comments are closed)

Comments

By Christopher Kruslicky () on 2004-01-18 11:58

I'm not sure if route-to works within nat rules, and if not whether tagging would be quicker than matching the nat'd address... but I don't really see how adding dynamic routing into the mix would help, since you want the next-hop to be based on source not destination IP.
Comments
1. By Anonymous Coward () on 2004-01-19 00:02
  
  While I'm sure it's somehow possible, something tells me that you should invest in a few more NIC's, switches, and cables!
  
  As another commentor has already noted, troubleshooting this would be a nightmare - much better to use 6 NIC's.
By Daniel () on 2004-01-18 18:00

I use a similar setup to load balance/split 3 ADSL connections.

Rather than extra network cards - a good switch with VLAN tagging support allows use of a single (or at least fewer) physical NIC and logical vlan0,... (need to be compiled in the kernel)

=== pf.conf
neta = aaa.aaa.aaa/24
neta_nat = bbb.bbb.bbb.bbb
neta_gw = ccc.ccc.ccc.ccc
netd = ddd.ddd.ddd/24
netd_nat = eee.eee.eee.eee
netd_gw = fff.fff.fff.fff
netg = ggg.ggg.ggg/24
netg_nat = hhh.hhh.hhh.hhh
netg_gw = ggg.ggg.ggg.ggg

table = { $neta $netd $netg }
int_if = fxp0
ext_if = fxp1

nat on $ext_if from $neta -> $neta_nat
nat on $ext_if from $netd -> $netd_nat
nat on $ext_if from $netg -> $netg_nat
pass in on $int_if route-to ($ext_if $neta_gw)
from $neta to ! keep state
pass in on $int_if route-to ($ext_if $netd_gw)
from $netd to ! keep state
pass in on $int_if route-to ($ext_if $netg_gw)
from $netg to ! keep state

=== note
if you use rdr or binat for a host on the LAN to be accessed from external, you will need to also use reply-to rules
Comments
1. By Daniel () on 2004-01-18 20:53
  
  the table names in my last post were removed in 4 lines (i should have selected HTML?)
  
  in the following, replace X with 'less than', Y with 'greater than'
  
  table Xlan_netsY = { ...
  ...
  from $neta to ! Xlan_netsY keep state
  
  netg_gw = iii.iii.iii.iii
By Daniel Tams () dantams at sdf-eu.org on 2004-01-19 03:42 mailto:dantams at sdf-eu.org

You might want to take a look at the example given in the pf FAQ http://openbsd.org/faq/pf/pools.html
By Matt Van Mater () on 2004-01-19 13:26

I agree with some other people that the least complicated way to do this would be to have 6 nics in the box and be done with it (much less complexity and troubleshooting). If you're doing this for gee whiz lets see if i can do it that is another thing...

My question is this, does obsd have any support for those nifty multi-nic cards? I'm talking about the PCI nics that have 4 1/100 ports built into them. Using these quad nic cards you could really make a hell of a gateway box and implement a fairly complex network. I know they're a little off the wall hardware wise and I haven't heard if they're supported or not.
Comments
1. By Anonymous Coward () on 2004-01-20 08:08
  
  They're not really off the wall, just a PCI bridge and a couple of ethernet. I haven't personally seen 4-port operating, but 2-port fxp are working fine. As long as the bridge and ethernet chips are supported there should be no trouble.
2. By Alexander Grekhov () grekhov@wgukraine.com on 2004-01-20 08:35 mailto:grekhov@wgukraine.com
  
  I agree with some other people that the least complicated way to do this would be to have 6 nics in the box and be done with it (much less complexity and troubleshooting)
  Frankly I do not see how using VLANs instead of physical interfaces makes things more complicated. Your interfaces will be just named differently, that's all. As long as you know what you are doing you should be fine.
  Now, if more bandwith between the internal LANs is needed, that's where I can justify using extra physical interfaces.
3. By Sedat Doğru () sdogru on 2004-01-20 09:42 mailto:sdogru
  
  Yes, OpenBSD has support for multi-nic cards. We have an UltraSparc II with a NIC with five ports. The Sparc is working as a firewall, currently using only three NICs. And the installation is quite simple: you just install OpenBSD and it is done.
4. By Anonymous Coward () on 2004-01-21 08:38
  
  I've used quad fxps in a firewall implementation. OpenBSD 2.8 I think. Works great.
  Comments
  1. By Anonymous Coward () on 2004-01-21 10:48
    
    2.8??? Isn't it about time to upgrade?
    
    2.8 is well before the (in)famous ssh hole, so you're still vulnerable, unless ssh is disabled of course.
    
    Comments
    
    By Anonymous Coward () on 2004-01-22 18:17
    
    "I've _used_ (..)"

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]