I've been running OpenBSD's pf firewall for a while but I don't know how to do something, or even if it's possible.
Basically, here's the deal: I have dual internet connections. I want some traffic to go through one, and some to go through the other. For example, I want all traffic that goes to IP address 100.100.100.100 to go through axe0, and the rest of the traffic to go through bge0.
You're probably right. I'm a sys admin not a network admin so the finer details of networking escape me. :c)
It seems like changing the routing table would work for the OpenBSD box, but I think pf would be required for making the change on the rest of the clients, right? Some sort of match command like:
Code:
match out on egress inet from !(egress:network) to 100.100.100.100 nat-to axe0
OK, you have now changed the question.
On a server, you specify what NIC will handle traffic for a particular subnet using a change in the routing table (use 'route', or the route options in 'ip').
Now tell us about these "clients" of which you speak.
(BTW: every network admin should study the basic network settings in the operating systems they support, and every system admin should study the basics of TCP/IP networking. We all end up deep into both for much of our careers.)
Well... a firewall usually isn't all by itself. The clients would be the other computers on the network that are using the OpenBSD firewall to access the internet. I want their traffic to 100.100.100.100 to go through one internet connection (on axe0) and all other traffic to go through bge0. Does that clear things up?
(I do pretty well with layer 2 stuff, it's the layer 3 stuff that stumps me.)
I see, you are not using pf alone on this, it is acting as firewall to your network.
Since I do not use pf myself, I cannot be certain, but I believe that if you make it route all traffic to that subnet through that interface it should work for all traffic that comes through the machine. A network router should take care of the external routing without the internal hosts needing to be aware of the issue at all.
I'd pore over pf.conf(5) as well as the networking and PF parts of the FAQ. Remember that PF is last-match so general rules would come first. My guess:
Code:
match out on egress inet from !(egress:network) to any nat-to bge0
match out on egress inet from !(egress:network) to 100.100.100.100 nat-to axe0
Edit: if both interfaces are actually in the egress group... Otherwise, you may have to name the source network(s) explicitly instead of !(egress:network).
Last edited by Turbocapitalist; 03-29-2017 at 12:56 PM.
With OpenBSD, there are three ways to manage multiple ISP connections.
Equal Cost Multipath Routing (ECMP). Provisioning guidance is included in the OpenBSD FAQ.
Directed Routing. You can simply allocate portions of the Internet between your two ISPs with routing table entries as discussed previously in this thread. But a much more common practice is to use PF's route-to directive on pass rules, as described in the Routing section of the pf.conf(5) manual.
A third way would be to use multiple routers in combination with the Common Address Redundancy Protocol (CARP). There is an introduction to carp(4) in the PF User's Guide.
Last edited by jggimi; 03-29-2017 at 01:31 PM.
Reason: clarity
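As an added worked example (not code from the thread or from the OpenBSD project), here is a pf.conf fragment that combines the per-interface nat-to rules from Turbocapitalist's post with the route-to-on-pass-rules approach jggimi describes, so LAN clients reach 100.100.100.100 via axe0 and everything else via bge0 without depending on the kernel routing table. The LAN interface, LAN subnet and both ISP gateway addresses are assumed placeholders; the route-to syntax is the `(interface gateway)` form documented in pf.conf(5) for releases of the thread's era, and newer releases changed that syntax, so check pf.conf(5) for the release you run.

```pf
# Added example, not from the thread. Interface names and the
# 100.100.100.100 address come from the thread; everything marked
# "assumed" is a placeholder to replace with your own values.
int_if  = "em0"              # assumed LAN-facing interface
lan_net = "192.168.1.0/24"   # assumed LAN subnet
isp1_if = "bge0"             # default ISP link (from the thread)
isp1_gw = "203.0.113.1"      # assumed next hop on bge0
isp2_if = "axe0"             # link used only for the special host
isp2_gw = "198.51.100.1"     # assumed next hop on axe0
special = "100.100.100.100"

set skip on lo

# NAT on whichever ISP link the packet actually leaves on. route-to on
# the inbound rule picks the outbound interface before these outbound
# match rules are evaluated, so each nat-to applies only to its own link.
match out on $isp1_if inet from $lan_net nat-to ($isp1_if)
match out on $isp2_if inet from $lan_net nat-to ($isp2_if)

block log all

# LAN clients talking to the firewall itself, and replies back into the LAN.
pass in quick on $int_if inet from $lan_net to $int_if
pass out on $int_if inet from any to $lan_net

# The exception goes first with "quick" so it wins despite last-match:
# traffic for the special host is forced out axe0 via its gateway.
pass in quick on $int_if inet from $lan_net to $special \
    route-to ($isp2_if $isp2_gw)

# Everything else from the LAN is forced out bge0 via its gateway.
pass in on $int_if inet from $lan_net to any \
    route-to ($isp1_if $isp1_gw)

# Let the routed packets leave, and keep traffic sourced from each ISP
# address on its own link (the "cross" rules from the OpenBSD FAQ pattern).
pass out on $isp1_if inet from any to any
pass out on $isp2_if inet from any to any
pass out on $isp1_if route-to ($isp2_if $isp2_gw) from $isp2_if to any
pass out on $isp2_if route-to ($isp1_if $isp1_gw) from $isp1_if to any
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm the chosen path with `pfctl -ss` (look for the state's route-to interface) or `tcpdump -ni axe0 host 100.100.100.100` while a LAN client connects.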