LinuxQuestions.org


linuxpyro 02-16-2006 06:22 PM

PF, two Internet connections, and servers
 
I have two network connections in my dorm room, and would like to set up my OpenBSD router to use them both (the box has three NICs). I would like most of my traffic to be routed through one of the connections, and use the other for my Webserver. Here is a copy of my pf.conf I have been playing around with for this:

Code:

# macros
int_if = "rl0"
ext_if1 = "dc0"
ext_if2 = "rl1"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

webserver = "192.168.2.1"
desktop = "192.168.2.3"

# options
set block-policy drop
set loginterface $ext_if1

# scrub
scrub in all

# nat/rdr
# Translation is applied before filtering: the filter rules below see the
# rewritten (internal) destination address, not the external one.
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
  port 8021
rdr on $ext_if2 proto tcp from any to ($ext_if2) port 80 -> $webserver
rdr pass on $ext_if1 proto { tcp, udp } from any to ($ext_if1) port 7500 -> $desktop
rdr on $ext_if1 proto tcp from any to ($ext_if1) port 6881 -> $desktop
rdr on $ext_if1 proto tcp from any to ($ext_if1) port 5190 -> $desktop

# filter rules
block all

pass quick on lo0 all

block drop in on $ext_if1 from $priv_nets to any
block drop out on $ext_if1 from any to $priv_nets

block drop in on $ext_if2 from $priv_nets to any
block drop out on $ext_if2 from any to $priv_nets

pass in on $ext_if1 inet proto tcp from any to ($ext_if1) \
  port $tcp_services flags S/SA keep state

#############
#Pass rules for forwarded ports.

#pass in on $ext_if1 proto tcp from any to $webserver port 80 \
#  flags S/SA synproxy state

# By the time this rule is evaluated the rdr above has already changed the
# destination to $webserver, so "to ($ext_if2)" never matches and the
# redirected connections fall through to "block all".
pass in on $ext_if2 proto tcp from any to ($ext_if2) port 80 \
  flags S/SA synproxy state

# The "rdr pass" rule above already admits port 7500; "$int_if" here expands
# to the router's own rl0 address, not to $desktop.
pass in on $ext_if1 proto tcp from any to $int_if port 7500 \
  flags S/SA synproxy state

pass in on $ext_if1 proto udp from any to $int_if port 7500

# Same issue as port 80: after rdr the destination is $desktop, not ($ext_if1).
pass in on $ext_if1 proto tcp from any to ($ext_if1) port 5190 \
  flags S/SA synproxy state

pass in on $ext_if1 proto tcp from any to ($ext_if1) port 6881 \
  flags S/SA synproxy state

# Active-mode FTP data connections handled by ftp-proxy (runs as user "proxy").
pass in on $ext_if1 inet proto tcp from port 20 to ($ext_if1) \
  user proxy flags S/SA keep state

############

#Let's let OpenVPN traffic through...
pass quick on tun0

############

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if1 proto tcp all modulate state flags S/SA
pass out on $ext_if1 proto { tcp, udp, icmp } all keep state

pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto { tcp, udp, icmp } all keep state

Basically, I would like to route my Web surfing traffic from my desktop and other general Internet access out through ext_if1, and forward port 80 from ext_if2 to my Webserver. With this pf.conf, I can access the Internet fine through ext_if1, but I am not able to actually forward port 80 from ext_if2 to my Webserver. Any ideas?

linuxpyro 02-22-2006 01:05 PM

OK, I got it to work. Here is my new pf.conf:

Code:

# macros
int_if = "rl0"
ext_if1 = "dc0"
ext_if2 = "rl1"

tcp_services = "{ 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

webserver = "192.168.2.1"
desktop = "192.168.2.3"

# options
set block-policy drop
set loginterface $ext_if1

# scrub
scrub in all

# nat/rdr
# Translation is applied before filtering: the filter rules below see the
# rewritten (internal) destination address, not the external one.
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
  port 8021
rdr on $ext_if2 proto tcp from any to ($ext_if2) port 80 -> $webserver
rdr pass on $ext_if1 proto { tcp, udp } from any to ($ext_if1) port 7500 -> $desktop
rdr on $ext_if1 proto tcp from any to ($ext_if1) port 6881 -> $desktop
rdr on $ext_if1 proto tcp from any to ($ext_if1) port 5190 -> $desktop

# filter rules
block all

pass quick on lo0 all

block drop in on $ext_if1 from $priv_nets to any
block drop out on $ext_if1 from any to $priv_nets

block drop in on $ext_if2 from $priv_nets to any
block drop out on $ext_if2 from any to $priv_nets

pass in on $ext_if1 inet proto tcp from any to ($ext_if1) \
  port $tcp_services flags S/SA keep state

#############
#Pass rules for forwarded ports.

# "to any" matches the translated destination ($webserver), which is why this
# now works. Naming it ("to $webserver port 80") would be tighter: it would not
# also pass transit traffic arriving on $ext_if2 for other port 80 destinations.
pass in quick on $ext_if2 proto tcp from any to any port 80 \
  flags S/SA modulate state

# The "rdr pass" rule above already admits port 7500; "$int_if" here expands
# to the router's own rl0 address, not to $desktop.
pass in on $ext_if1 proto tcp from any to $int_if port 7500 \
  flags S/SA synproxy state

pass in on $ext_if1 proto udp from any to $int_if port 7500

# These must also name the post-rdr destination ($desktop); with
# "to ($ext_if1)" they would never match, for the same reason as port 80.
pass in on $ext_if1 proto tcp from any to $desktop port 5190 \
  flags S/SA synproxy state

pass in on $ext_if1 proto tcp from any to $desktop port 6881 \
  flags S/SA synproxy state

# Active-mode FTP data connections handled by ftp-proxy (runs as user "proxy").
pass in on $ext_if1 inet proto tcp from port 20 to ($ext_if1) \
  user proxy flags S/SA keep state

############

#Let's let OpenVPN traffic through...
pass quick on tun0

############

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if1 proto { tcp, udp, icmp } from any to any flags S/SA modulate state

pass out on $ext_if2 proto { tcp, udp, icmp } from any to any flags S/SA modulate state
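To make the difference between the first and second pf.conf concrete, here is an added toy model of PF's rdr-before-filter evaluation (this is not code from the thread or from OpenBSD; the rl1 address and the "transit" packet are constructed). It shows why "to ($ext_if2) port 80" never matches a redirected connection, why "to any port 80" does, and that naming $webserver as the destination is tighter still.

```python
from collections import namedtuple

# Constructed addresses standing in for the thread's macros (rl1's own address is assumed).
EXT_IF2 = "10.0.2.2"        # address on rl1 ($ext_if2)
WEBSERVER = "192.168.2.1"   # $webserver

Packet = namedtuple("Packet", "iface proto dst dport")
# A None field means "any"; quick stops evaluation at the first matching rule.
Rule = namedtuple("Rule", "action iface proto dst dport quick",
                  defaults=(None, None, None, None, False))

def matches(rule, pkt):
    return all(want is None or want == got for want, got in (
        (rule.iface, pkt.iface), (rule.proto, pkt.proto),
        (rule.dst, pkt.dst), (rule.dport, pkt.dport)))

# rdr table, first match wins: (iface, proto, dst, dport) -> translated destination.
RDR = [(("rl1", "tcp", EXT_IF2, 80), WEBSERVER)]

def apply_rdr(pkt):
    # Translation runs before the filter, so filter rules see the rewritten destination.
    for key, new_dst in RDR:
        if key == (pkt.iface, pkt.proto, pkt.dst, pkt.dport):
            return pkt._replace(dst=new_dst)
    return pkt

def evaluate(pkt, rules):
    # Filter semantics: last matching rule wins, unless a matching rule is "quick".
    pkt = apply_rdr(pkt)
    verdict = "block"
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict

BLOCK_ALL = Rule("block")
# First post: "to ($ext_if2) port 80" keys on the pre-rdr address and never matches.
BROKEN = [BLOCK_ALL, Rule("pass", "rl1", "tcp", EXT_IF2, 80)]
# Second post: "quick ... to any port 80" matches whatever destination rdr produced.
FIXED = [BLOCK_ALL, Rule("pass", "rl1", "tcp", None, 80, True)]
# Tighter alternative: name the translated destination so unrelated port-80 traffic stays blocked.
STRICT = [BLOCK_ALL, Rule("pass", "rl1", "tcp", WEBSERVER, 80)]

INBOUND_HTTP = Packet("rl1", "tcp", EXT_IF2, 80)         # a client hitting the rl1 address
TRANSIT_HTTP = Packet("rl1", "tcp", "198.51.100.7", 80)  # constructed; matched by no rdr
```

The model ignores routing: with two uplinks, replies to connections that arrived on $ext_if2 still follow the routing table, which is what PF's reply-to option is for if $ext_if1 holds the default route.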
