
Re: pf bridging redirection



Hello,

Your problem is one that can be solved by throwing hardware at the problem, even though there might be a more elegant way to do it (if I knew that, I'd tell you). First I'll tell you what I have set up, and you can see if this approach will work for you.

My physical layout looks like this:

                 [GW]
                   |
          ==================
          |     switch     |
          ==================
            |            |
          ========================
          | if0  |    bridge0    |
          | IP A | (if1 if2 if3) |
          ========================
                         |
                ==================
                |     switch     |
                ==================
                  |           |
               =======     =======
               |IP B |     |IP C |
               =======     =======


pf rules:
rdr inet proto tcp from any to (if0) port = 80 -> { IP B, IP C } port 80 round-robin

Incoming traffic goes to IP A first, which is not included in bridge0.  It hits PF's redirection rules, which rewrite the dst header in the IP packet, then forwards the packet back out on if0 (since it wants to route it to the closest-matching network interface).  Since it's forwarding the packet, OpenBSD uses ARP to find the destination MAC address and updates it accordingly.  The packet hits the switch, then heads into bridge0 and to the final destination.

When the destination host responds, it will ARP for the gateway, get the gateway's MAC address, and send the frame.  Since it travels through the bridge, PF will see it again, match TCP state, and rewrite the IP information before passing it along to the gateway.

In your case, you could add another 10BaseT card, assign a third IP to it, and redirect all incoming traffic to that virtual IP address as you see fit.

Jon


Steve R wrote:

Okay I drew a nice little picture for this, and put up a page but it's hosted
@home so I don't want to get slaughtered so I'll type it all here.


My Gateway
IP: 1.1.1.1
MAC: 11:11:11:11:11:11

connects via 10mbps to my OpenBSD box.

OpenBSD
NO IP:
Multihomed
MAC 1: AA:AA:AA:AA:AA:AA
MAC 2: BB:BB:BB:BB:BB:BB

connects to a hub, which connects

Linux Debian
IP: 1.1.1.2
MAC: 22:22:22:22:22:22

Windows 2000
IP: 1.1.1.3
MAC: 33:33:33:33:33:33

The important thing here is that OBSD is NOT Routing between networks,
I don't have two networks to route between, unless I go with NAT.
Please keep an open mind, NAT is NOT what I want, so please don't suggest it.
The OpenBSD system is running OBSD 3.4 with pf.


Anyway so basically my OpenBSD machine is a bridge, and pf filters packets out
transparently, and all is well and good. Except that I would like to use the redirection
features of pf.


The main goal of this is that 1.1.1.2 is a live IP that has my domain hosted on it. I'd like
to cut up the services offered by it to some windows, some linux. But still have each their own
public ip address, so that there can be overlap, hence NAT won't work.


I'll give you an example, let's say someone wants to ssh to my system, they could go
ssh 1.1.1.2 anywhere on the net, and it would connect them, if my pf rules allowed it.
Let's say my domain points to the windows machine, so domain.com -> 1.1.1.3. I'd like
to have ssh domain.com take you to 1.1.1.2 anyway, but everything else to send you to
the windows machine.


So something like this would work,
rdr pass on ep0 proto tcp from any to 1.1.1.3 port 22 -> 1.1.1.2 port 22
And actually it does work, in 98% of cases, and kudos to the pf man page, and the pf
HOWTO, and all the people who told me to go read it, when it didn't work.


However THIS DOESN'T work, when you make the connection the target machine never
answers. After much aggravation, and getting told to read the manual again and again, it hit me.
It is working, it's working perfectly. When I send the packet in, it gets rewritten and sent back out.
EXCEPT that because my OBSD box is a bridge and not a router, the MAC address needs to
be changed too, because my Gateway sent the packet to the Windows Machine's MAC, not even
my gateway. I have verified this with tcpdump's ether host filter.


Unfortunately I need something like this,

// rdr pass on ep0 proto tcp from any to 1.1.1.3 port 22 -> 1.1.1.2 port 22 dst ether 33:33:33:33:33:33

This seems to be a pipe dream however, http://archives.neohapsis.com/archives/openbsd/2002-06/0513.html
One of the reasons NAT won't work is that they both are SMTP, and DNS servers, that and there is already
an internal network to communicate on, but I need to keep these machines public.


Steve
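The following is an added example, not code from either message: a small Python model of the two paths the thread contrasts. Steve's diagnosis (pf's rdr rewrites the IP header, but on a bridge the frame keeps the dst MAC the gateway chose, so the wrong host picks it up and its IP stack drops it) and Jon's fix (address the traffic to an IP the OpenBSD box itself owns, so the redirected packet is routed back out and the kernel ARPs for the new destination, which is what rewrites the dst MAC). Hosts use Steve's 1.1.1.x values; the third IP 1.1.1.4 and MAC CC:CC:CC:CC:CC:CC for Jon's suggested extra card are assumptions. The model omits ARP caching and the TCP handshake.

```python
"""Model of pf rdr on a bridge vs. on a routed interface (added example)."""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Dict, Tuple

# Hosts from the thread; "obsd" is the assumed extra card from Jon's suggestion.
HOSTS: Dict[str, Tuple[str, str]] = {
    "gateway": ("1.1.1.1", "11:11:11:11:11:11"),
    "linux":   ("1.1.1.2", "22:22:22:22:22:22"),
    "windows": ("1.1.1.3", "33:33:33:33:33:33"),
    "obsd":    ("1.1.1.4", "CC:CC:CC:CC:CC:CC"),   # assumed third IP / NIC
}
IP_TO_MAC = {ip: mac for ip, mac in HOSTS.values()}     # stands in for ARP
MAC_TO_HOST = {mac: name for name, (_, mac) in HOSTS.items()}


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    dport: int


# rdr table, (dst_ip, dport) -> (new_dst_ip, new_dport).  The first entry is
# Steve's "to 1.1.1.3 port 22 -> 1.1.1.2 port 22"; the second is the same
# rule applied to the box's own (assumed) IP, as Jon proposes.
RDR = {
    ("1.1.1.3", 22): ("1.1.1.2", 22),
    ("1.1.1.4", 22): ("1.1.1.2", 22),
}


def pf_rdr(frame: Frame) -> Frame:
    """What pf does: rewrite the IP header only; Ethernet is untouched."""
    target = RDR.get((frame.dst_ip, frame.dport))
    if target is None:
        return frame
    return replace(frame, dst_ip=target[0], dport=target[1])


def deliver(frame: Frame) -> Tuple[str, bool]:
    """Which host takes the frame off the wire (by dst MAC), and whether its
    IP stack accepts it (the dst IP must be one of its own)."""
    host = MAC_TO_HOST.get(frame.dst_mac, "nobody")
    accepted = host != "nobody" and HOSTS[host][0] == frame.dst_ip
    return host, accepted


def bridge_path(frame: Frame) -> Tuple[str, bool]:
    """Steve's setup: pf on a bridge.  Layer 3 is rewritten, the frame is
    then bridged with the dst MAC the gateway already put on it."""
    return deliver(pf_rdr(frame))


def routed_path(frame: Frame) -> Tuple[str, bool]:
    """Jon's setup: the packet is addressed to an IP the OpenBSD box owns,
    so after rdr it is routed back out.  Routing means a fresh ARP lookup
    for the new dst IP, and that lookup is what changes the dst MAC."""
    redirected = pf_rdr(frame)
    new_mac = IP_TO_MAC[redirected.dst_ip]    # ARP reply for 1.1.1.2
    return deliver(replace(redirected, dst_mac=new_mac))


def demo() -> Dict[str, Tuple[str, bool]]:
    """Constructed client 5.6.7.8 arriving via the gateway's MAC."""
    gw_mac = HOSTS["gateway"][1]
    return {
        # The 98% case: no rdr match, frame goes where the MAC says.
        "bridge_http": bridge_path(Frame(HOSTS["windows"][1], gw_mac, "5.6.7.8", "1.1.1.3", 80)),
        # The broken case: IP rewritten to 1.1.1.2, MAC still the Windows box.
        "bridge_ssh":  bridge_path(Frame(HOSTS["windows"][1], gw_mac, "5.6.7.8", "1.1.1.3", 22)),
        # Jon's fix: traffic aimed at the box's own IP is routed after rdr.
        "routed_ssh":  routed_path(Frame(HOSTS["obsd"][1], gw_mac, "5.6.7.8", "1.1.1.4", 22)),
    }


if __name__ == "__main__":
    for name, (host, ok) in demo().items():
        print(f"{name:12s} -> reaches {host:8s} accepted={ok}")
```

Running it shows the bridged ssh frame landing on the Windows host, which discards it because the rewritten dst IP is not its own, while the routed variant reaches the Linux host; that is exactly the "working perfectly, but on the wrong host" behaviour tcpdump's ether host filter exposed.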


