
Re: pf/nat question: Two internet connections - separating outgoing packets per port number?



Should be completely doable. I just suspect you're going to have to use somewhat different config statements. :-)

I do something very similar where my default route is out my T-1, which is where I want all the important traffic to go. However, I want my bittorrent sessions to go across a cable modem I also have. The statements of greatest interest from my config are:

nat on $pt_ext_if from $int_addr to any -> $pt_ext_addr
nat on $cox_ext_if from $int_addr to any -> $cox_ext_addr

pass in on $int_if route-to ($cox_ext_if $cox_ext_gw) proto tcp from $torrent_client \
to any port 6881:6889 keep state


In other words, depend on kernel routing for the default cases, NAT appropriately on all the external interfaces, and then use "route-to" on anything you want to do policy routing on as it arrives on the internal interface. Making that routing determination as it leaves the external interface is a touch late.

That should give you enough to get started.

[For people reading along in detail, yes I know that doesn't catch all bittorrent connections. It gets enough of them for me. I welcome suggestions on improvements. :-) ]

--Jon Radel
jon_(_at_)_radel_(_dot_)_com

Rickard Borgmäster wrote:
Hi,

This issue has for sure been discussed a few times. Didn't find anything
in the archives matching my exact question though.

This is the case:

A friend of mine, living in a dorm room with 10Mbit half-duplex internet
access. Since the connection is half duplex, it isn't a good idea to play
<whatever online shoot-em-up game> while downloading a huge file on FTP.
His neighbor, in the room next to his, also a frequent gamer, thought that
there must be a solution. So they asked me if I knew of any.

What I thought of, is if it would be possible to utilise both of their
Internet connections. Using one for online gaming, and the other for
<the rest>. Example:

OpenBSD FW with 3 interfaces:
ext0 -> Internet Connection 1
ext1 -> Internet Connection 2
int0 -> Internal network with NAT

If we then assume that <whatever online game> connects to port 5000 on the
game server, the pf nat rules could look like this:

nat on ext0 from 192.168.0.0/24 to any port 5000 -> ($ext0_ip)
nat on ext1 from 192.168.0.0/24 to any -> ($ext1_ip)

The hour is a bit late, but to me this seems fine. If the destination port
is 5000, put out the packet using ext0 (using ext0 ip as sender), else use
ext1 (using ext1 ip as sender). Both of these connections use the same
router (as it is a dorm LAN), so only one default gateway would need to be
set in the OpenBSD configuration.

What do you think of this? Could it work or am I going to spend my time
with something undoable trying to set this up?
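Jon's "route-to as it arrives on the internal interface" approach, applied to the ext0/ext1/int0 layout from the quoted question, as an added example that is not from either poster. The device names, the ext0 gateway address, the game port, and the use of both tcp and udp for the game are assumptions; the syntax is the same older nat/route-to form used in the thread.

```pf
# Added example, not from the original thread: Jon's "route-to on the internal
# interface" approach applied to Rickard's three-interface layout.
# Device names, the ext0 gateway address and the game port are assumptions.
ext0 = "fxp0"                 # Internet connection 1: online gaming
ext1 = "fxp1"                 # Internet connection 2: everything else (default route)
int0 = "fxp2"                 # internal LAN
int_net = "192.168.0.0/24"
ext0_gw = "10.0.0.1"          # assumed: gateway reachable through ext0
game_port = "5000"            # assumed: port the game server listens on

# NAT on every external interface. The kernel's routing table decides which
# interface a packet leaves on; pf only rewrites the source address to match.
nat on $ext0 from $int_net to any -> ($ext0)
nat on $ext1 from $int_net to any -> ($ext1)

block all
pass out on { $ext0, $ext1 } keep state

# General case: LAN traffic follows the default route (ext1).
pass in on $int0 from $int_net to any keep state

# Policy routing for the game, decided as the packet ARRIVES on int0, before
# the kernel routes it. Last matching rule wins, so this overrides the rule
# above for the game port. Protocol is an assumption (tcp and/or udp).
pass in on $int0 route-to ($ext0 $ext0_gw) proto { tcp, udp } \
    from $int_net to any port $game_port keep state

# Why "nat on ext0 ... port 5000" alone is too late: a nat rule on ext0 is only
# evaluated for packets the kernel has already routed out ext0, and with a
# single default route via ext1 those packets never get there.
```

Replies for the game connections come back in on ext0 and are matched by the state the nat rule created there, so no extra reply handling is needed; if both connections really share one upstream router, ext0_gw is simply that router's address and route-to still selects the interface.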