Hello,

Here is my setup:
A Cable line on a SOHO router on 192.168.0.1
A DSL line on another SOHO router on 192.168.0.128
some clients in the 192.168.0.0/24 network
an OpenBSD server at 192.168.0.4 with its default gateway at 192.168.0.1

I do mainly ssh connections.

When a connection comes from Cable, there is no problem.
When a connection comes from DSL, OpenBSD tries to send the answer back to 192.168.0.1, and the connection fails.

I can't add a static route, because the same internet host should be able to access the BSD box by Cable or DSL.

I can add another network card if needed, but would want to avoid any pf stuff if possible.
I don't need any load balancing.
All the daemons I use can be bound to a specific IP.

I had it working under NT, by setting a different gateway for two different NICs, so I hoped to make it work under OpenBSD, but route add doesn't seem to handle the interface the way I thought (the -ifa & -ifp are not documented at all).

Thanks in advance for any advice

Pixel K wrote:
> Hello,
>
> Here is my setup:
> A Cable line on a SOHO router on 192.168.0.1
> A DSL line on another SOHO router on 192.168.0.128
> some clients in the 192.168.0.0/24 network
> an OpenBSD server at 192.168.0.4 with its default gateway at 192.168.0.1
>
> I do mainly ssh connections.
>
> When a connection comes from Cable, there is no problem.
> When a connection comes from DSL, OpenBSD tries to send the answer back to
> 192.168.0.1, and the connection fails.
>
> I can't add a static route, because the same internet host should be able to
> access the BSD box by Cable or DSL.
>

You already have a static route (the default one). I suspect what you need to do is add a route for the x.y.z.128 network into its ISP subnet (!/sbin/route add x.y.z.128 dsl_if:addr). At the moment DEFAULT is grabbing all outbounds.

I'm not too sure that will work. Someone suggested PF should do it, assuming there's a handle for PF to work with. The handle is even better if PF is doing NAT. It's a matter of preference. Some sites allow pppoe from all over the place, whereas others restrict it to a natting host.

Without NAT it seems you'd have to do a pf.rdr in an inside-out context.

I'd be curious how your multihomed host fares. My bsd3.3 with 5 interfaces occasionally goes on strike, and /bsd: posts arp warnings all day long. In my case some interfaces share a bridge, so you won't have the same problem.

MK

[...]
> You already have a static route (the default one).
> I suspect what you need to do is add a route for the x.y.z.128 network
> into its ISP subnet (!/sbin/route add x.y.z.128 dsl_if:addr). At the
> moment DEFAULT is grabbing all outbounds.

Doesn't seem to work.

> I'm not too sure that will work. Someone suggested PF should do it,
> assuming there's a handle for PF to work with. The handle is even better
> if PF is doing NAT. It's a matter of preference. Some sites allow pppoe
> from all over the place, whereas others restrict it to a natting host.

I'll try pf this afternoon, as it seems a simple route add does not work the way I want it.

> Without NAT it seems you'd have to do a pf.rdr in an inside-out context.
>
> I'd be curious how your multihomed host fares. My bsd3.3 with 5
> interfaces occasionally goes on strike, and /bsd: posts arp warnings all
> day long. In my case some interfaces share a bridge, so you won't have
> the same problem.
>
> MK

I too receive warnings of all sorts on the console port; while it doesn't look too good, I still can access the two interfaces independently.

Thanks for your answers

Pixel K wrote:
> Hello,
>
> Here is my setup:
> A Cable line on a SOHO router on 192.168.0.1
> A DSL line on another SOHO router on 192.168.0.128
> some clients in the 192.168.0.0/24 network
> an OpenBSD server at 192.168.0.4 with its default gateway at 192.168.0.1
>
> I do mainly ssh connections.
>
> When a connection comes from Cable, there is no problem.
> When a connection comes from DSL, OpenBSD tries to send the answer back to
> 192.168.0.1, and the connection fails.
>
> I can't add a static route, because the same internet host should be able to
> access the BSD box by Cable or DSL.
>
> I can add another network card if needed, but would want to avoid any pf
> stuff if possible.
> I don't need any load balancing.
> All the daemons I use can be bound to a specific IP.
>
> I had it working under NT, by setting a different gateway for two different
> NICs, so I hoped to make it work under OpenBSD, but route add doesn't seem to
> handle the interface the way I thought (the -ifa & -ifp are not documented
> at all).
>
> Thanks in advance for any advice
>

Have you considered the "tagging" feature of pf? Tag incoming packets from the DSL SOHO and rdr tagged packets back to the IP of the DSL SOHO.
Look for it here:
http://www.openbsd.org/faq/pf/tagging.html

Hope this helps

Niels

[...]
> Have you considered the "tagging" feature of pf? Tag incoming packets
> from the DSL SOHO and rdr tagged packets back to the IP of the DSL SOHO.
> Look for it here:
> http://www.openbsd.org/faq/pf/tagging.html
>
> Hope this helps
>
> Niels

The tag is only set on the packet, not on the session. If I tag an incoming request, the server response won't be tagged, and won't be recognised by pf.

So far I receive my packets well, but they don't seem to come back.
I'll try to be more explicit:

- Bob tries to connect to my DSL connection
- The SOHO router behind the DSL modem redirects Bob's packet to my OpenBSD server
- OpenBSD receives Bob's packet (I can see it with a tcpdump) and tries to answer
- I _think_ that OpenBSD tries to answer using its default route, which is the CABLE connection
- I _think_ that Bob waits forever for a response from the DSL connection and discards the answers gotten from the CABLE connection.

I know there's a bit too many assumptions here; if you could help/clarify it for me, you're welcome.
I'm unsuccessful with PF so far.

My current setting (changed a bit since the last time):

Cable router at 192.168.0.1
DSL router at 192.168.0.128
OpenBSD at 192.168.0.5 with default route 192.168.0.128
and an IP alias of 192.168.0.6

DSL router redirects its traffic to 192.168.0.5
Cable router redirects its traffic to 192.168.0.6

pass out log on $my_only_if route-to ($my_only_if 192.168.0.1) from 192.168.0.6 to !192.168.0.0/24

Pixel K wrote:
> [...]
>
>> Have you considered the "tagging" feature of pf? Tag incoming packets
>> from the DSL SOHO and rdr tagged packets back to the IP of the DSL SOHO.
>> Look for it here:
>> http://www.openbsd.org/faq/pf/tagging.html
>>
>> Hope this helps
>>
>> Niels
>
> The tag is only set on the packet, not on the session. If I tag an incoming
> request, the server response won't be tagged, and won't be recognised by pf.
>
> So far I receive my packets well, but they don't seem to come back.
> I'll try to be more explicit:
>
> - Bob tries to connect to my DSL connection
> - The SOHO router behind the DSL modem redirects Bob's packet to my OpenBSD
>   server
> - OpenBSD receives Bob's packet (I can see it with a tcpdump) and tries to
>   answer
> - I _think_ that OpenBSD tries to answer using its default route, which is
>   the CABLE connection
> - I _think_ that Bob waits forever for a response from the DSL connection
>   and discards the answers gotten from the CABLE connection.
>
> I know there's a bit too many assumptions here; if you could help/clarify
> it for me, you're welcome.
> I'm unsuccessful with PF so far.
>
> My current setting (changed a bit since the last time):
>
> Cable router at 192.168.0.1
> DSL router at 192.168.0.128
> OpenBSD at 192.168.0.5 with default route 192.168.0.128
> and an IP alias of 192.168.0.6
>
> DSL router redirects its traffic to 192.168.0.5
> Cable router redirects its traffic to 192.168.0.6
>
> pass out log on $my_only_if route-to ($my_only_if 192.168.0.1) from
> 192.168.0.6 to !192.168.0.0/24

If I understand correctly your setup is as follows:

               (192.168.0.1)     (192.168.0.5)           (192.168.0.0/24)
  internet >>> Cable router >>> OpenBSD server >>> internal network
                                      ^
                                (192.168.0.128)
                                  DSL router
                                      ^
                                      ^
  internet >>>>>>>>>>>>>>>>>>>>>>>>>>>>>

What you want is SSH from the internet into the OpenBSD server from both the DSL connection and the Cable connection?

I think you will make things a lot easier by using two NICs on your OpenBSD machine. By using two NICs for separation of the traffic from the cable router and the traffic from the DSL router you could use the 'route-to' directive to couple traffic from one interface to one gateway and the traffic on the other to the second gateway.

Setup:

               (192.168.0.1)     (192.168.0.5)           (192.168.0.0/24)
  internet >>> Cable router >>> OpenBSD server >>> internal network
                                 (192.168.0.6)
                                      ^
                                (192.168.0.128)
                                  DSL router
                                      ^
                                      ^
  internet >>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Now what you put in your pf.conf is:

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 \
    to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 \
    to any

Finally, NAT can also be used on each outgoing interface:

nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

For more on this see http://openbsd.org/faq/pf/pools.html#outgoing

It might be possible to use one and the same NIC by using two IP aliases and referencing in your pf.conf not by interface ($ext_if1 and $ext_if2) but by IP address. Just experiment and see if that works.

Hope this was more of a help,
Niels

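Added example (the editor's, not code from any poster in this thread): a complete pf.conf for the single-NIC, two-alias variant Niels mentions in his last paragraph, using the addresses from Pixel K's setup. The interface name and the use of pf's reply-to directive are assumptions of this example; nobody in the thread proposed reply-to, and its availability on the poster's release is assumed here. The reason it is the directive a practitioner reaches for: pf.conf(5) defines reply-to as routing the packets of a state that travel in the opposite direction to the rule that created it, so the reply path is fixed by the rule that accepted the incoming SYN. A route-to on a separate "pass out" rule only affects packets that are evaluated against the ruleset; replies that match a state created by a stateful "pass in" rule never reach it. The LAN-to-LAN rule is the other caveat: both gateways live on 192.168.0.0/24, and without it route-to would push traffic for local clients through a SOHO router.

```pf
# /etc/pf.conf -- added example, not from the thread.
# Assumed layout (names are assumptions; addresses follow Pixel K's post):
#   fxp0 carries 192.168.0.5 and the alias 192.168.0.6
#   DSL   SOHO router 192.168.0.128 forwards ssh to 192.168.0.5
#   cable SOHO router 192.168.0.1   forwards ssh to 192.168.0.6
#   kernel default route: 192.168.0.128 (not consulted for stateful replies)

int_if     = "fxp0"
dsl_addr   = "192.168.0.5"
dsl_gw     = "192.168.0.128"
cable_addr = "192.168.0.6"
cable_gw   = "192.168.0.1"
lan_net    = "192.168.0.0/24"

pass quick on lo0 all

# Local traffic stays local: both gateways sit on this /24, so this rule
# must match first ("quick") or the route-to rules below would hand
# LAN-bound packets to a SOHO router.
pass quick on $int_if from $lan_net to $lan_net keep state

# Inbound ssh. reply-to on the state-creating rule sends every reply of
# the connection to the gateway the SYN arrived through, regardless of
# the kernel default route. One rule per forwarded address.
pass in log on $int_if reply-to ($int_if $dsl_gw) \
    proto tcp from any to $dsl_addr port ssh flags S/SA keep state
pass in log on $int_if reply-to ($int_if $cable_gw) \
    proto tcp from any to $cable_addr port ssh flags S/SA keep state

# Connections the server opens itself, from daemons bound to one address:
# choose the gateway by source address. This is Niels' route-to pair
# keyed on addresses instead of on two interfaces.
pass out on $int_if route-to ($int_if $cable_gw) \
    from $cable_addr to any keep state
pass out on $int_if route-to ($int_if $dsl_gw) \
    from $dsl_addr to any keep state
```

The file deliberately contains no block rule, so it changes only routing; a host that should accept nothing but ssh on these addresses adds "block in on $int_if all" ahead of the pass rules. To check it: pfctl -nf /etc/pf.conf parses without loading, pfctl -e -f /etc/pf.conf loads it, pfctl -sr shows the parsed rules with their reply-to and route-to targets, and pfctl -ss lists the states. The decisive test is on the wire: with tcpdump -n -e -i fxp0 port ssh, the reply frames of a connection that arrived via 192.168.0.5 must carry the DSL router's MAC as destination, and those for 192.168.0.6 the cable router's; tcpdump -n -e -ttt -i pflog0 shows which rule each logged SYN matched.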