List: freebsd-pf
Subject: PF and redirects to different FIB's
From: Steven Burrell <winglessza () gmail ! com>
Date: 2022-02-23 12:06:30
Message-ID: CAHGOOWbvudELristBDAfaBYthHgrGJ5DnhywMiJQjoULyaS+9Q () mail ! gmail ! com
Hi There,
I've been sitting on a problem for a while now and have tried various
options to no avail. As an example, I have 3 FIBs, with overlapping IPs.
FIB 0
FIB 1
FIB 2
I'm trying to redirect received TACACS traffic ( tcp 49 ) from FIB 1 and 2
through to another Server located within FIB 0, and have return traffic
still return to the correct FIB and destination.
I.e.
Server 1:
Interface : 1
- Belongs to FIB 0
- 10.0.0.1
Interface : 2
- Belongs to FIB 1
- 192.168.0.1
Interface : 3
- Belongs to FIB 2
- 192.168.0.1
Server 2:
Interface : 1
- On same network as Server 1.
- 10.0.0.2
- Gateway is set to 10.0.0.1
- Runs a TACACS Server
Now I need PF to redirect the inbound traffic on interfaces 2 and 3 for
port 49 tcp through to Server 2 in FIB 0.
I've been able to get the traffic to get to Server 2, and the reply gets to
Server 1 in FIB 0, but there is no transition back to the original FIB.
I used this:
    rdr pass inet proto tcp from any to any port 49 rtable 0 -> 10.200.0.13 port 49
In OpenBSD I was able to achieve all of this effortlessly with:
    pass in quick on any proto tcp to any port {49} rdr-to 10.200.0.12 rtable 0
Any suggestions or advice would be welcome.
Thanks.