Discussion:
Special route and NPF
BERTRAND Joël
2017-05-15 09:58:53 UTC
Hello,

I'm using NPF to filter packets and I'm unable to find a solution to a
simple problem.

Here is my network:

eth1(wan1)--+--Linux router-----+---eth0(lan1)
eth2(wan2)--+                   +---tap0(lan2)
                                +---tap1(lan3)



wm0(wan3) --+--NetBSD router----agr0(lan4)
tap0(lan3)--+


On eth1, I have some inet4 addresses (/27). I want to route packets
from a specific address from eth1 to a server (192.168.10.103) on lan4.
Both routers are connected by lan3 (ethernet VPN).

I have added some iptables rules in the Linux router and all incoming
packets are routed to 192.168.10.103. 192.168.10.103 answers, but as
the NetBSD router's default route is over wm0, all packets sent by
192.168.10.103 are sent over wm0 and not over tap0.

How can I add a rule in /etc/npf.conf to route packets that come from
my Linux router back to this router?

Best regards,

JB


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
BERTRAND Joël
2017-05-15 11:23:07 UTC
Post by BERTRAND Joël
Hello,
I'm using NPF to filter packets and I'm unable to find a solution to
a simple problem.
eth1(wan1)--+--Linux router-----+---eth0(lan1)
eth2(wan2)--+                   +---tap0(lan2)
                                +---tap1(lan3)
wm0(wan3) --+--NetBSD router----agr0(lan4)
tap0(lan3)--+
On eth1, I have some inet4 addresses (/27). I want to route packets
from a specific address from eth1 to a server (192.168.10.103) on lan4.
Both routers are connected by lan3 (ethernet VPN).
I have added some iptables rules in the Linux router and all incoming
packets are routed to 192.168.10.103. 192.168.10.103 answers, but as
the NetBSD router's default route is over wm0, all packets sent by
192.168.10.103 are sent over wm0 and not over tap0.
How can I add a rule in /etc/npf.conf to route packets that come
from my Linux router back to this router?
Best regards,
JB
I have checked my old IPF configuration. With IPF, it was possible to
write:

pass in quick on agr0 to tap0:192.168.1.1 proto tcp \
from 192.168.10.103 port=443 to any

I would like to add a similar rule in NPF, if that is possible.

Best regards,

JB

Robert Swindells
2017-05-15 14:45:01 UTC
Post by BERTRAND Joël
I'm using NPF to filter packets and I'm unable to find a solution to a
simple problem.
eth1(wan1)--+--Linux router-----+---eth0(lan1)
eth2(wan2)--+                   +---tap0(lan2)
                                +---tap1(lan3)
wm0(wan3) --+--NetBSD router----agr0(lan4)
tap0(lan3)--+
I think you are going to have to give some more information about how
you have connected things up and what routes you have added other than
default ones.

For example, is your tap0(lan3) connected to a bridge?

BERTRAND Joël
2017-05-15 15:01:41 UTC
Post by Robert Swindells
Post by BERTRAND Joël
I'm using NPF to filter packets and I'm unable to find a solution to a
simple problem.
eth1(wan1)--+--Linux router-----+---eth0(lan1)
eth2(wan2)--+                   +---tap0(lan2)
                                +---tap1(lan3)
wm0(wan3) --+--NetBSD router----agr0(lan4)
tap0(lan3)--+
I think you are going to have to give some more information about how
you have connected things up and what routes you have added other than
default ones.
I only have a default route and some static routes to my different LANs:

Internet:
Destination        Gateway            Flags  Refs  Use  Mtu    Interface
default            192.168.15.20      UG     -     -    -      wm0
79.170.216.0/28    192.168.1.1        UG     -     -    -      tap0
91.196.180.225     192.168.1.1        UGH    -     -    -      tap0
127/8              localhost          UGR    -     -    33648  lo0
localhost          localhost          UH     -     -    33648  lo0
192.168.0/24       192.168.1.1        UG     -     -    -      tap0
192.168.1/24       link#7             U      -     -    -      tap0
192.168.1.1        ce:10:2d:04:8d:8a  UHL    -     -    -      tap0
192.168.10/24      link#5             U      -     -    -      agr0
192.168.10.101     link#5             UHL    -     -    -      agr0
192.168.10.102     d8:cb:8a:7d:10:59  UHL    -     -    -      agr0
192.168.10.103     38:2c:4a:70:14:83  UHL    -     -    -      agr0
192.168.10.128     68:05:ca:02:b2:59  UHL    -     -    -      lo0
192.168.10.250     88:75:56:07:d4:08  UHL    -     -    -      agr0
192.168.15/24      link#1             U      -     -    -      wm0
192.168.15.20      dc:9f:db:51:66:c7  UHL    -     -    -      wm0
192.168.253/24     192.168.1.1        UG     -     -    -      tap0
192.168.254/24     192.168.1.1        UG     -     -    -      tap0

79.170.216.0/28 and 91.196.180.225 are addresses used by my SIP provider.
Post by Robert Swindells
For example, is your tap0(lan3) connected to a bridge?
No, lan3 is OpenVPN over a tap interface. I have found a workaround
this evening (I have added a source NAT, so the server on lan4 returns
IP packets to the Linux router).

Regards,

JB

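As an added illustration of the source-NAT workaround described in the last message (this is not configuration posted in the thread), here is an iptables-restore fragment for the Linux router. It assumes the NAT was placed on the Linux side, which is the placement that makes the replies come back over the VPN: the NetBSD route table above reaches 192.168.1.1 through its connected 192.168.1/24 route on tap0, so a server reply addressed to 192.168.1.1 never consults the default route over wm0. The public address on eth1 is the placeholder 203.0.113.10 (the thread does not name it), the Linux side of lan3 is assumed to be 192.168.1.1 on tap1, and the forwarded service is assumed to be TCP/443 as in the IPF rule quoted earlier.

```iptables
# Constructed example, not from the thread. Apply with:
#   iptables-restore --noflush < this-file
# so existing rules for the other LANs are kept.
*nat
# Step 1: destination NAT. Connections to the chosen public address on eth1
# are redirected to the server on lan4. (This is what the thread's existing
# iptables rules already do.)
-A PREROUTING -i eth1 -d 203.0.113.10 -p tcp --dport 443 -j DNAT --to-destination 192.168.10.103
# Step 2: source NAT, the workaround. In POSTROUTING the destination has
# already been rewritten, so matching on 192.168.10.103 selects exactly the
# redirected flow. Rewriting its source to the Linux end of the VPN makes the
# server answer 192.168.1.1, which the NetBSD router reaches over tap0.
-A POSTROUTING -o tap1 -d 192.168.10.103 -p tcp --dport 443 -j SNAT --to-source 192.168.1.1
COMMIT
*filter
# Forward only the translated flow and its replies across the VPN;
# conntrack reverses both translations on the way back.
-A FORWARD -i eth1 -o tap1 -d 192.168.10.103 -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i tap1 -o eth1 -s 192.168.10.103 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
```

One consequence worth keeping in mind: after the SNAT the server on lan4 only ever sees 192.168.1.1 as the client address, so its own access logs no longer identify the real source. The original addresses remain visible in the Linux router's connection tracking table (conntrack -L) and in any logging done in its FORWARD chain, which is where to look when investigating traffic to that server.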