Comments on: Virtualizing the OpenBSD Routing Table

By: Danie

Danie — Tue, 03 Apr 2012 13:04:13 +0000

Hi Joel,
thanks for the reply.

The push traffic to rdomain and local loopback for each rdomain did the trick.

I’m still getting used to the idea of rdomains and pf.

Thanks!

By: Joel Knight

Joel Knight — Mon, 02 Apr 2012 23:42:57 +0000

Hi Danie,

That’s a good scenario. I haven’t tested this, but here’s what I’ve got off the top of my head.

# push tcp/80 traffic into rdomain 10 and do dest addr translation
pass in on em0 proto tcp to 172.29.43.20 port 80 rtable 10 rdr-to 10.0.0.2

# get traffic from rdomain 10 destined to 172-net back into rdomain 0
pass in on vlan10 to 172.29.0.0/16 rtable 0

# setup reverse route in rdomain 10
ifconfig lo10 rdomain 10 127.0.0.1
route -T 10 add 172.29.0.0/16 127.0.0.1

# (no route needed in rdomain 0)

Let me know what you think. I’m interested to know if this works or not. Sounds like you might have all this already except for the first pf rule.

By: Danie

Danie — Thu, 29 Mar 2012 09:54:04 +0000

Do you perhaps have a example of overlapping subnets for rdomain 1 and 2?

in my case, I’ve setup vlan10 in rdomain 10 and vlan11 in rdomain 11 both have the same network 10.0.0.0/18 and same gateway ip of 10.0.0.1. I can ping both using the ping -V10/11 10.0.0.1 and also the hosts located on the 2 subnets. (vlan10/host = 10.0.0.4 and vlan11/host = 10.0.0.2)

in pf.conf – I’ve added the following,

pass in on vlan10 to 172.29.0.0/16 rtable 0
pass in on vlan11 to 172.29.0.0/16 rtable 0

This allows ping from both 10.0.0.2 and .4 hosts to my external interface em0 (172.29.43.239)

But now I would like to access the host 10.0.0.2 from a host 172.29.43.20 by accessing a natted IP of say 172.29.43.240->10.0.0.2 (rdomain 10).

By: Joel Knight

Joel Knight — Thu, 29 Mar 2012 03:01:13 +0000

Ah, I can see why that would be misleading. I meant more in the sense that the pf ruleset is a bit cleaner and that you can do the dual-ISP setup using dynamically assigned Internet IPs with rdomains whereas with route-to, you’re pretty well stuck needing static IPs (because you have to specify the gateway IPs in the ruleset).

By: jofcho

jofcho — Wed, 28 Mar 2012 10:30:27 +0000

Actually I try to make load balancing of outbound connections and use two ISPs.
Maybe this citation misleaded me:
“This provides a much more elegant solution than the outbound load balancing example I wrote about in the PF User’s Guide.”

By: Joel Knight

Joel Knight — Tue, 27 Mar 2012 20:24:13 +0000

I can’t think of a straightforward way of doing that.

Keep in mind that rdomains aren’t designed to do what you’re doing. They’re meant to provide isolation at Layer 3 (and below). You’re trying to do round robin routing to balance Internet use. Stick with the ‘route-to’ method.

By: jofcho

jofcho — Tue, 27 Mar 2012 08:18:41 +0000

Well, I make all settings, and I’m able to transmit and receive data between domains. But how to make something like:
“pass in on $int_if from $lan_net \
route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
round-robin”

with rtables?

pass in on vic1 to 0.0.0.0/0 rtable 0
pass out on vic0 nat-to vic0
pass in on vic1 to 0.0.0.0/0 rtable 1
pass out on vic2 nat-to vic2
How to combine theese two rules?

By: Joel Knight

Joel Knight — Mon, 26 Mar 2012 18:14:49 +0000

Hi jofcho,

All of the components you need to make a dual ISP setup work are talked about in the article. What does your config look like so far? What works and what doesn’t?

By: jofcho

jofcho — Mon, 26 Mar 2012 05:38:01 +0000

Hi, nice article, thanks.
I try to set-up a dual ISP connections with rdomains, but failed to make the correct pf lines.
In http://www.openbsd.org/faq/pf/pools.html#outgoing example is used route-to and round-robin to achieve load balansing. What about rtables? Some working example?

By: Antonio Feitosa (@antonio_cfc)

Antonio Feitosa (@antonio_cfc) — Wed, 08 Feb 2012 01:21:20 +0000

RT @knight_joel: @phessler You bet! Virtualizing the #OpenBSD Routing Table http://t.co/M00Db6ei