OpenBSD Routing With PF
We could have asked our ISP to give us another IP address for our local network (10.10.10.0/24) and changed the routing on our router. But as we have two servers (AFAIK) on the same subnet we couldn't do that. And as said, we don't need to change the router's routing. We only want to use two distinct IP addresses on our router from the same subnet. The following picture illustrates the conflict.
In the fine OpenBSD tradition this is in fact not completely true. The specific LAN segment that is $int_if actually has two separate subnets on it for historical reasons and machines on the other subnet can talk to $INTIP through this rdr-to rule without problems. It's only machines on the same subnet that can't (and not because PF blocks the packets; I've checked).
So, we resolved our 5th problem. In the fine OpenBSD tradition this is not completely true. As you may have noticed, we used only match rules for SNAT/DNAT/rdomain hopping. This would work with a pass-everything rule, but a good practice is to authorize only needed traffic; here is a more complete /etc/pf.conf file
We have 2 servers having exactly the same IP address (192.168.1.50) and we wanted both of them to see our router with the same IP address (192.168.1.60). Both have their default route on e.g. 192.168.1.1 and for some reason we do not want to change the routing configuration. We want to be able to interrogate both servers using 2 distinct IP addresses from the client-side subnet (10.10.10.100 for accessing server1, 10.10.10.200 for accessing server2); the router itself will be accessed with another IP address (10.10.10.10). In addition to that, the servers may initiate a connection on the client side, and when doing so they should obtain their corresponding IP on the client side (10.10.10.100 & 10.10.10.200). The following picture illustrates the whole setup.
I'm currently working on:
Openstack on Power8 on OpenBSD.
P.S.: I also tried to create a dedicated PF rdomain for that, but to no avail. I even tried to add an explicit route-to to a specific interface in the ruleset, but it wasn't accepted by the PF daemon.