{"id":214,"date":"2011-01-09T19:57:49","date_gmt":"2011-01-09T17:57:49","guid":{"rendered":"http:\/\/www.rinta-aho.org\/blog\/?p=214"},"modified":"2015-11-03T12:13:36","modified_gmt":"2015-11-03T10:13:36","slug":"openbsd-and-duplicate-next-hop-routers","status":"publish","type":"post","link":"http:\/\/www.rinta-aho.org\/blog\/openbsd-and-duplicate-next-hop-routers\/","title":{"rendered":"OpenBSD and duplicate next hop routers"},"content":{"rendered":"

As I describe in an earlier blog post<\/a>, I am running an OpenBSD packet filter firewall which has three network interfaces connected to the same ISP. Everything worked so well until the ISP changed something in their configuration and two of the interfaces started to get the same next hop router (gateway) through DHCP configuration. This obviously causes problems with e.g. ARP and routing in general. The solution to this was to start using the “routing domain” feature of OpenBSD.<\/p>\n

All interfaces are in routing domain “0” by default. I then set the two “extra” outgoing interfaces to routing domains “1” and “2”. That way each outgoing network interface has its own routing table and ARP table, and routing\/ARP problems with the “duplicate next hop” were fixed. However, by definition, routing doesn’t work between routing domains. Luckily I found a way around this by tweaking pf.conf. The solution was to<\/p>\n

a) split the “binat” rules and use “rtable” keyword for the rule used for incoming packets, and
\nb) add the “rtable” keyword for outgoing packets.<\/p>\n

That way the route lookup is done on the correct routing tables for both incoming and outgoing packets.<\/p>\n

Here are the modified sections in \/etc\/pf.conf:
\n
\n# binat on em2 for host \"ps3\"
\nmatch out on $if_ext3 inet from $ps3 to any nat-to $if_ext3 static-port
\nmatch in on $if_ext3 inet from any to $if_ext3 rdr-to $ps3 rtable 0<\/strong><\/p>\n

# binat on em1 for host \"core7\"
\nmatch out on $if_ext2 inet from $core7 to any nat-to $if_ext2 static-port
\nmatch in on $if_ext2 inet from any to $if_ext2 rdr-to $core7 rtable 0<\/strong><\/p>\n

# NAT on em0 for the rest of the hosts
\nmatch out on $if_ext1 from $home_net_v4 nat-to ($if_ext1)<\/p>\n

...<\/p>\n

pass out quick on $if_ext1 inet from ($if_ext1) modulate state
\npass out quick on $if_ext2 inet from ($if_ext2) modulate state rtable 1<\/strong>
\npass out quick on $if_ext3 inet from ($if_ext3) modulate state rtable 2<\/strong>
\n<\/code><\/p>\n\"Facebook\"<\/a>\"twitter\"<\/a>\"reddit\"<\/a>\"pinterest\"<\/a>\"linkedin\"<\/a>\"mail\"<\/a>","protected":false},"excerpt":{"rendered":"

As I describe in an earlier blog post, I am running an OpenBSD packet filter firewall which has three network interfaces connected to the same ISP. Everything worked so well until the ISP changed something in their configuration and two of the interfaces started to get the same next hop router (gateway) through DHCP configuration. … <\/p>\n

Continue reading “OpenBSD and duplicate next hop routers”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-214","post","type-post","status-publish","format-standard","hentry","category-openbsd"],"_links":{"self":[{"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/posts\/214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/comments?post=214"}],"version-history":[{"count":5,"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/posts\/214\/revisions"}],"predecessor-version":[{"id":429,"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/posts\/214\/revisions\/429"}],"wp:attachment":[{"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/media?parent=214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/categories?post=214"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.rinta-aho.org\/blog\/wp-json\/wp\/v2\/tags?post=214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}