OpenBSD RDomains
Intro
Let’s assume you have a Mikrotik router whose management interface has the IP ‘192.168.88.1/24’ and a DHCP server enabled. You want to access the router via HTTP/HTTPS while also providing Internet access to the Mikrotik router. You have an APU running OpenBSD. What do you do?
Setup
- 2 NICs
- em0: dhcp client, default route, rdomain 0
- em3: dhcp client, rdomain 3
Interfaces
Interface em0
# Public Internet uplink on em0: DHCP for IPv4, SLAAC for IPv6, default rdomain 0.
# hostname.if(5) files are read by netstart(8); keep them root-owned and not
# world-readable (0640), as such files may also hold secrets (e.g. WPA keys).
printf '%s\n' \
  '# Public Internet' \
  'inet autoconf' \
  'inet6 autoconf' > /etc/hostname.em0
Interface em3
# Management link to the Mikrotik on em3, placed in routing domain 3.
# 'rdomain 3' stays ahead of the address lines so the DHCP/SLAAC addresses are
# assigned inside rtable 3; nothing in rdomain 0 reaches 192.168.88.0/24 unless
# pf explicitly switches rtables (see the pf rules further down).
printf '%s\n' \
  '# Mgmt Network for Mikrotik, RDomain 3' \
  'rdomain 3' \
  'inet autoconf' \
  'inet6 autoconf' \
  'up' > /etc/hostname.em3
Bring Up Interfaces
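# Reconfigure only the two interfaces this guide touches, instead of every
# interface on the box; netstart(8) accepts interface names as arguments.
# Note: em0 is the uplink, so a remote session over it may drop briefly.
sh /etc/netstart em0 em3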
Packet Filter
#---------------------------------#
# DEFAULT SETTINGS
#---------------------------------#
# Silently drop blocked packets (no RST / ICMP unreachable back to the sender).
set block-policy drop
set limit states 100000
set optimization normal
# Keep the rules exactly as written; the rule numbers seen in the pflog output
# further down (@6, @8, @13, @14) then follow the order in this file.
set ruleset-optimization none
# Loopback and VPN interfaces are never filtered.
set skip on { lo0 enc0 tun0 }
# SYN cookies switch on when the state table is 25% full and off again at 12%.
set syncookies adaptive (start 25%, end 12%)
#---------------------------------#
# Redirects
# WARNING: Redirects always goes last in the ruleset!
#---------------------------------#
# Our web server is 192.168.88.1 - Let the "Internet" have access to it
# NOTE(review): this is a non-quick 'pass' rule; the 'pass in log quick' at the
# end also matches and is the last match, so this redirect presumably never
# takes effect. The pflog below shows only the 'match' rule (@6) redirecting.
pass in log inet proto tcp from any to 172.16.1.107 port { 80 443 } rdr-to 192.168.88.1 rtable 3
# Forward from RDomain 3
# Packets arriving from the mgmt network are moved to rtable 0 so they follow
# the default route via em0 (rtable 3's default points back at the Mikrotik).
# There is no nat-to on em0 for this traffic: either the upstream router must
# know how to reach 192.168.88.0/24, or a nat-to on egress is needed — TODO confirm.
match in log on rdomain 3 from 192.168.88.0/24 to any rtable 0
# Another allow ?
# This is the redirect that actually fires (rule @6 in the log). It matches
# TCP 80/443 arriving on egress regardless of destination address, so the
# Mikrotik web UI is reachable by anyone who can send packets to em0; narrow
# 'from' / 'to' if that exposure is not intended.
match in log on egress proto tcp to port { 80 443 } rdr-to 192.168.88.1 rtable 3
# NAT to em3
# Rewrite the source to em3's own address (192.168.88.254 in the ifconfig
# output) so the Mikrotik answers back to the APU inside rdomain 3.
match out log on em3 inet nat-to (em3)
# Default Block
# NOTE(review): the two 'pass ... quick' rules at the end match every packet,
# so this default block never applies — the ruleset effectively passes all.
block log
#---------------------------------#
# SSH Access
#---------------------------------#
# (self) = every address configured on this host. 2001:db8::/64 is the
# documentation prefix; replace it with the real management prefix.
# Both rules are redundant while the catch-all pass rules below remain.
pass in log quick from 192.168.0.0/16 to (self)
pass in log quick from 2001:db8::/64 to (self)
# Allow all In / Out
# These make the firewall wide open: remove or restrict them to get the
# default-deny behaviour that the 'block log' above suggests.
pass in log quick
pass out log quick
Load PF Rules
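# Syntax-check the ruleset (-n), then load it; only report success when both
# steps passed. An if/else is used because 'a && b || c' also runs c when b
# itself fails, and diagnostics belong on stderr.
if pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf; then
  echo "pf reloaded"
else
  echo "something went wrong ..." >&2
fi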
Show Interface Config
root@apu # ifconfig em0 && ifconfig em3
em0: flags=a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4> mtu 1500
lladdr 00:0d:b9:xx:xx:xx
description: connected to 6 peers
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::20d:xxxx:xxxx:xxx%em0 prefixlen 64 scopeid 0x1
inet 172.16.xx.xx netmask 0xffffff00 broadcast 172.16.1.255
inet6 2001:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf pltime 3320 vltime 2591720
em3: flags=a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4> rdomain 3 mtu 1500
lladdr 00:0d:b9:xx:xx:xx
description: connected to MikroTik (ether1)
index 4 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet6 fe80::20d:xxxx:xxxx:xxx%em3 prefixlen 64 scopeid 0x4
inet 192.168.88.254 netmask 0xffffff00 broadcast 192.168.88.255
Show Routing Tables
# RDomain 0
root@apu # route -n show -inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 172.16.1.1 UGS 6 20874 - 8 em0
224/4 127.0.0.1 URS 0 0 32768 8 lo0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 3 77744 32768 1 lo0
172.16.1/24 172.16.1.107 UCn 1 645 - 4 em0
172.16.1.1 00:09:xx:xx:xx:xx UHLch 1 246 - 3 em0
172.16.1.255 172.16.1.107 UHb 0 2490 - 1 em0
# RDomain 3
root@apu # route -T 3 -n show -inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.88.1 UGS 0 16978 - 8 em3
192.168.88/24 192.168.88.254 UCn 1 0 - 4 em3
192.168.88.1 78:9a:xx:xx:xx:xx UHLch 2 5053 - 3 em3
192.168.88.254 00:0d:xx:xx:xx:xx UHLl 0 5 - 1 em3
192.168.88.255 192.168.88.254 UHb 0 0 - 1 em3
Show PF Log and Rule Set
# Show PF Log
tcpdump: listening on pflog0, link-type PFLOG
15:30:19.390281 rule 6/(match) match in on em0: xxx:xxx:xxx.xxx.63720 > 172.16.1.107.80: S 4237808944:4237808944(0) win 65535 <mss 1460,nop,wscale 6,nop,nop,timestamp 151812669 0,[|tcp]> (DF)
15:30:19.390303 rule 13/(match) pass in on em0: xxx.xxx.xxx.xxx.63720 > 172.16.1.107.80: S 4237808944:4237808944(0) win 65535 <mss 1460,nop,wscale 6,nop,nop,timestamp 151812669 0,[|tcp]> (DF)
15:30:19.390389 rule 8/(match) match out on em3: xxx.xxx.xxx.xxx.63720 > 192.168.88.1.80: S 4237808944:4237808944(0) win 65535 <mss 1460,nop,wscale 6,nop,nop,timestamp 151812669 0,[|tcp]> (DF)
15:30:19.390395 rule 14/(match) pass out on em3: xxx.xxx.xxx.xxx.63720 > 192.168.88.1.80: S 4237808944:4237808944(0) win 65535 <mss 1460,nop,wscale 6,nop,nop,timestamp 151812669 0,[|tcp]> (DF)
# Show Ruleset
@6 match in log on egress inet proto tcp from any to any port = 80 rtable 3 rdr-to 192.168.88.1
@8 match out log on em3 inet all nat-to (em3:1) round-robin
@13 pass in log quick all flags S/SA
@14 pass out log quick all flags S/SA
Any Comments ?