Vlan Tagging + PF


Deimos-2
Hello everyone,

I am writing because I have run out of ideas on how to get my OpenBSD
router working with VLANs. I have a machine (Debian) connected to it,
and I configured VLAN tagging on it.

On my router, I think I have done everything, I followed a bunch of
tutorials, but it is impossible to get through the router or even to ping it.
Yet with tcpdump I can clearly see traffic arriving.

So I am wondering whether it is my PF config that is causing the problem.
Here is my config, briefly:
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Physical Interfaces
wan_if="sis0"
lan_if="vr0"
dmz_if="vlan110"
wifi_if="vr1"
# TUN Interfaces
openvpn_if="tun0"
sshvpn_if="tun1"

# Networks
wan_net="192.168.10.0/24"
lan_net="192.168.0.0/24"
dmz_net="192.168.110.0/24"
wifi_net="192.168.200.0/24"
openvpn_net="192.168.20.0/24"
openvpn_net_nat="10.0.0.0/24"
sshvpn_net="192.168.30.0/24"

# Router IP interfaces
wan_sks_ip="192.168.10.254"
dmz_sks_ip="192.168.100.254"

# Others IP
dedibox_ip="x.x.x.x"
work_ip="x.x.x.x"
freebox_tv_ip="212.27.38.253"

# IP Services
dmz_mail_ip="192.168.100.3"
dmz_web_ip="192.168.100.2"
dmz_dns_ip="192.168.100.3"
dmz_sftp_ip="192.168.100.6"

# Port descriptions
imaps_ports="143, 993"
smtps_ports="25, 465"
ssh_ports="22, 222"
dns_port="53"
webs_ports="80, 443"
openvpn_port="1194"
proxy_port="3128"
mysql_port="3306"
puppet_port="8140"
git_port="9418"
free_multiposte="31336, 31337"

# Whitelist / Blacklist table
table <blacklist> persist
table <whitelist> persist file "/etc/ssh/whitelist"

# Do not touch lo interface
set skip on lo0

# Packet normalization
match in all scrub (no-df)

# Nat for all internal interfaces
match out on $wan_if from !($wan_if) nat-to ($wan_if)

# Block in all with no usurpation
block in log all
block in log quick from urpf-failed

# Redirections for incoming connections (wan)
#pass in on $wan_if proto tcp from any to $wan_if port 25 rdr-to $dmz_mail_ip port 25
#pass in on $wan_if proto udp from any to $wan_if port $dns_port rdr-to $dmz_dns_ip port $dns_port
#pass in on $wan_if proto tcp from any to $wan_if port $dns_port rdr-to $dmz_dns_ip port $dns_port
#pass in on $wan_if proto tcp from any to $wan_if port 80 rdr-to $dmz_web_ip port 80
#pass in on $wan_if proto tcp from any to $wan_if port 143 rdr-to $dmz_mail_ip port 143
#pass in on $wan_if proto tcp from any to $wan_if port 222 rdr-to $dmz_sftp_ip port 22
#pass in on $wan_if proto tcp from any to $wan_if port 443 rdr-to 127.0.0.1 port 443
#pass in on $wan_if proto tcp from any to $wan_if port 465 rdr-to $dmz_mail_ip port 465
#pass in on $wan_if proto tcp from any to $wan_if port 993 rdr-to $dmz_mail_ip port 993
#pass in on $wan_if proto tcp from any to $wan_if port 9418 rdr-to $dmz_web_ip port 9418
pass in on $wan_if proto tcp from $dedibox_ip to $wan_if port $mysql_port rdr-to $dmz_web_ip port $mysql_port
pass in on $wan_if proto udp from $freebox_tv_ip to $wan_if rdr-to 192.168.0.100
pass in on $wan_if proto tcp from $freebox_tv_ip to $wan_if rdr-to 192.168.0.100

# Allow all outgoing from $lan_net, $wifi_net and $openvpn_net
pass in quick on { $lan_if, $wifi_if, $openvpn_if, $sshvpn_if } from { $lan_net, $wifi_net, $openvpn_net, $sshvpn_net } to any
pass out quick on { $lan_if, $wifi_if, $openvpn_if, $sshvpn_if } from { $lan_net, $wifi_net, $openvpn_net, $sshvpn_net } to any
pass out quick on $wan_if from $wan_net to any

# Security antispoof for servers in remote access
antispoof quick for { $wan_if, $dmz_if }

# Block all incoming on lan_if, wifi_if, openvpn_if and sshvpn_if
block out quick on { $lan_if, $wifi_if, $openvpn_if, $sshvpn_if } from { !$lan_if, !$wifi_if, !($openvpn_if), !($sshvpn_if) } to any

# Allow specific ports from dmz
pass in quick on $dmz_if proto tcp from $dmz_dns_ip to $dmz_sks_ip port $dns_port
pass in quick on $dmz_if proto udp from $dmz_dns_ip to $dmz_sks_ip port $dns_port

# Allow puppet port on lan
#pass in quick on $dmz_if proto tcp from $dmz_net to $vlan110_if port $puppet_port

# Disable connections from DMZ to router
block in log quick on $dmz_if from $dmz_net to { $lan_net, $wifi_net, $openvpn_net, $sshvpn_net, $dmz_sks_ip }
pass in quick on $dmz_if from $dmz_net to { !$lan_if, !$wifi_if, !($openvpn_if), !($sshvpn_if) }

# Allow all incoming ICMP
pass in quick on $wan_if proto icmp to any

# Autoblacklist on SSH
pass in on $wan_if proto tcp from !<whitelist> to ($wan_if) port { $ssh_ports } \
        flags S/SA keep state \
        (max-src-conn-rate 3/60, \
        overload <blacklist> flush global)
pass in on $wan_if proto tcp from <whitelist> to $wan_if port { $ssh_ports } flags S/SA keep state

# Block the ssh bruteforce
block drop in on $wan_if from <blacklist>
pass in quick on $wan_if proto tcp from <whitelist> port { $ssh_ports }

# Allow OpenVPN from Work
pass in on $wan_if proto tcp to $wan_if port $openvpn_port

# Allow on wan interface from wan for tcp
pass out on $wan_if proto tcp to ($wan_if) port { $ssh_ports, $smtps_ports, $imaps_ports, $dns_port, $webs_ports, $git_port, $mysql_port }
# Allow on dmz interface from wan for udp
pass out on $wan_if proto udp to ($dmz_if) port { $dns_port }

# Allow all outbound traffic
pass out inet from !($wan_if) to any flags S/SA keep state

-----------------

And for the config of my VLAN, /etc/hostname.vlan110:
inet 192.168.110.254 255.255.255.0 NONE vlan 110 vlandev sis1


If anyone has a lead, I am all ears. Everything that is not VLAN works
(by the way).

Thanks


________________________________
French OpenBSD mailing list
[hidden email]
http://www.openbsd-france.org/communaute.php
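An added consistency check (not part of the original post, and not an OpenBSD or PF tool) that parses the macro block of a pf.conf like the one above and reports any <zone>_..._ip macro whose address lies outside that zone's <zone>_net, and whether the address in hostname.vlanN equals the router IP macro for that zone. The PF_CONF excerpt and the hostname line are constructed copies of values from the post; the zone naming convention (prefix before the first underscore) is an assumption read off the macro names.

```python
import ipaddress
import re

# Constructed excerpt of the macro block from the pf.conf posted above
# (only the macros the check needs are reproduced verbatim).
PF_CONF = """
dmz_if="vlan110"
wan_net="192.168.10.0/24"
dmz_net="192.168.110.0/24"
wan_sks_ip="192.168.10.254"
dmz_sks_ip="192.168.100.254"
dedibox_ip="x.x.x.x"
dmz_mail_ip="192.168.100.3"
dmz_web_ip="192.168.100.2"
dmz_dns_ip="192.168.100.3"
dmz_sftp_ip="192.168.100.6"
"""
# Constructed copy of the /etc/hostname.vlan110 line from the post.
HOSTNAME_VLAN110 = "inet 192.168.110.254 255.255.255.0 NONE vlan 110 vlandev sis1"
MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')

def parse_macros(text):
    """Return {name: value} for every name="value" macro line in a pf.conf."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def check_ip_macros(macros):
    """Flag every <zone>_..._ip macro whose address lies outside <zone>_net.
    Returns a list of (macro name, address, network) mismatches."""
    problems = []
    for name, value in macros.items():
        net = macros.get(name.split("_", 1)[0] + "_net")  # assumed zone prefix
        if not name.endswith("_ip") or net is None:
            continue  # not an address macro, or no network declared for its zone
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # redacted placeholders such as "x.x.x.x" cannot be checked
        if addr not in ipaddress.ip_network(net):
            problems.append((name, value, net))
    return problems

def check_vlan_hostname(hostname_line, macros, zone="dmz"):
    """True if the address in hostname.vlanN equals the <zone>_sks_ip macro."""
    return hostname_line.split()[1] == macros.get(zone + "_sks_ip")
```

Run over the posted values, the check lists every dmz_*_ip macro as lying outside dmz_net and reports that the hostname.vlan110 address differs from dmz_sks_ip; whether that is the cause of the symptom is for the poster to confirm.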