[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

transparent bridge, routing problem, pf redirection?

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: transparent bridge, routing problem, pf redirection?
From: "Sancho2k.net Lists" <lists_(_at_)_sancho2k_(_dot_)_net>
Date: Thu, 10 Apr 2003 23:07:33 -0600

    INTERNET
        |
        |
  ROUTER (10.0.0.1)
              \
               \    +---+
               `---*| pf|  fxp1 (10.0.0.7)
               fxp2 |box|*---,
                    +---+     \
                   /          |
             fxp0_/        +-------+ switch
         (unused)         ,+-------+
                         /         |
                        /          |
                     +---+       +---+
            Client   |   |       |   | Proxy
            10.0.0.3 |   |       |   | 10.0.0.21
                     +---+       +---+

I'm trying to transparent proxying using squid-latest (compiled with --enable-pf-transparent) and am having some troubles...

My pf box is a transparent bridge that has an IP address also assigned to the inside interface (fxp1) for management. Traffic passes through it on the bridge interface, so the inside interface of the router and all the hosts attached to the switch are on the 10.0.0.0/24 network. I have configured a default route on the bridge as 10.0.0.1. Here is my routing table:

Internet:
Destination      Gateway            Flags
default          10.0.0.1           UG
10.0.0.0         link#2             U
10.0.0.1         link#2             UH
10.0.0.2         0:4:5a:49:fc:c6    UH
10.0.0.3         0:4f:4e:4:a1:6e    UH
10.0.0.7         127.0.0.1          UGH
127.0.0.0        127.0.0.1          UG
127.0.0.1        127.0.0.1          UH
224.0.0.0        127.0.0.1          U

I'm trying to get web requests from my client (10.0.0.3) to be redirected through squid on 10.0.0.21 for proxying. Here are some parts of my pf.conf:

### Interfaces ###
int_if="fxp1"
ext_if="fxp2"
### Hosts ###
router="10.0.0.1"
molodetz="10.0.0.2"
win2kpro="10.0.0.3"
phantasm="10.0.0.7"
homenet="10.0.0.0/24"

rdr on $int_if proto tcp from $homenet to ! $phantasm port 80 \
       -> 10.0.0.21 port 8080

pass out quick on $ext_if inet proto tcp from $homenet to any \
        modulate state
pass out quick on $ext_if inet proto udp from $homenet to any \
        keep state
pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 \
        keep state

running a tcpdump on the pf box shows the redirect occuring:

======================================================================== Apr 10 07:17:33.080969 0:4f:4e:4:a1:6e 0:5:5e:9f:fc:93 0800 62: 10.0.0.3.4094 > 207.88.19.245.80: S 1951481075:1951481075(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) Apr 10 07:17:33.082049 0:5:5e:9f:fc:93 0:4f:4e:4:a1:6e 0800 70: 207.88.19.245 > 10.0.0.3: icmp: redirect 207.88.19.245 to host 10.0.0.21 Apr 10 07:17:35.992714 0:4f:4e:4:a1:6e 0:5:5e:9f:fc:93 0800 62: 10.0.0.3.4094 > 207.88.19.245.80: S 1951481075:1951481075(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) Apr 10 07:17:35.993684 0:5:5e:9f:fc:93 0:4f:4e:4:a1:6e 0800 70: 207.88.19.245 > 10.0.0.3: icmp: redirect 207.88.19.245 to host 10.0.0.21 Apr 10 07:17:42.000282 0:4f:4e:4:a1:6e 0:5:5e:9f:fc:93 0800 62: 10.0.0.3.4094 > 207.88.19.245.80: S 1951481075:1951481075(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) Apr 10 07:17:42.001308 0:5:5e:9f:fc:93 0:4f:4e:4:a1:6e 0800 70: 207.88.19.245 > 10.0.0.3: icmp: redirect 207.88.19.245 to host 10.0.0.21 ========================================================================

The problem is, as seen below, is the clients are being redirected out through the outside interface - is this because the route to 10.0.0.0/24 is pointing out that interface?

======================================================================== # tcpdump -nettt -i fxp2 port 8080 tcpdump: WARNING: fxp2: no IPv4 address assigned tcpdump: listening on fxp2 Apr 10 07:22:58.451045 0:4f:4e:4:a1:6e 0:5:5e:9f:fc:93 0800 62: 10.0.0.3.4096 > 10.0.0.21.8080: S 4138238338:4138238338(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) Apr 10 07:22:58.452127 0:5:5e:9f:fc:93 0:3:47:12:fb:87 0800 62: 10.0.0.3.4096 > 10.0.0.21.8080: S 4138238338:4138238338(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) Apr 10 07:23:01.403403 0:4f:4e:4:a1:6e 0:5:5e:9f:fc:93 0800 62: 10.0.0.3.4096 > 10.0.0.21.8080: S 4138238338:4138238338(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) Apr 10 07:23:01.404425 0:5:5e:9f:fc:93 0:3:47:12:fb:87 0800 62: 10.0.0.3.4096 > 10.0.0.21.8080: S 4138238338:4138238338(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) Apr 10 07:23:07.410999 0:4f:4e:4:a1:6e 0:5:5e:9f:fc:93 0800 62: 10.0.0.3.4096 > 10.0.0.21.8080: S 4138238338:4138238338(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) Apr 10 07:23:07.412031 0:5:5e:9f:fc:93 0:3:47:12:fb:87 0800 62: 10.0.0.3.4096 > 10.0.0.21.8080: S 4138238338:4138238338(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) ========================================================================

I suspect I need to add in a route to 10.0.0.21 to send through link#1 - I've tried a couple of ways but the same thing occurs. What is the best way for me to handle this?

TIA

DS

Prev by Date: Re: surviving the slashdot effect
Next by Date: apache 2.0.45, mod_perl 2.0 (1.99-X), anyone?
Previous by thread: chroot pseudo jail
Next by thread: apache 2.0.45, mod_perl 2.0 (1.99-X), anyone?
Index(es):
- Date
- Thread

Visit your host, monkey.org