Skip to content

Commit ffc2a9f

Browse files
cqcallawcqcallaw
committed
blog: multihomed webserver routing
1 parent f363f74 commit ffc2a9f

1 file changed

Lines changed: 32 additions & 0 deletions

File tree

content/blog/multihomed-webserver-routing.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
---
2+
title: "Multihomed Webserver Routing in pf"
3+
date: 2020-11-09T19:30:41-08:00
4+
draft: false
5+
tags: ['openbsd', 'pf', 'routing', 'ipv6']
6+
---
7+
8+
Running a publicly accessible IPv6 webserver while blessed with a dynamic IPv6 prefix can be achieved with a static [tunnelbroker.net](tunnelbroker.net) prefix and [multihoming](https://en.wikipedia.org/wiki/Multihoming#Multihoming_with_multiple_addresses), but simply configuring multiple IPv6 addresses isn't enough. Additional router configuration is required.
9+
10+
The ISP-delegated prefix should be the default route for performance reasons. Simple `pass` rules will allow inbound requests to route through the tunnel and onward to the internal server; outbound packets aren't so easy. The server's response will originate from a static address associated with the tunnel, but will usually take the default route back to the external client and subsequently get dropped by an external router that doesn't service packets from the tunneled prefix. We need to route outbound packets from the server through the tunnel; in short, we need [source-based routing](https://en.wikipedia.org/wiki/Source_routing).
11+
12+
[pf](https://www.openbsd.org/faq/pf/) provides a convenient source-based routing solution with its `route-to` clause, but one must also disable state tracking for all inbound and outbound packets so the state tracker doesn't bypass our `route-to` rule. The state tracker is enabled by default, so we must disable state tracking _for every interface on the route_.
13+
14+
```bash
15+
server = <webserver ipv6 addr>
16+
...
17+
pass in quick on $he_if proto tcp to $server port https no state
18+
pass out quick on $lan proto tcp to $server port https no state
19+
pass in quick on $lan proto tcp from $server port https route-to $he_if no state
20+
pass out quick on $he_if proto tcp from $server port https no state
21+
...
22+
```
23+
24+
The use of `quick` may not be necessary if the rule set is cleverly crafted; I chose to emphasize legibility over cleverness. While it's possible to remove the port and protocol specifiers for these rules, I've found the interactions with other rules difficult to manage. Your mileage may vary.
25+
26+
# Notes on Debugging
27+
28+
Having a remote host from which to issue queries to my webserver was vital; I used a [Digital Ocean](https://www.digitalocean.com/) droplet. I got a lot of mileage out of [pf logging](https://www.openbsd.org/faq/pf/logging.html) and various `tcpdump` filters; I also found this shell snippet handy for isolating rules that had introduced spurious state tracker entries:
29+
30+
```bash
31+
for i in `jot 30`; do echo "Rule $i" && doas pfctl -s states -R $i | grep <server ip>; done
32+
```

0 commit comments

Comments
 (0)