
What to build a network on

I think everyone (or if not everyone, then many) of us sysadmins has at least once had the task of merging several remote offices into a single corporate network, and everyone has found or chosen their own solution.
Nowadays there are many different solutions, which can be implemented both with dedicated hardware appliances and with ordinary computers running any OS.
In this article I want to show how to combine three remote offices into one corporate network, with a separate subnet for each office. I propose to build all of this using nothing but OpenBSD.

We will need:
First, let's define some “variables”:
Let's add a little color to make it clearer what belongs to what:
I will not describe the installation of the system, especially since version 4.8 (which was used to write this article) has an automatic HDD partitioning script that makes installing the system simple even for a novice user.

After the system has been installed successfully, we need to enable the firewall and IP forwarding, and register a file containing the static routes for execution at boot:
# vi /etc/rc.conf (enable PF)
pf=YES
# vi /etc/sysctl.conf (enable IP forwarding)
net.inet.ip.forwarding=1
# vi /etc/rc.local (run static_routes at boot)
/etc/static_routes

Now let's decide which gateway will be the "central" one (in my case it is GW1) and move on to its configuration, assuming that the gateway's network interfaces are already configured like this:


GW1



First of all, let's bring up a dedicated lo1 interface that uniquely identifies the router and is always up:
# vi /etc/hostname.lo1
!ifconfig lo1 create
!ifconfig lo1 192.168.254.1 netmask 255.255.255.255


Now it is the turn of the gif interfaces:
# vi /etc/hostname.gif0
!ifconfig gif0 create
!ifconfig gif0 192.168.255.1 netmask 255.255.255.252 192.168.255.2
!ifconfig gif0 tunnel 11.11.11.1 22.22.22.2
!ifconfig gif0 up

# vi /etc/hostname.gif1
!ifconfig gif1 create
!ifconfig gif1 192.168.255.3 netmask 255.255.255.252 192.168.255.4
!ifconfig gif1 tunnel 11.11.11.1 33.33.33.3
!ifconfig gif1 up


Set the permissions on the interface files:
# chmod 640 /etc/hostname.*

Add routes:
# vi /etc/static_routes
/sbin/route add -host 192.168.254.2 192.168.255.2
/sbin/route add -net 192.168.15.0/24 192.168.255.2

/sbin/route add -host 192.168.254.3 192.168.255.4
/sbin/route add -net 192.168.16.0/24 192.168.255.4


And make the file executable:
# chmod a+x /etc/static_routes

Now configure the firewall:
# vi /etc/pf.conf
ext_if="vic0"
int_if="vic1"
set skip on lo
set skip on gif0
set skip on gif1
match in all scrub (no-df)
match out all scrub (no-df)
match on $ext_if from 192.168.0.0/16 to !192.168.0.0/16 binat-to ($ext_if:0)
block in on $int_if
pass in quick on $int_if from 192.168.0.0/16 to 192.168.0.0/16 keep state
pass out quick on $int_if from 192.168.0.0/16 to 192.168.0.0/16 keep state


This completes the gw1 setup: reboot and move on to the rest.
# reboot

gw1 is ready; now on to gw2 and gw3.

GW2



Everything here is the same, so comments would be superfluous.
# vi /etc/hostname.lo1
!ifconfig lo1 create
!ifconfig lo1 192.168.254.2 netmask 255.255.255.255


# vi /etc/hostname.gif0
!ifconfig gif0 create
!ifconfig gif0 192.168.255.2 netmask 255.255.255.252 192.168.255.1
!ifconfig gif0 tunnel 22.22.22.2 11.11.11.1
!ifconfig gif0 up


# chmod 640 /etc/hostname.*

# vi /etc/static_routes
/sbin/route add -net 192.168.0.0/16 192.168.255.2


# chmod a+x /etc/static_routes

# vi /etc/pf.conf
ext_if="vic0"
int_if="vic1"
set skip on lo
set skip on gif0
match in all scrub (no-df)
match out all scrub (no-df)
match on $ext_if from 192.168.0.0/16 to !192.168.0.0/16 binat-to ($ext_if:0)
block in on $int_if
pass in quick on $int_if from 192.168.0.0/16 to 192.168.0.0/16 keep state
pass out quick on $int_if from 192.168.0.0/16 to 192.168.0.0/16 keep state


# reboot

GW3



# vi /etc/hostname.lo1
!ifconfig lo1 create
!ifconfig lo1 192.168.254.3 netmask 255.255.255.255


# vi /etc/hostname.gif0
!ifconfig gif0 create
!ifconfig gif0 192.168.255.4 netmask 255.255.255.252 192.168.255.3
!ifconfig gif0 tunnel 33.33.33.3 11.11.11.1
!ifconfig gif0 up


# chmod 640 /etc/hostname.*

# vi /etc/static_routes
/sbin/route add -net 192.168.0.0/16 192.168.255.4


# chmod a+x /etc/static_routes

# vi /etc/pf.conf
ext_if="vic0"
int_if="vic1"
set skip on lo
set skip on gif0
match in all scrub (no-df)
match out all scrub (no-df)
match on $ext_if from 192.168.0.0/16 to !192.168.0.0/16 binat-to ($ext_if:0)
block in on $int_if
pass in quick on $int_if from 192.168.0.0/16 to 192.168.0.0/16 keep state
pass out quick on $int_if from 192.168.0.0/16 to 192.168.0.0/16 keep state


# reboot


As a result, we obtain the following scheme:



And now let's see how it works:

Traceroute from the 192.168.14.0/24 network:
# traceroute 192.168.15.2
traceroute to 192.168.15.2 (192.168.15.2), 64 hops max, 40 byte packets
1 192.168.14.1 (192.168.14.1) 0.437 ms 0.215 ms 0.294 ms
2 192.168.255.2 (192.168.255.2) 0.934 ms 0.674 ms 0.646 ms
3 192.168.15.2 (192.168.15.2) 1.107 ms 1.3 ms 0.920 ms
# traceroute 192.168.16.2
traceroute to 192.168.16.2 (192.168.16.2), 64 hops max, 40 byte packets
1 192.168.14.1 (192.168.14.1) 0.356 ms 0.206 ms 0.192 ms
2 192.168.255.4 (192.168.255.4) 0.748 ms 0.666 ms 0.631 ms
3 192.168.16.2 (192.168.16.2) 0.940 ms 0.892 ms 0.843 ms


Traceroute from the 192.168.15.0/24 network:
# traceroute 192.168.14.2
traceroute to 192.168.14.2 (192.168.14.2), 64 hops max, 40 byte packets
1 192.168.15.1 (192.168.15.1) 0.745 ms 0.208 ms 0.294 ms
2 192.168.255.1 (192.168.255.1) 0.768 ms 0.855 ms 0.677 ms
3 192.168.14.2 (192.168.14.2) 0.933 ms 0.830 ms 0.853 ms
# traceroute 192.168.16.2
traceroute to 192.168.16.2 (192.168.16.2), 64 hops max, 40 byte packets
1 192.168.15.1 (192.168.15.1) 0.450 ms 0.207 ms 0.372 ms
2 192.168.255.1 (192.168.255.1) 0.710 ms 1.290 ms 0.711 ms
3 192.168.255.4 (192.168.255.4) 1.243 ms 1.194 ms 1.42 ms
4 192.168.16.2 (192.168.16.2) 1.341 ms 1.445 ms 1.315 ms


Traceroute from the 192.168.16.0/24 network:
# traceroute 192.168.14.2
traceroute to 192.168.14.2 (192.168.14.2), 64 hops max, 40 byte packets
1 192.168.16.1 (192.168.16.1) 0.480 ms 0.222 ms 0.191 ms
2 192.168.255.3 (192.168.255.3) 0.814 ms 0.775 ms 0.715 ms
3 192.168.14.2 (192.168.14.2) 1.168 ms 1.43 ms 0.861 ms
# traceroute 192.168.15.2
traceroute to 192.168.15.2 (192.168.15.2), 64 hops max, 40 byte packets
1 192.168.16.1 (192.168.16.1) 0.458 ms 0.234 ms 0.269 ms
2 192.168.255.3 (192.168.255.3) 0.780 ms 0.642 ms 0.661 ms
3 192.168.255.2 (192.168.255.2) 1.171 ms 0.989 ms 1.11 ms
4 192.168.15.2 (192.168.15.2) 1.519 ms 1.595 ms 1.333 ms
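To check that the interface files and static routes above really produce the paths shown in these traces, here is an added example (my own code, not part of the original article) that models the three gateways' interfaces and routes in Python and reproduces the hop lists; the addresses are the ones used on this page, while the ROUTERS table, next_hop() and trace() are my construction. It also models the BSD behaviour that GW2 and GW3 rely on, where a gateway equal to the router's own gif0 address selects that interface, so packets go to the tunnel peer.

```python
import ipaddress as ip

# Topology transcribed from the article: ifaces = local address -> (prefix length,
# point-to-point peer or None); routes = network -> gateway as given to "route add".
ROUTERS = {
    "GW1": {"lan": "192.168.14.1",
            "ifaces": {"192.168.14.1": (24, None), "192.168.254.1": (32, None),
                       "192.168.255.1": (30, "192.168.255.2"), "192.168.255.3": (30, "192.168.255.4")},
            "routes": {"192.168.254.2/32": "192.168.255.2", "192.168.15.0/24": "192.168.255.2",
                       "192.168.254.3/32": "192.168.255.4", "192.168.16.0/24": "192.168.255.4"}},
    "GW2": {"lan": "192.168.15.1",
            "ifaces": {"192.168.15.1": (24, None), "192.168.254.2": (32, None),
                       "192.168.255.2": (30, "192.168.255.1")},
            "routes": {"192.168.0.0/16": "192.168.255.2"}},  # gateway is gif0's own address
    "GW3": {"lan": "192.168.16.1",
            "ifaces": {"192.168.16.1": (24, None), "192.168.254.3": (32, None),
                       "192.168.255.4": (30, "192.168.255.3")},
            "routes": {"192.168.0.0/16": "192.168.255.4"}},
}
OWNER = {a: r for r, cfg in ROUTERS.items() for a in cfg["ifaces"]}  # address -> router

def next_hop(router, dst):
    """Longest-prefix match; returns the address the packet is handed to next."""
    dst, cfg, cands = ip.ip_address(dst), ROUTERS[router], []
    for addr, (plen, peer) in cfg["ifaces"].items():
        if peer:  # gif is point-to-point: the only directly reachable host is the peer
            cands.append((ip.ip_network(peer + "/32"), peer))
        else:     # LAN (or lo1): hosts inside the prefix are delivered directly
            cands.append((ip.ip_network(f"{addr}/{plen}", strict=False), None))
    for net, gw in cfg["routes"].items():
        # BSD behaviour relied on by GW2/GW3: a gateway that is our own gif address
        # means "send out that interface", i.e. to the tunnel peer
        peer = cfg["ifaces"].get(gw, (None, None))[1]
        cands.append((ip.ip_network(net), peer or gw))
    best = max((c for c in cands if dst in c[0]), key=lambda c: c[0].prefixlen, default=None)
    if best is None:
        raise LookupError(f"{router}: no route to {dst}")
    return best[1] or str(dst)

def trace(src_gw, dst, max_hops=8):
    """Hop addresses a traceroute from a LAN host behind src_gw would report."""
    dst = ip.ip_address(dst)
    hops, router = [ROUTERS[src_gw]["lan"]], src_gw  # hop 1: the host's default gateway
    while len(hops) < max_hops:
        nh = next_hop(router, dst)
        hops.append(nh)  # each router answers from the interface the probe arrived on
        if ip.ip_address(nh) == dst:
            return hops
        router = OWNER[nh]
    raise RuntimeError(f"hop limit exceeded tracing to {dst}")
```

trace("GW2", "192.168.16.2") yields the four hops of the second trace from 192.168.15.0/24, and a destination outside 192.168.0.0/16 raises LookupError on GW1, which has no default route in this model.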


Well, it seems that everything works. Of course, the gif tunnels carry traffic in the clear, so you could still layer IPsec on top of them, but that is a topic for another article.

Source: https://habr.com/ru/post/117668/

