OpenBSD Policy Routing for incoming connections over secondary ISP

Here is an example configuration that lets an OpenBSD firewall with two internet connections answer each incoming connection over the link whose IP address accepted it. This is very useful for OOB (out-of-band) management when you have multiple internet connections to a network, each with a different IP assignment from its provider.

This firewall is connected to a T1 as its primary (default-route facing) internet connection. In addition there is a FIOS connection that terminates in a Cisco ASA. The inside ports of the ASA and the OpenBSD box are on the same LAN. A Cisco 3700 router acts as the internal router that connects to the rest of the network.

$fwinip: inside IP address of the OpenBSD firewall
$int_if: inside interface of the OpenBSD firewall
172.16.8.1: IP address of the Cisco router

All traffic sent to the Cisco router (172.16.8.1) is routed by default out the FIOS connection through the Cisco ASA firewall. A static NAT on the ASA allows incoming SSH on port 2200 to reach the inside IP address of the OpenBSD firewall.

In the event that the T1 is down, we can still SSH into the OpenBSD firewall remotely via the public IP of the FIOS connection and perform troubleshooting and diagnostics on the T1 line (the T1 router is attached to a serial console on the BSD box). Even though the default gateway on the OpenBSD box points out the T1 provider, the reply-to option makes pf send the replies for every SSH connection and ping (ICMP echo request) received through the NAT on the FIOS connection back out the LAN to the Cisco router, which forwards them to the ASA. That is the policy-routing behaviour the reply-to statement provides.

These rules should be placed at the top of pf.conf. Note that the reply-to syntax shown here is the older ($int_if gateway) form; the syntax has changed in later OpenBSD releases, so check pf.conf(5) for the release you run:

# Pings to the firewall's inside address: replies go via the Cisco router, not the default route
pass in quick on $int_if reply-to ($int_if 172.16.8.1) proto icmp to $fwinip keep state
# SSH arriving through the ASA's static NAT on port 2200
pass in quick on $int_if reply-to ($int_if 172.16.8.1) proto tcp to $fwinip port 2200 keep state
# Catch-all for other traffic to the firewall's inside address (no quick: a later matching rule overrides it)
pass in on $int_if reply-to ($int_if 172.16.8.1) to $fwinip keep state
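As an added illustration, not part of the original post, here is a small Python model of how pf picks the winning rule for an inbound packet and where the replies for that state are sent. It goes one step beyond the post: a constructed fourth rule with no reply-to shows that the third rule, which lacks quick, is overridden by any later matching rule, so those replies would leave via the T1 default route instead of going back toward the ASA. The $fwinip and $int_if values are assumed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the post's macros; 172.16.8.1 is the Cisco router.
FWINIP = "172.16.8.254"   # $fwinip (assumed address)
INT_IF = "em1"            # $int_if (assumed interface name)
OOB_GW = "172.16.8.1"     # reply-to next hop toward the ASA / FIOS path
DEFAULT = "routing-table" # replies follow the kernel route (the T1 default)

@dataclass(frozen=True)
class Rule:                         # an inbound "pass in on $int_if" rule
    proto: Optional[str] = None     # None matches any protocol
    dst: Optional[str] = None       # None matches any destination
    port: Optional[int] = None      # None matches any port
    quick: bool = False             # stop evaluation on match
    reply_to: Optional[str] = None  # next hop stored in the state for replies

@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    port: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (None, pkt.proto) and rule.dst in (None, pkt.dst)
            and rule.port in (None, pkt.port))

def reply_next_hop(rules, pkt: Packet) -> str:
    """Where pf sends the replies for pkt: rules are scanned top to bottom,
    the last match wins unless a match carries quick, and the winner's
    reply-to (if any) is attached to the state; otherwise the routing table."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner.reply_to if winner and winner.reply_to else DEFAULT

# The post's three rules, then a constructed later rule (not on the page)
# that a real pf.conf might carry; it overrides the third rule, which lacks quick.
RULES = [
    Rule("icmp", FWINIP, quick=True, reply_to=OOB_GW),
    Rule("tcp", FWINIP, 2200, quick=True, reply_to=OOB_GW),
    Rule(None, FWINIP, reply_to=OOB_GW),
    Rule("tcp", FWINIP, 22),  # constructed: later match, no reply-to
]
```

Running reply_next_hop over RULES with and without the constructed fourth rule shows the difference: with only the post's three rules every reply to $fwinip goes to 172.16.8.1, while the fourth rule silently sends port 22 replies via the routing table.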