Hello,
My pf.conf doesn't work for an OpenVPN connection: I don't know why...
My VPN works fine with pf disabled, but when I enable PF... this is the response
PING 192.168.6.102 (192.168.6.102): 56 data bytes
ping: sendto: No route to host
ping: wrote 192.168.6.102 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 192.168.6.102 64 chars, ret=-1
--- 192.168.6.102 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
I dont know what I am doing wrong.
Thsnks in advance,
Helio.
IFCONFIG
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
ne3: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:c0:df:e0:d8:de
media: Ethernet autoselect (10baseT)
inet 192.168.41.101 netmask 0xffffff00 broadcast 192.168.41.255
inet6 fe80::2c0:dfff:fee0:d8de%ne3 prefixlen 64 scopeid 0x1
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:50:04:46:60:06
media: Ethernet autoselect (none)
status: no carrier
inet 192.168.4.102 netmask 0xffffff00 broadcast 192.168.4.255
inet6 fe80::250:4ff:fe46:6006%xl0 prefixlen 64 scopeid 0x2
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 --> 192.168.100.2 netmask 0xffffffff
PF.CONF
# macros
int_if = "xl0"
ext_if = "ne3"
icmp_types = "{ echorep, echoreq, timex, unreach }"
# GATEWAY_A = Machine A External IP
# GATEWAY_B = Machine B External IP
# NETWORK_A = Machine A Internal Network
# NETWORK_B = Machine B Internal Network
GATEWAY_A = "a.b.c.d/32"
GATEWAY_B = "w.x.y.z/32"
NETWORK_A = "192.168.4.0/24"
NETWORK_B = "192.168.6.0/24"
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> $ext_if
pass in quick on $ext_if proto tcp from any to any port=22
# filter rules
block in log on { tun0, ne3} all
block out on { tun0, ne3 } all
pass quick on lo0 all
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type
$icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto { udp, icmp } all keep state
# VPN Rules
# Passing in encrypted traffic from security gateways
pass in quick on $ext_if from $GATEWAY_B to $GATEWAY_A
pass out quick on $ext_if from $GATEWAY_A to $GATEWAY_B
# Need to allow ipencap traffic on enc0.
pass in quick on tun0 all
# Passing in traffic from the designated subnets.
pass in quick on tun0 from $NETWORK_B to $NETWORK_A
pass out quick on tun0 from $NETWORK_A to $NETWORK_B
# Passing in isakmpd(8) traffic from the security gateways
pass in quick on $ext_if proto udp from $GATEWAY_B to $GATEWAY_A port 1194
pass out quick on $ext_if proto udp from $GATEWAY_A to $GATEWAY_B port 1194
Thanks again,
Helio.
