Hi people, I'm having some problems implementing a firewall/router for my company. The firewall has two interfaces, one to the local LAN and one to the ISP's router (static IP). We have local and remote offices, interconnected by a WAN link (Cisco routers). The local office is configured in the 192.168.10.x network, default gateway 192.168.10.100 (the firewall's internal IP); the remote office is configured in the 192.168.20.x network, default gateway 192.168.20.1 (the remote router's internal IP). The local firewall will be providing Internet access to both networks. This is working flawlessly; my problem is the routing between the local and remote office. I want the firewall to route between both networks and the Internet, i.e.:

            INTERNET
               ^
               |
            +----+
            | PF |
            +----+
          .100 |
               |
               |
 LOCAL OFFICE  |                  REMOTE OFFICE
 192.168.10.x  |      +--+   +--+ 192.168.20.x
  --------------------|R1|---|R2|--------------
     |         |   .1 +--+ ^ +--+ .1    |
  .2 |      .3 |           |         .6 |
   +---+     +---+         |          +---+
   |ws1|     |ws2|         |          |ws3|
   +---+     +---+       SERIAL       +---+
                          LINK


Typical ws1 IP configuration:
 IP Address. . . . . . . . . . . . : 192.168.10.2
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 192.168.10.100

Typical ws3 IP configuration:
 IP Address. . . . . . . . . . . . : 192.168.20.6
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 192.168.20.1

netstat -rn on the firewall:

Internet:
Destination        Gateway            Flags     Interface
default            200.13.161.65      UGS       fxp0
127/8              127.0.0.1          UGRS      lo0
127.0.0.1          127.0.0.1          UH        lo0
192.168.10/24      link#2             UC        fxp1
192.168.20/24      192.168.10.1       UGS       fxp1

This is my pf.conf:

###########
## pf.conf
###########

# interfaces
if_net      =  "fxp0"    # internet
if_loc      =  "fxp1"    # local network
ip_pub      =  "($if_net)"  # assumed: public address on fxp0 (not defined in the posted config, but used by the nat rule below)

# groups
table <loc_nets> { 192.168.10.0/24, 192.168.20.0/24 }

# Options
set block-policy drop
scrub in all

# NAT
nat pass on $if_net from <loc_nets> to any -> $ip_pub

# Packet Filtering
# default policy
block log all label "DEFAULT BLOCK:"

# trusted interfaces
pass in quick on lo0 all
pass out quick on lo0 all

## FILTER RULES
pass in  quick on $if_loc from <loc_nets> to any flags S/SA keep state

If I ping from ws1 to ws2 I get "Request timed out". Trying to solve the problem, I added this line to pf.conf:

pass out quick on $if_loc from <loc_nets> to <loc_nets> keep state

Are these lines really necessary, or am I missing something, maybe in sysctl.conf?

Sorry for the endless email, but I wanted to make it clear.
Thanks

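A rule set that makes the office-to-office routing explicit, written here as an added example and not the poster's own configuration. It assumes OpenBSD pf of the same vintage as the posted config, uses `($if_net)` for the NAT address because `$ip_pub` is never defined in the post, and splits TCP from the other protocols because `flags S/SA` restricts a rule to TCP packets, so a rule carrying it never passes an ICMP echo request:

```pf
# /etc/pf.conf (added example; interface and table names follow the posted config)

if_net = "fxp0"          # Internet, static address from the ISP
if_loc = "fxp1"          # local office LAN, firewall is 192.168.10.100
ip_pub = "($if_net)"     # assumption: NAT to whatever address fxp0 carries

table <loc_nets> { 192.168.10.0/24, 192.168.20.0/24 }

set block-policy drop
scrub in all

# Both offices share the single public address.
nat pass on $if_net from <loc_nets> to any -> $ip_pub

# Default deny; "log" sends every dropped packet to pflog0.
block log all label "DEFAULT BLOCK:"

pass in  quick on lo0 all
pass out quick on lo0 all

# Office-to-office traffic enters and leaves on the same interface:
# ws1 -> PF -> R1 (192.168.10.1) -> R2 -> ws3. Explicit rules in both
# directions, so state is created whichever office starts the connection.
pass in  quick on $if_loc from <loc_nets> to <loc_nets> keep state
pass out quick on $if_loc from <loc_nets> to <loc_nets> keep state

# Internet-bound traffic. "flags S/SA" only ever matches TCP, so UDP and
# ICMP (including ping) need a rule of their own.
pass in quick on $if_loc proto tcp from <loc_nets> to any flags S/SA keep state
pass in quick on $if_loc proto { udp, icmp } from <loc_nets> to any keep state
```

Packet forwarding is off by default, so /etc/sysctl.conf also needs `net.inet.ip.forwarding=1` (applied at boot; `sysctl net.inet.ip.forwarding=1` applies it immediately). Check the rule set with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and if a ping still times out, `tcpdump -n -e -ttt -i pflog0` shows exactly which packet the logging block rule dropped and on which interface, while `pfctl -s state` shows whether a state was ever created for it.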