Basically I am just trying to verify whether I actually do need the match out statements in pf.conf in order for both sides on each network card to talk to each other. Say I do not, and it should all just work; does the fact that it does not work suggest that I most likely have a routing issue?
best regards,
D

On May 17, 2011, at 9:29 PM, David Gwynne wrote:

> hey david,
>
> pf is run twice on packets going through a box, once before the network stack
> and again as it leaves it. this means you have to allow a packet in one side
> as well as when it goes out the other.
>
> dlg
>
> On 17/05/2011, at 10:16 PM, David Schulz wrote:
>
>> Hi all,
>>
>> I have a LAN within a LAN and the setup is as follows:
>>
>> 192.168.1.0/24 <-- OpenBSD 4.9 Router with 2 NICs --> 10.1.0.0/21
>>
>> My goal is to get both sides talking to each other (let's start with making
>> them be able to ping each other). I got it working by using the following
>> pf.conf, however I thought I should not need to have those match out
>> statements, because OpenBSD routes packets between interfaces by default as
>> long as sysctl net.inet.ip.forwarding=1 is set.
>>
>> From inside my OpenBSD box I can ping devices on either side just fine. From a
>> machine sitting on either side, I can ping the OpenBSD box just fine. But I
>> simply cannot get side A machines to talk to side B machines unless I
>> uncomment the two below match out statements inside my pf.conf.
>>
>> If someone could share some insight, I'd be most thankful.
>>
>> regards,
>> D
>>
>> Here is my simplified pf.conf which again does not work unless I uncomment the
>> two match out rules:
>> ++++++++ pf.conf
>> int_if="sis0"
>> ext_if="sis1"
>>
>> icmp_types = "{ echoreq, unreach }"
>>
>> set require-order yes
>> set block-policy return
>> set optimization normal
>> set loginterface $ext_if
>>
>> match in all scrub (no-df)
>>
>> set skip on lo
>>
>> #match out on $int_if from 192.168.1.0/24 to any nat-to ($int_if)
>> #match out on $ext_if from 10.1.0.0/21 to any nat-to ($ext_if)
>>
>> block log all
>>
>> #Simplified for 'making it work purposes'
>> pass out quick
>> pass in quick
>>
>> antispoof quick for { lo0 $int_if $ext_if } inet
>>
>> # allow ICMP
>> pass in quick on { $int_if $ext_if } inet proto icmp all icmp-type $icmp_types keep state
>> ++++++++
>>
>> ++++++++ route -n
>> cndlne001'root(~)> route -n show | grep default
>> default            10.1.3.1           UGS        0    23106     -     8 sis0
>>
>> cndlne001'root(~)> route -n show | grep 192.168.1
>> 192.168.1/24       link#2             UC         2        0     -     4 sis1
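As an added example that is not part of the thread, here is a minimal pf.conf for the two-interface setup described above, written to follow the rule pair dlg describes: one pass for the packet as it comes in on the interface it arrives on, and one for it as it goes out the other interface, with no nat-to at all. The interface names and the two networks are taken from the route output above (sis0 carries the 10.1.0.0/21 side with the default route, sis1 the 192.168.1.0/24 side); the macro names, the decision to restrict forwarding to traffic between exactly those two networks, and the diagnostic commands in the comments are my assumptions, not the original poster's configuration.

```pf
# Added example, not the ruleset from the thread.
# Interface roles taken from the quoted route -n output:
#   sis0 -> 10.1.0.0/21 side (default route via 10.1.3.1)
#   sis1 -> 192.168.1.0/24 side
int_if="sis0"
ext_if="sis1"
int_net="10.1.0.0/21"
ext_net="192.168.1.0/24"

set skip on lo
set block-policy return
set loginterface $int_if

# Normalise everything that comes in, on either interface.
match in all scrub (no-df)

# Default deny, logged, so misses show up on pflog0 (see the note below).
block log all
antispoof quick for { $int_if $ext_if } inet

# Forwarded traffic is evaluated twice: inbound on the interface it arrives
# on and again outbound on the interface it leaves.  Allow both legs in each
# direction.  pass rules keep state by default on this release, so the reply
# packets match the state entry rather than needing their own rules.
# Note there is no nat-to: hosts on each side see the real source address of
# the other side, so each host (or its default gateway) must have a route for
# the far network that points at this box.
pass in  on $int_if inet from $int_net to $ext_net
pass out on $ext_if inet from $int_net to $ext_net
pass in  on $ext_if inet from $ext_net to $int_net
pass out on $int_if inet from $ext_net to $int_net

# Let the router itself reach both sides and be reached from them.
pass out on { $int_if $ext_if } inet from (self) to any
pass in  on { $int_if $ext_if } inet proto icmp to (self) icmp-type { echoreq, unreach }
```

Check it before relying on it: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, and `tcpdump -n -e -ttt -i pflog0` while a host on one side pings a host on the other shows whether the `block log all` rule is the thing dropping the packets, and on which interface and direction. If nothing appears on pflog0 and `pfctl -ss` shows a state for the ICMP echo, pf has passed the packet on both legs and the problem is elsewhere; the usual suspect is that the target host has no route back to the far network through the OpenBSD box, which the commented-out `nat-to` rules in the original ruleset would mask, because after source translation the reply is addressed to the router's own interface address, which the host can reach directly.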