Turns out the problem had nothing to do with OpenBSD.

For some reason one of the DSM routers (ZyXEL P-2601HN-F1)
needed an explicit static return route, while the other
(FRITZ!Box Fon WLAN 7360) didn't.

Everything works fine after adding the return route.

Many thanks to everybody who responded!

        Julf

On 14/01/13 18:36, Johan Helsingius wrote:
> My firewall box has 3 net interfaces:
> 
> 
> em0 (internal network):
>         inet 172.24.42.254 netmask 0xffffff00 broadcast 172.24.42.255
> em1 (internet):
>         inet 172.24.40.3 netmask 0xfffffc00 broadcast 172.24.43.255
> em2 (wifi sandbox):
>         inet 172.24.42.223 netmask 0xffffffc0 broadcast 172.24.42.255
> 
> Attached to em1 I have 2 ADSL modems, 172.24.40.1 and 172.24.40.2
> 
> Default route (set through /etc/mygate) is 172.24.40.1
> 
> The firewall itself can reach both ADSL modems, but machines on
> the internal network can only reach 172.24.40.1. Here are
> traceroutes from a host inside the em0 network:
> 
> traceroute to 172.24.40.1 (172.24.40.1), 30 hops max, 60 byte packets
>  1  172.24.42.254 (172.24.42.254)  0.598 ms  0.685 ms  0.787 ms
>  2  172.24.40.1 (172.24.40.1)  1.568 ms  1.560 ms  1.719 ms
> 
> traceroute to 172.24.40.2 (172.24.40.2), 30 hops max, 60 byte packets
>  1  172.24.42.254 (172.24.42.254)  1.251 ms  1.243 ms  1.235 ms
>  2  * * *
> 
> This is with pf disabled.
> 
> As the packets do reach the firewall on em0, shouldn't they be
> forwarded to em1? (yes, net.inet.ip.forwarding=1)
> 
> Any advice/ideas/guidance appreciated...
> 
>       Julf
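
An added illustration, not part of the original thread: the script below takes the three interface addresses quoted above, shows that their connected networks overlap, and runs a longest-prefix-match lookup to show what a static return route changes on a device attached to the em1 segment. The modem routing table (including its /22 LAN mask), the `wan` and `on-link` labels, and the host 172.24.42.10 are assumptions made for the example; the thread does not show the modems' configuration.

```python
import ipaddress

# Interface addresses and netmasks as quoted in the original message.
FIREWALL_IFACES = {
    "em0": ipaddress.ip_interface("172.24.42.254/255.255.255.0"),
    "em1": ipaddress.ip_interface("172.24.40.3/255.255.252.0"),
    "em2": ipaddress.ip_interface("172.24.42.223/255.255.255.192"),
}


def overlapping_pairs(ifaces):
    """Return sorted (a, b) name pairs whose connected networks overlap."""
    names = sorted(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network.overlaps(ifaces[b].network)]


def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific matching route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def modem_table(with_return_route):
    """Hypothetical modem routing table (assumed /22 LAN mask, same as em1)."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "wan"),
        (ipaddress.ip_network("172.24.40.0/22"), "on-link"),
    ]
    if with_return_route:
        # Static return route: internal network via the firewall's em1 address.
        table.append((FIREWALL_IFACES["em0"].network, "172.24.40.3"))
    return table


if __name__ == "__main__":
    host = "172.24.42.10"  # constructed internal host address
    print("overlaps:", overlapping_pairs(FIREWALL_IFACES))
    print("without return route:", lookup(modem_table(False), host))
    print("with return route:   ", lookup(modem_table(True), host))
```

Under these assumptions, a reply to an internal host is treated as on-link (resolved directly on the modem's LAN) until the more specific /24 route sends it to the firewall at 172.24.40.3.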
