I have tried doing a route-to rule but it makes no difference. I set it
up like this:
pass in quick on $ext_if route-to { ( $int_if (IP of host in DMZ) ) } from any to (IP of host in DMZ)
But my router still does not pass the packets on to the host in the DMZ.
I haven't tried a reply-to rule, but I would have thought that the
route-to rule should tell the router to pass all packets with the
destination (IP of host in DMZ) on to (IP of host in DMZ).
For example, even when this route-to rule is active and I try to ping a
host in the DMZ from the outside net, it gets no further than the
router's ext_if.
It seems that any packet that comes into ext_if destined for any IP in
the DMZ does not get any further, even with the route-to rule, which I
don't think is needed as all of the hosts are in the router's routing
table and are on the same network as the router.
Thanks,
Charlie
Daniel Anderson wrote:
Instead of giving you the obligatory "man pf.conf" reply, I will do one better
and reference an old reply I posted to the list with a sample pf.conf where
someone asked basically the same thing. I omitted the part that matters in
this example conf, but explain what you need to insert to get it to fly.
http://marc.info/?l=openbsd-misc&m=120665186412690&w=2
It can all be found in the man page by searching for reply-to or route-to.
This worked for me, so if anybody has got a more elegant means of doing it
they should post.
-----------------
On Monday 20 October 2008 04:20:15 am Charlie Clark wrote:
Hi,
I am trying to set up an OpenBSD router but am having a big problem
getting it to work.
Here is the scenario:
The router has 3 public IPs, with 2 internet connections, and sits just
outside a DMZ. Behind the router there are a number of hosts with public
IPs (DMZ).
All of the interfaces on the router are on different subnets.
Let's say that the 3 interfaces are:
int_if = the interface which is directly connected to the DMZ
ext_if = the first internet connection (NOTE: this ISP is the ISP which
allocated the IPs in the DMZ, so there is no NATing done on this
interface)
ext2_if = the second internet connection (NOTE: there is NATing on this
interface, so everything works fine here)
I have set up aproxyd to answer ARP requests on ext_if for all of the
IPs in the DMZ using the layout:
proxy (IP) (MAC of ext_if)
If I ping any IP on the net from a host in the DMZ and do a tcpdump on
the router at the same time, I can see the packet coming in on int_if, then
going out ext_if, then the reply coming back in on ext_if but then
disappearing. It doesn't seem to be passing the packets, destined for
the hosts in the DMZ, on to them.
Is there something I am missing here?
The filter rules look fine and nothing is being blocked.
I would appreciate any help.
Thanks,
--
Charlie Clark
Network Engineer
Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK
Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/
Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052
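For readers following the thread, the route-to / reply-to pattern Daniel points at, written out as an added example. This is not Charlie's configuration, not the sample from Daniel's linked post, and not a claimed fix for the problem above. Interface names, the two gateway addresses and the DMZ prefix are assumed placeholders (documentation ranges), and the syntax is the pf.conf(5) form of the 2008-era OpenBSD releases that the thread uses (bracketed `( $if $gw )` pools and a separate `nat` rule); later releases changed both the NAT and the route-to syntax, so check the man page for the version in use.

```pf
# Added example, not from the thread. All addresses and interface names are assumed.
int_if  = "em0"               # directly connected to the DMZ
ext_if  = "em1"               # ISP 1: owns the DMZ prefix, no NAT
ext2_if = "em2"               # ISP 2: NATed
ext_gw  = "198.51.100.1"      # ISP 1 next hop (assumed)
ext2_gw = "203.0.113.1"       # ISP 2 next hop (assumed)
dmz_net = "198.51.100.128/25" # public prefix delegated by ISP 1 (assumed)

set skip on lo

# Only traffic that leaves through ISP 2 is translated.
nat on $ext2_if from $dmz_net to any -> ($ext2_if)

block log all

# Connections that arrive via ISP 2 must be answered via ISP 2, otherwise the
# replies would follow the default route out of ISP 1 with ISP 2's address
# as source and be dropped upstream.
pass in on $ext2_if reply-to ($ext2_if $ext2_gw) from any to ($ext2_if)

# DMZ hosts carry ISP 1 addresses, so traffic they originate is pinned to
# ISP 1 regardless of the default route.
pass in on $int_if route-to ($ext_if $ext_gw) from $dmz_net to any
pass out on $ext_if from $dmz_net to any

# Inbound to the DMZ needs no route-to: the prefix is directly connected on
# $int_if and already in the routing table, so plain pass rules are enough.
pass in on $ext_if from any to $dmz_net
pass out on $int_if from any to $dmz_net
```

Two things the rules cannot substitute for when a packet is seen entering one interface and never leaving another, as described in the thread: the kernel must be forwarding at all (`sysctl net.inet.ip.forwarding=1` on OpenBSD), and `pfctl -s states` together with a `tcpdump -ni` on each interface in turn shows whether the packet was dropped by pf (it then also appears on the `pflog0` interface when the rule logs) or never handed to pf on the outbound side.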