I have been running OpenBSD as my home "router" for a couple of years
now and everything has worked well thus far. However, this evening I
added a second network interface to my router because I would like to
add some hosts for testing on a separate network segment and am
running into some difficulties.
My network is configured as follows:
gem0 - DHCP address and link to internet
rl0 - 10.66.66.1/24 - original home network segment
rl1 - 10.66.67.1/24 - new test network segment
From a host on the 10.66.66.1/24 network I am able to connect to
10.66.67.1 but to no other host on that network segment. However, I am
able to connect to any host on this segment from my OpenBSD router.
Here is my pf.conf:
#pf.conf jcsmith 2011-12-04
#macros
int_if0="rl0" #internal network interface for home network 10.66.66.0/24
int_if1="rl1" #internal network interface for test network 10.66.67.0/24
ext_if="gem0" #external (internet) network interface
allowed_services = "{ ssh }"
allowed_icmp = "{ echoreq, unreach }"
#options
set block-policy return
set loginterface $ext_if
set skip on lo
#match rules for nat
match out on egress inet from !(egress) to any nat-to (egress:0) scrub (no-df max-mss 1440)
#filter rules
block in log #block all incoming traffic
antispoof quick for { $int_if0 $ext_if $int_if1 } label AntiSpoofFailed
pass in on $int_if0 # pass all incoming traffic on our internal interface
pass in on $int_if1 # pass all incoming traffic on our internal interface from the test network
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $allowed_services # allow selected services in from the net
pass in on $ext_if inet proto icmp all icmp-type $allowed_icmp # allow some icmp traffic in from the net
pass out quick # allow outgoing traffic
I'm sure I'm just missing a quick setting in my pf configuration or
somewhere else on the box.
Any help is greatly appreciated.
Thanks,
--
Josh Smith
KD8HRX
email/jabber: [email protected]
phone: 304.237.9369(c)
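A diagnostic script, added here as an example and not part of Josh's post. The pf.conf above is already permissive between rl0 and rl1 (pass in on both internal interfaces, pass out quick everywhere), so the checks worth running on the router are whether net.inet.ip.forwarding is on, whether the kernel actually routes the test hosts out rl1, and whether pflog shows pf blocking traffic between the two segments. The interface names are taken from the post; 10.66.67.10 as a test host and the sample command outputs are my assumptions, constructed in the shape that OpenBSD's sysctl(8), route(8) and tcpdump(8) print so the parsing helpers can be run on a box that is not the router.

```sh
#!/bin/sh
# Added example for the two-LAN OpenBSD router above; not part of the original post.
# Checks the usual suspects behind "hosts reach 10.66.67.1 but nothing behind it":
# IP forwarding, the kernel route to the test segment, and pf blocks in pflog.
# Interface names come from the post; the sample outputs below are constructed
# (not captured) so the parsing helpers can be exercised away from the router.

INT_IF1=rl1            # test network segment, 10.66.67.0/24
TEST_HOST=10.66.67.10  # assumed address of one test host (not from the post)

# forwarding_enabled OUTPUT: OUTPUT is what `sysctl net.inet.ip.forwarding`
# prints. Succeeds only if forwarding is switched on.
forwarding_enabled() {
    [ "$1" = "net.inet.ip.forwarding=1" ]
}

# route_via_iface OUTPUT IFACE: OUTPUT is what `route -n get <host>` prints.
# Succeeds if the kernel would send packets for that host out IFACE.
route_via_iface() {
    printf '%s\n' "$1" |
        awk -v want="$2" '$1 == "interface:" && $2 == want { found = 1 }
                          END { exit !found }'
}

# blocked_between LOG: LOG is `tcpdump -n -e -ttt -r /var/log/pflog` output.
# Prints how many logged blocks have both endpoints in 10.66.66.0/24 or
# 10.66.67.0/24, i.e. LAN-to-LAN traffic that pf refused.
blocked_between() {
    printf '%s\n' "$1" |
        grep -c 'block .* 10\.66\.6[67]\.[0-9.]* > 10\.66\.6[67]\.' || :
}

# Constructed sample output in the shape the OpenBSD tools produce.
SYSCTL_SAMPLE='net.inet.ip.forwarding=1'
ROUTE_SAMPLE='   route to: 10.66.67.10
destination: 10.66.67.0
       mask: 255.255.255.0
  interface: rl1
 if address: 10.66.67.1
   priority: 4 (connected)
      flags: <UP,DONE,CLONING>'
PFLOG_SAMPLE='Dec 04 21:10:03.201345 rule 2/(match) block in on rl1: 10.66.67.10 > 10.66.66.5: icmp: echo reply
Dec 04 21:10:05.118220 rule 2/(match) block in on gem0: 203.0.113.7.44521 > 198.51.100.2.22: S 1:1(0) win 65535
Dec 04 21:10:09.551007 rule 2/(match) block in on rl1: 10.66.67.10.22 > 10.66.66.5.51234: S 1:1(0) ack 1 win 16384'

# live_checks: run the real commands on the router (needs pfctl present).
live_checks() {
    command -v pfctl >/dev/null 2>&1 || {
        echo "pfctl not found; run this on the OpenBSD router" >&2
        return 2
    }
    if forwarding_enabled "$(sysctl net.inet.ip.forwarding)"; then
        echo "forwarding: on"
    else
        echo "forwarding: OFF -> sysctl net.inet.ip.forwarding=1"
    fi
    if route_via_iface "$(route -n get "$TEST_HOST")" "$INT_IF1"; then
        echo "route to $TEST_HOST: out $INT_IF1"
    else
        echo "route to $TEST_HOST: NOT out $INT_IF1 (check the netmask on $INT_IF1)"
    fi
    echo "loaded rules:"
    pfctl -sr
    echo "LAN-to-LAN blocks in pflog: $(blocked_between "$(tcpdump -n -e -ttt -r /var/log/pflog 2>/dev/null)")"
}

case "${1:-}" in
    live) live_checks ;;
    *)
        # Offline demonstration against the constructed samples.
        forwarding_enabled "$SYSCTL_SAMPLE" && echo "sample forwarding: on"
        route_via_iface "$ROUTE_SAMPLE" "$INT_IF1" && echo "sample route: out $INT_IF1"
        echo "sample LAN-to-LAN blocks: $(blocked_between "$PFLOG_SAMPLE")"
        ;;
esac
```

Run it as `sh diag.sh live` on the router; with no argument it only exercises the parsers against the built-in samples. If forwarding is on, the route to the test host goes out rl1 and pflog shows no LAN-to-LAN blocks, the router is not refusing anything and the next place to look is the test hosts themselves: a host on 10.66.67.0/24 with no default route (or at least no route for 10.66.66.0/24) via 10.66.67.1 receives the packets but cannot answer, which is the usual cause of reaching the router's own address but nothing behind it.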