Hi Ian,

On 06/13/2012 02:24 PM, Ian Manson wrote:
> Hi All;
> 
> I have set up a 3 leg environment for PF, with one management nic, one
> inline nic, and one nic directly into the firewall.  The desired setup
> is that inline-client traffic would traverse PF, exit via the firewall
> nic, thus being forced to traverse the firewall before going anywhere
> else.  Client traffic going via the management vlan is undesirable in
> our case, as we wish to apply firewall acls to inline client traffic
> in the future.
> 
> In this setup, the passive mode vlan configuration functions happily.
> Clients in the 'normalVLAN' get to the right place, receive DHCP ok,
> and route as expected.
> 
> However, it appears inline-clients only receive return traffic when
> the return route on the firewall is set to return via the management
> nic. This is incorrect as the routes are divergent, but the PF default
> route (and my firewall traffic counters being lopsided) tells me that
> the traffic did leave via the pf-to-firewall nic.  This says to me
> that iptables might need an extra instruction to allow return traffic
> on the 'firewall-vlan' nic.  Is this possible, or have I done
> something else wrong?  Any help (including iptables syntaxes!) would
> be really appreciated!!

When we introduced the inline mode our assumption was that the outside
traffic would be going through management. There's no configuration
option to change that (right now) but since we expose the firewall rules
and allow for permanent changes in it you'll be able to accomplish your
need.

Try adding something like:
-A FORWARD --in-interface <firewall-interface> --match state --state
ESTABLISHED,RELATED --jump ACCEPT

below
%%filter_forward_inline%%

in conf/iptables.conf.

It's much easier to debug iptables when the load is very low and with
something like:

# iptables -L -nv > before
generate traffic that should've passed
# iptables -L -nv > after

$ diff -u before after

But again there might be better alternatives.

Cheers!
-- 
Olivier Bilodeau
[email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)

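As an added illustration of the before/after counter diff suggested above (this is not code from the thread or from PacketFence itself), the script below takes two snapshots of `iptables -L -nv` and prints only the FORWARD rules whose packet counter grew. The two snapshots are constructed sample output, and the interface names are assumed: eth0 management, eth1 inline, eth2 towards the firewall. In the constructed scenario the inline client's outbound packets are counted by the eth1-to-eth2 ACCEPT rule and the same number lands on the catch-all DROP, which is exactly the signature of return traffic arriving on the firewall interface with no ESTABLISHED,RELATED rule to match it.

```shell
#!/bin/sh
# Added example (not PacketFence project code): diff two `iptables -L -nv`
# snapshots and report the rules whose packet counter moved, so you can see
# which FORWARD rule (or the final DROP) the inline clients' traffic hit.
# Interface names are assumed: eth0 management, eth1 inline, eth2 firewall.

# Snapshot taken before generating traffic (constructed sample output).
BEFORE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0
  120  9600 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   40  3200 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Snapshot after the inline client sent 10 packets (constructed sample output):
# the client->firewall rule counted them, and so did the catch-all DROP,
# i.e. the replies coming back in on eth2 had no ACCEPT rule to match.
AFTER='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   50  4000 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0
  120  9600 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   50  4000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# counter_delta BEFORE AFTER
# Prints "+<packets> <rule>" for every rule whose pkts column increased.
# Both snapshots must list the same rules in the same order, which holds as
# long as the rule set is not reloaded between the two `iptables -L -nv` runs.
counter_delta() {
  b=$(mktemp) && a=$(mktemp) || return 1
  printf '%s\n' "$1" > "$b"
  printf '%s\n' "$2" > "$a"
  awk '
    # first file: remember the packet count of every rule line, keyed by line
    NR == FNR { if ($1 ~ /^[0-9]+$/) before[FNR] = $1; next }
    # second file: report the rules whose count went up
    $1 ~ /^[0-9]+$/ && (FNR in before) && $1 > before[FNR] {
      delta = $1 - before[FNR]
      $1 = ""; $2 = ""            # drop pkts/bytes, keep the rule text
      sub(/^ +/, "")
      printf "+%d %s\n", delta, $0
    }' "$b" "$a"
  rm -f "$b" "$a"
}

counter_delta "$BEFORE" "$AFTER"
```

On a live box you would replace the two variables with `$(iptables -L -nv)` captured before and after sending the test traffic; a rule that shows the same delta as the final DROP is the one whose replies are being discarded, and after adding the ESTABLISHED,RELATED rule for the firewall interface the delta should move from DROP to that rule.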
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
