Hi,
> I have set up a 3 leg environment for PF, with one management nic, one
> inline nic, and one nic directly into the firewall.  The desired setup
> is that inline-client traffic would traverse PF, exit via the firewall
> nic, thus being forced to traverse the firewall before going anywhere
> else.  Client traffic going via the management vlan is undesirable in
> our case, as we wish to apply firewall acls to inline client traffic
> in the future.
>
> In this setup, the passive mode vlan configuration functions happily.
> Clients in the 'normalVLAN' get to the right place, receive DHCP ok,
> and route as expected.
>
> However, it appears inline-clients only receive return traffic when
> the return route on the firewall is set to return via the management
> nic. This is incorrect as the routes are divergent, but the PF default
> route (and my firewall traffic counters being lopsided) tells me that
> the traffic did leave via the pf-to-firewall nic.  This says to me
> that iptables might need an extra instruction to allow return traffic
> on the 'firewall-vlan' nic.  Is this possible, or have I done
> something else wrong?  Any help (including iptables syntaxes!) would
> be really appreciated!!
Ok.  Normally inline is designed to NAT the traffic on the management 
interface.  Changing this behavior is not simple.

Here is what I would try.

Switch the type=management on your FW interface instead in pf.conf. 
That way the outgoing traffic will go out the right interface.  Now, to 
manage the server itself.  If your PC connects straight from the 
management network to PF, you have nothing to do (no fancy static 
routes) except to adjust the iptables.conf to allow everything on this 
management interface.  Otherwise, add return routes on the PF server. 
Be aware that the inline users won't be able to reach those subnets.

Hope it helps.

-- 
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
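
Added example, not from the original thread or from the PacketFence project: a pf.conf interface fragment that applies the role swap suggested above, declaring the NIC cabled into the firewall as the management interface while the inline NIC stays internal/inline. Interface names and addresses are constructed placeholders.

```ini
# Constructed pf.conf interface sections (not the poster's config).
# Assumed NICs: eth1 = inline client NIC, eth2 = NIC cabled straight into
# the firewall. All addresses below are placeholders.

# Inline client network: PacketFence routes and NATs these clients itself.
[interface eth1]
ip=10.10.10.1
mask=255.255.255.0
type=internal
enforcement=inline

# The firewall-facing NIC now carries the management role, so inline client
# traffic is NATed out of this interface and must cross the firewall before
# going anywhere else, instead of leaving via the management VLAN.
[interface eth2]
ip=192.168.200.2
mask=255.255.255.0
type=management

# The old management NIC (eth0 in this example) keeps its address for admin
# access but no longer holds the management role: allow admin traffic on it
# in iptables.conf, and if admins sit on another subnet add a return route on
# the PF server, e.g.  ip route add 192.168.10.0/24 via 192.168.1.254 dev eth0
# Caveat from the reply: inline clients will not be able to reach subnets
# routed that way, since their traffic is NATed out of eth2 only.
```

The return route in the comment is a plain Linux `ip route` command, not a pf.conf setting; make it persistent with whatever network scripts the PF host uses.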

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
