Sorry for dredging up this issue again, but it appears I don't have the solution after all. For anyone that missed my previous post, I'm trying to pass broadcast traffic from a wireless segment to a wired one. All other traffic works fine, but I'd like to get SMB/NMB browsing working for this installation.

The wireless client sends all traffic via IPsec to the OpenBSD 3.3 gateway (including LAN traffic). For the time being, I'm ignoring enc0 and only filtering/keeping state on $int_if for ESP and UDP/500. This works great for TCP/UDP. I use the following NAT rules to forward traffic from gateway back to the wired segment:

    nat on $int_if from $int_net to $int_net -> ($int_if)
    no nat on $int_if from ($int_if) to $int_net

And the filtering:

    pass in quick on $int_if proto esp from $int_net to ($int_if) keep state
    pass in quick on $int_if proto udp from $int_net to ($int_if) port 500 keep state

Unfortunately, traffic destined for the broadcast address (192.168.0.255) is not being translated on $int_if and passed on. It simply disappears. I've dumped the traffic on enc0, $int_if, and the target server on the wired segment to confirm this.

I've tried to NAT and filter on enc0, but I'm not seeing any improvement. I'm mildly confused as to the activity that occurs when a packet comes across $int_if versus enc0. What interface is preferred for filtering/redirection? I believe that I read it somewhere in the manpages to avoid filtering on both, but I'm still foggy on the technical details.

Due to its nature, I would imagine that broadcast traffic is inherently difficult to keep state on (if not impossible). Is this why PF appears to be dropping these packets? Is there anything that can be done with any of the *route* options? Any ideas at all?

TIA,

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
