Hi Max,

> You are supposed to have a NAT rule somewhere. Please let us know the complete
> ruleset (including translation rules) and include match counters so that
> people can figure if a certain rule is matched at all (pfctl -vv -sn -sr).

This was my complete ruleset, as I switched from my default ruleset in order
to debug the problem.

ext_if="ed0"
int_if="vr0"
tun_if="tun0"
internal_net="192.168.0.0/24"

set loginterface $tun_if

#nat on $tun_if from $internal_net to any -> ($tun_if)

#default block
block return log-all

pass on $tun_if
pass on $ext_if
pass on $int_if

--------------------------------------
pfctl -vv -sn -sr

@0 block return log-all all
  [ Evaluations: 2171      Packets: 1130      Bytes: 69021       States: 0     ]
@1 pass on tun0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@2 pass on ed0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@3 pass on vr0 all
  [ Evaluations: 2171      Packets: 1041      Bytes: 65738       States: 0     ]

> Make sure that the NAT rule has dynamic address tracking (as I think you get a
> dynamic IP from your ISP). The rule should look something like:
> nat on tun0 from $internalnet to any -> (tun0)

I use the NAT from ppp, but I think that this is not related, as the problem
occurs at (or better: also at) the firewall (i386 FreeBSD 5.3-STABLE of
yesterday). The firewall itself (and everything behind it) cannot connect over
ppp to external servers when the default block rule is activated. When I
deactivate the rule, everything runs smoothly.

> Also note, that we have a pf related mailinglist on FreeBSD, called
> [EMAIL PROTECTED] You might want to subscribe and take the discussion
> there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf

Thanks, I will subscribe. Should we move this discussion from the
freebsd-centrinc mailing list?

Jonathan Weiss
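A small parser for the `pfctl -vv -sr` counter output Max asked for, added here as an example that is not from either poster: it reads each rule line together with its `[ Evaluations: ... ]` counter line, lists the rules that pf evaluated but that never matched a packet (the two pass rules on tun0 and ed0 in the output above), and checks `pfctl -sn` lines for the parenthesised dynamic-address form Max recommends. The rule sample is constructed from the four rules in the post; the NAT sample lines are constructed as well; the class and function names (`PfRule`, `parse_pfctl_rules`, `unmatched_rules`, `nat_translation`, `static_nat_rules`) are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the four rules from the post, laid out the way
# `pfctl -vv -sr` prints them (rule line, then an indented counter line).
SAMPLE_RULE_OUTPUT = """\
@0 block return log-all all
  [ Evaluations: 2171      Packets: 1130      Bytes: 69021       States: 0     ]
@1 pass on tun0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@2 pass on ed0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@3 pass on vr0 all
  [ Evaluations: 2171      Packets: 1041      Bytes: 65738       States: 0     ]
"""

# Constructed sample for `pfctl -sn`: one rule with dynamic address tracking
# (the parenthesised form) and one with a fixed translation address.
SAMPLE_NAT_OUTPUT = """\
nat on tun0 from 192.168.0.0/24 to any -> (tun0)
nat on tun0 from 192.168.1.0/24 to any -> 203.0.113.7
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
NAT_RE = re.compile(r"^nat\s+on\s+(\S+)\b.*->\s*(\S+)")


@dataclass
class PfRule:
    number: int
    text: str          # the rule as pfctl prints it, e.g. "pass on tun0 all"
    evaluations: int
    packets: int
    bytes: int
    states: int

    @property
    def action(self) -> str:
        return self.text.split()[0]


def parse_pfctl_rules(output: str) -> List[PfRule]:
    """Parse `pfctl -vv -sr` output into PfRule records.

    Handles the native two-line layout and also the case where a mail
    client has reflowed the counter line onto the rule line.
    """
    rules: List[PfRule] = []
    pending: Optional[Tuple[int, str]] = None  # rule waiting for its counters
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            number, rest = int(m.group(1)), m.group(2)
            c = COUNTER_RE.search(rest)
            if c:  # counters were joined onto the rule line
                text = rest[:c.start()].rstrip(" [")
                rules.append(PfRule(number, text, *map(int, c.groups())))
                pending = None
            else:
                pending = (number, rest.strip())
            continue
        c = COUNTER_RE.search(line)
        if c and pending is not None:
            rules.append(PfRule(pending[0], pending[1], *map(int, c.groups())))
            pending = None
    return rules


def unmatched_rules(rules: List[PfRule]) -> List[PfRule]:
    """Rules pf evaluated but that never matched a packet. For a pass rule this
    is the first thing to check: wrong interface name, wrong direction, or
    traffic that never reaches pf on that interface at all."""
    return [r for r in rules if r.evaluations > 0 and r.packets == 0]


def nat_translation(nat_rule: str) -> Optional[Tuple[str, str, bool]]:
    """Return (interface, translation target, dynamic) for one `pfctl -sn` line.
    dynamic is True when the target is in parentheses, i.e. pf re-reads the
    interface address as it changes, which a dialup ppp link needs."""
    m = NAT_RE.match(nat_rule)
    if not m:
        return None
    iface, target = m.groups()
    dynamic = target.startswith("(") and target.endswith(")")
    return iface, target.strip("()"), dynamic


def static_nat_rules(nat_output: str) -> List[str]:
    """NAT rules whose translation address is fixed rather than tracked."""
    bad = []
    for line in nat_output.splitlines():
        info = nat_translation(line)
        if info is not None and not info[2]:
            bad.append(line)
    return bad


if __name__ == "__main__":
    rules = parse_pfctl_rules(SAMPLE_RULE_OUTPUT)
    for r in rules:
        print(f"@{r.number} {r.text}: {r.packets} packets / {r.evaluations} evaluations")
    for r in unmatched_rules(rules):
        print(f"never matched: @{r.number} {r.text}")
    for line in static_nat_rules(SAMPLE_NAT_OUTPUT):
        print(f"no dynamic address tracking: {line}")
```

Run against the counters in the post it reports `@1 pass on tun0 all` and `@2 pass on ed0 all` as evaluated 2171 times with zero matches, which is exactly the kind of "is this rule ever hit" question the match counters are meant to answer before anyone starts rewriting the ruleset.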
