On Sun, Mar 9, 2008 at 3:20 PM, Erik Norgaard [EMAIL PROTECTED] wrote:
erik Wilson wrote:
I'm pulling my hair out here. I've been working on this for days without
any success.
I've whittled the ruleset down to the barest possible rules and even
that
doesn't work. I'm at my wits end. I would really appreciate it if
someone
could show me where i'm being a complete and total moron.
Here's the situation. I have a somewhat unique environment. It consists
of
2 WAN's, an internal LAN, and numerous VLANS (isolated clients, which
need
to be accessible from the internet, but not to each other). This runs in
a
VMWare esx server, but that's not really important.
FreeBSD 7.0-RELEASE
em0 = lan (10.0.0.x)
em2 = WAN1 (y.y.y.y) (dhcp)
em3 = WAN2 (x.x.x.x) (static /28 subnet)
the default gateway is on nic2. nic3 will need to forward ip:port's to
various vlans. nic2 is used for all outbound lan traffic (internet).
nic2
will need to failover to nic3 eventually, and nic3 will have to failover
to
nic2 (for outbound, obviously no choice for inbound).
So here's the problem. I can't even get nic2 or nic3 to respond to a
ping
request from outside my network when pf is enabled. I know the
interfaces
are set up correct, as I can ping the default gateways of both
interfaces.
Also, outbound NAT works perfectly on wan1.
Here's my ruleset.
lan_if=em0
wan1_if=em2
wan2_if=em3
set block-policy return
set skip on lo0
nat on $wan1_if from $lan_if:network to any - ($wan1_if)
block in log
pass out log keep state
pass in log inet proto icmp all icmp-type echoreq keep state
pass in log quick on $lan_if
Looks simple enough, right? Why won't it work? All i want is to get a
ping
from both of the firewalls WAN's from outside the network.
Any ideas?
How about the log?
I'll post some log info as soon as I can bring down the network again to do
some testing.
I know you have cut away a lot of rules, but maybe that just makes
things more confusing. Try to nest your rules in the following order:
direction - interface - protocol - src net - dst net - port/type
You should need no out rules if you have in rules with keep state.
At each branch level make a catchup rule at the end with default action
and quick key word to make sure packets don't spill over and get
matched by other rules.
Good advice, thanks. I'm afraid i've tried so many different options and
variations to get this to work that it's not as pretty as it should be. I
got some of these rules from various examples posted on the web, and tweaked
them into unrecognizability ;) Do you think that Josh is right about
needing a route-to rule for the second WAN interface?
Since you're handing out best practices ;) Is it better to use a nat pass
or rdr pass rule than seperate nat/rdr and pass statements? Why?
I think my biggest frustration is not finding a single place that is
detailed enough about things. I've rad the book of pf, the man pages, the
handbooks, etc.. they all give pieces of the puzzle. Maybe once i master
this i'll work on a pf bible ;)
Hopefully this will help you pin down where things go wrong.
Cheers, Erik
Cheers yourself Erik ;)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]