From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 08:32:06 2008
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3A2CE106568A for ; Mon, 28 Apr 2008 08:32:06 +0000 (UTC) (envelope-from freebsd@violetlan.net)
Received: from mail.violetlan.net (mail.violetlan.net [80.81.242.7]) by mx1.freebsd.org (Postfix) with ESMTP id AAAC48FC2A for ; Mon, 28 Apr 2008 08:32:05 +0000 (UTC) (envelope-from freebsd@violetlan.net)
Received: from mail.violetlan.net (localhost [127.0.0.1]) by mail.violetlan.net (Postfix) with ESMTP id 95E8511460 for ; Mon, 28 Apr 2008 08:58:12 +0100 (BST)
Received: from www.violetlan.net (mbali.violetlan.net [10.0.100.150]) by mail.violetlan.net (Postfix) with ESMTP id 6379511426 for ; Mon, 28 Apr 2008 08:58:12 +0100 (BST)
Received: from 217.41.34.61 (SquirrelMail authenticated user freebsd@violetlan.net) by www.violetlan.net with HTTP; Mon, 28 Apr 2008 08:57:06 +0100 (BST)
Message-ID: <56784.217.41.34.61.1209369426.squirrel@www.violetlan.net>
Date: Mon, 28 Apr 2008 08:57:06 +0100 (BST)
From: "Reinhold"
To: freebsd-pf@freebsd.org
User-Agent: SquirrelMail/1.5.1
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Subject: load balancing and bridging ath0 with re0
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 28 Apr 2008 08:32:06 -0000

Hi

I'm having a bit of a problem with getting my wlan to access the lan. I have created a bridge and it's working, in that both wlan and lan can access the internet perfectly well, but they can't see each other. When I disable pf they can access each other.

The problem is that I'm doing load balancing, so when I disable pf my internet stops working.

Here is my ifconfig:

rl0  -> wan1
rl1  -> wan2
re0  -> lan
ath0 -> wlan

ath0: flags=8943 metric 0 mtu 2290
        ether 00:0b:6b:0b:62:c8
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect )
        status: associated
        ssid something channel 2 (2417 Mhz 11g) bssid 00:0b:6b:0b:62:c8
        authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit TKIP 3:128-bit
        txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250
        roam:rssi11g 7 roam:rate11g 5 protmode CTS burst dtimperiod 1
rl0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:04:a7:09:81:80
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:04:a7:09:81:7f
        media: Ethernet autoselect (100baseTX )
        status: active
re0: flags=8943 metric 0 mtu 1500
        options=98
        ether 00:04:a7:05:88:c0
        media: Ethernet autoselect (1000baseTX )
        status: active
plip0: flags=108810 metric 0 mtu 1500
pflog0: flags=141 metric 0 mtu 33204
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843 metric 0 mtu 1500
        ether 92:52:90:af:3f:07
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: re0 flags=143
        member: ath0 flags=143
ng0: flags=88d1 metric 0 mtu 1485
        inet 111.222.333.444 --> 112.221.331.441 netmask 0xffffffff
ng1: flags=88d1 metric 0 mtu 1485
        inet 22.333.444.555 --> 121.212.313.414 netmask 0xffffffff

And here are my pf rules:

# pass on unfiltered interfaces
#
pass quick on $unfiltered

# default deny
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp

# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if1 inet from any to 255.255.255.255
block in quick on $ext_if2 inet from any to 255.255.255.255

# bruteforce
#
block quick from to any

# block some known-bad ports without logging
#
block return-rst in quick on $ext_if1 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if1 proto udp from any to any port { 137, 138, 139, 1434 }
block return-rst in quick on $ext_if2 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if2 proto udp from any to any port { 137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if1 inet from $unroutable to any
block in log quick on $ext_if2 inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if1 inet from !(ng0) to any
block out log quick on $ext_if2 inet from !(ng1) to any

# OUT GOING ROUTING
#
# HTTPS OVER WAN1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 443 keep state
# SSH OVER WAN1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 4424 keep state
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 22 keep state
# BLA OVER WAN1 for user1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to some-ip-address keep state

#
# LOAD BALANCING
#
# pass all outgoing packets on internal interface
pass out log on $int_if from any to $lan_net
# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any keep state
# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state
# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

I also can't see why or where it's blocking with tcpdump.

Any help will be appreciated.

Regards
Reinhold
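The post above hinges on how pf picks the deciding rule for a packet: rules are evaluated top to bottom, the last matching rule wins, and a matching rule with `quick` ends the evaluation immediately. The following Python script is an added example, not code from the post or from pf itself: it models that evaluation order on a constructed simplification of the LOAD BALANCING section. The macro values ($int_if = bridge0, $lan_net = 192.168.1.0/24, gateway 192.168.1.1) are assumptions read off the ifconfig output; TCP flags, state tracking, and the OUT GOING ROUTING rules are left out because they do not change which rule matches in these cases. Whether bridged frames between re0 and ath0 are actually filtered on bridge0 or on the member interfaces depends on the `net.link.bridge.pfil_bridge` and `net.link.bridge.pfil_member` sysctls, which the post does not show, so the model only illustrates the rule-ordering question, not a diagnosis of this particular machine.

```python
# Added example (not from the original post): a minimal model of pf rule
# evaluation. Last matching rule wins; a matching "quick" rule stops evaluation.
# Macro values below are assumptions taken from the post's ifconfig output.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: str = "any"            # "in", "out" or "any"
    iface: str = "any"                # interface name or "any"
    proto: str = "any"                # "tcp", "udp", "icmp" or "any"
    src: str = "any"                  # CIDR or "any"
    dst: str = "any"                  # CIDR or "any"
    dports: frozenset = frozenset()   # empty set = any destination port
    quick: bool = False               # stop evaluating on match
    route_to: Optional[str] = None    # where route-to would send the packet
    text: str = ""                    # the pf.conf line being modelled

@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: int = 0

def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.iface in ("any", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and _in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst)
            and (not rule.dports or pkt.dport in rule.dports))

def evaluate(rules, pkt: Packet) -> Optional[Rule]:
    """Return the rule that decides pkt: last match wins, 'quick' short-circuits."""
    decided = None
    for rule in rules:
        if matches(rule, pkt):
            decided = rule
            if rule.quick:
                break
    return decided

INT_IF, LAN_NET, GW_ADDR = "bridge0", "192.168.1.0/24", "192.168.1.1/32"  # assumed
WAN = "round-robin ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2)"

# Constructed approximation of the post's default deny + LOAD BALANCING rules.
POSTED_RULES = (
    Rule("block", text="block log"),
    Rule("pass", "out", INT_IF, dst=LAN_NET,
         text="pass out log on $int_if from any to $lan_net"),
    Rule("pass", "in", INT_IF, src=LAN_NET, dst=GW_ADDR, quick=True,
         text="pass in quick on $int_if from $lan_net to $int_if"),
    Rule("pass", "in", INT_IF, "tcp", LAN_NET, route_to=WAN,
         text="pass in on $int_if route-to {...} round-robin proto tcp from $lan_net to any keep state"),
    Rule("pass", "in", INT_IF, "udp", LAN_NET, route_to=WAN,
         text="pass in on $int_if route-to {...} round-robin proto udp from $lan_net to any keep state"),
    Rule("pass", "in", INT_IF, "icmp", LAN_NET, route_to=WAN,
         text="pass in on $int_if route-to {...} round-robin proto icmp from $lan_net to any keep state"),
)

# Hypothetical extra rule, placed before the route-to rules, that keeps
# traffic between two hosts on the bridged subnet out of the load-balancing path.
LOCAL_PASS = Rule("pass", "in", INT_IF, src=LAN_NET, dst=LAN_NET, quick=True,
                  text="pass in quick on $int_if from $lan_net to $lan_net")
AMENDED_RULES = POSTED_RULES[:3] + (LOCAL_PASS,) + POSTED_RULES[3:]

def deciding_rule_text(rules, pkt: Packet) -> str:
    rule = evaluate(rules, pkt)
    return rule.text if rule else "no match"

def route_to_of(rules, pkt: Packet) -> Optional[str]:
    rule = evaluate(rules, pkt)
    return rule.route_to if rule else None

if __name__ == "__main__":
    # Constructed packet: wired host .10 opening an HTTP connection to wireless host .20.
    lan_to_wlan = Packet(INT_IF, "in", "tcp", "192.168.1.10", "192.168.1.20", 80)
    for name, rules in (("posted", POSTED_RULES), ("amended", AMENDED_RULES)):
        print(f"{name:8s} -> {deciding_rule_text(rules, lan_to_wlan)}")
        print(f"{'':8s}    route-to: {route_to_of(rules, lan_to_wlan)}")
```

Run stand-alone, the script prints which rule decides a LAN-to-WLAN packet under each ruleset. In the posted ordering the `route-to ... from $lan_net to any` rule is the last match for any packet leaving a LAN host, so such a packet is a pass with a route-to target rather than a block, which is why pflog shows nothing for it; with the quick local-pass rule inserted ahead of it, the same packet is decided before the route-to rules are reached.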