From: Geoff Roberts <geoff@apro.com.au>
Organization: Australian Projects
To: "Michael K. Smith"
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Wed, 24 Dec 2008 04:21:01 +1100
Subject: Re: How can I link two separate internal networks to two separate external networks
Message-Id: <200812240421.01966.geoff@apro.com.au>

Hi Mike,

On Tue, 23 Dec 2008 04:14:51 am you wrote:
> I think this will work. Let's assume:
>
> $vlan10_if -> macro for your tagged VLAN 10 interface
> $vlan20_if -> macro for your tagged VLAN 20 interface
> $vlan50_if -> macro for your tagged VLAN 50 interface
> $vlan60_if -> macro for your tagged VLAN 60 interface
> $vlan50_gw = 10.10.10.9
> $vlan60_gw = 10.10.10.13
>
> pass in on $vlan10_if route-to ($vlan50_if $vlan50_gw) from any to any
> pass in on $vlan20_if route-to ($vlan60_if $vlan60_gw) from any to any
>
> That would be in conjunction with your NATs and any RDRs as well.

Spot on! Thanks for that, it worked like a charm. I have a couple more questions below.

Firstly, just for completeness, I've listed what the NAT and RDRs look like for others that may be interested.

  $vlan10_server -> macro for IP address of server on vlan10

  # translate VLAN 10 traffic behind the VLAN 50 upstream address
  nat on $vlan50_if proto { tcp udp icmp } from $vlan10_if to any -> ($vlan50_if)
  # forward port 80 arriving on the VLAN 50 address to the VLAN 10 server
  rdr on $vlan50_if proto tcp from any to ($vlan50_if) port 80 -> $vlan10_server port 80
  pass in on $vlan50_if inet proto tcp from any to $vlan10_server port 80
  pass out on $vlan50_if inet proto { tcp udp icmp } from ($vlan50_if) to any

Remaining questions:

a) I found I didn't need a reply-to statement on the redirect for the vlan50 interface above. Could someone elaborate or point to a URL that might help explain a little more why this wasn't needed and in what circumstance I might need a reply-to statement? There isn't much about reply-to in the pf pdf. Since my default route is on vlan60 as opposed to vlan50 where the redirect is, you'd think I need a reply-to at first glance. Is the single route-to (pass in on $vlan10_if route-to ($vlan50_if $vlan50_gw) from any to any) covering me here? If I had a redirect such as:

  rdr on $vlan50_if proto tcp from any to ($vlan50_if) port 80 -> $vlan20_server port 80

would I need a reply-to?

b) I've also found I needed to assign IP addresses (doesn't matter what they are) to the actual interfaces the VLANs sit on within the FreeBSD box (int0 and ext0). If not, things don't appear to work. Should this be necessary, and if so why? If I shouldn't need IP addresses on the actual interfaces themselves I've probably mucked up something else in the pf rules :)

For example:

        ext0 (192.168.1.1)
               |
        ---------------
        |             |
      vlan50        vlan60

Thanks again for your help,

Geoff
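The following pf.conf is an added example that is not part of the thread; it assembles the route-to, nat and rdr rules discussed above into one ruleset and adds pf's documented reply-to option on the inbound rules for the redirected servers, which is the mechanism pf provides for sending a connection's replies back through the interface and gateway it arrived on rather than through the default route. The gateway addresses are the ones Mike gave; the interface names, server addresses and the use of $vlan10_if:network and $vlan20_if:network (so that the whole subnet is translated, not only the router's own address on that VLAN) are assumptions for illustration.

```pf
# Added example (not from the thread). Interface names, server addresses and
# the :network form are assumptions; the gateway addresses come from the thread.

vlan10_if = "vlan10"            # tagged VLAN 10, internal
vlan20_if = "vlan20"            # tagged VLAN 20, internal
vlan50_if = "vlan50"            # tagged VLAN 50, upstream for VLAN 10
vlan60_if = "vlan60"            # tagged VLAN 60, upstream for VLAN 20 (default route)
vlan50_gw = "10.10.10.9"
vlan60_gw = "10.10.10.13"
vlan10_server = "192.168.10.80" # constructed
vlan20_server = "192.168.20.80" # constructed

# Translation: each internal VLAN is hidden behind its own upstream address.
nat on $vlan50_if inet proto { tcp udp icmp } from $vlan10_if:network to any -> ($vlan50_if)
nat on $vlan60_if inet proto { tcp udp icmp } from $vlan20_if:network to any -> ($vlan60_if)

# Port 80 on each upstream address is redirected to the server on the
# internal VLAN that belongs to that upstream.
rdr on $vlan50_if inet proto tcp from any to ($vlan50_if) port 80 -> $vlan10_server port 80
rdr on $vlan60_if inet proto tcp from any to ($vlan60_if) port 80 -> $vlan20_server port 80

# Outbound policy routing (Mike's rules, narrowed to each VLAN's own subnet):
# VLAN 10 leaves via VLAN 50, VLAN 20 leaves via VLAN 60, whatever the
# kernel's default route says.
pass in on $vlan10_if route-to ($vlan50_if $vlan50_gw) inet from $vlan10_if:network to any
pass in on $vlan20_if route-to ($vlan60_if $vlan60_gw) inet from $vlan20_if:network to any

# Inbound to the redirected servers. reply-to records, in the state created
# by this rule, the interface and gateway to use for the reply direction, so
# a request that entered on vlan50 is answered via vlan50 even though the
# default route points at vlan60. Replies match this state and never reach
# the route-to rules above.
pass in on $vlan50_if reply-to ($vlan50_if $vlan50_gw) inet proto tcp from any to $vlan10_server port 80
pass in on $vlan60_if reply-to ($vlan60_if $vlan60_gw) inet proto tcp from any to $vlan20_server port 80

# Let the translated traffic out of each upstream interface.
pass out on $vlan50_if inet proto { tcp udp icmp } from ($vlan50_if) to any
pass out on $vlan60_if inet proto { tcp udp icmp } from ($vlan60_if) to any
```

With a ruleset like this, a request redirected from the vlan50 address to a server on VLAN 20 (the second rdr case asked about in (a), here the vlan60 one is shown instead) is handled the same way: the reply-to on the pass in rule, not the server's VLAN or the default route, decides which upstream the reply leaves by. Checking the file with pfctl -nf /etc/pf.conf before loading it catches syntax slips in the macro and :network forms.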