Date:      Mon, 3 Jul 2006 18:42:26 -0400
From:      Mark Moellering <mark@msen.com>
To:        freebsd-questions@freebsd.org
Subject:   3 NIC firewall help
Message-ID:  <200607031842.27083.mark@msen.com>

--Boundary-00=_T1ZqE66ZrHZo+jX
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hello All,

	I have a problem which I think must be simple; I just can't figure out 
exactly what I need to do.  I have a gateway / firewall (FreeBSD 6.1) with 3 
NIC cards.  I just added the third card, rl1, which I have attached to a 
wireless access point.  
	I can ping the access point from the firewall, but not from the rest of the 
internal (wired) network!!??  My wired network is 192.168.1 and the wireless 
access point is currently the default 192.168.0.229.  rl1 is set to 
192.168.0.210
	Attached are the output of netstat -r, and my pf.conf and rc.conf from the firewall/gateway.  
Any and all help is appreciated.

Thanks in advance

Mark Moellering

--Boundary-00=_T1ZqE66ZrHZo+jX
Content-Type: text/plain;
  charset="us-ascii";
  name="firewall_rc.conf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="firewall_rc.conf"


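# -- sysinstall generated deltas -- # Thu May 11 16:26:43 2006
# Created: Thu May 11 16:26:43 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

# Forward IP between bge0, rl0 and rl1: this host is the router for both
# internal segments, so this must stay YES.
gateway_enable="YES"
linux_enable="YES"
moused_enable="YES"
usbd_enable="YES"

#Internal Wired Network
ifconfig_bge0="inet 192.168.1.1  netmask 255.255.255.0"
hostname="Myhostname"

#Wireless Network
# rl1 is this host's address on the 192.168.0.0/24 segment behind the access
# point.  Hosts on that segment (the AP included) need 192.168.0.210 as their
# route back to 192.168.1.0/24; pf cannot supply that for them -- confirm on
# the AP.
ifconfig_rl1="inet 192.168.0.210 netmask 255.255.255.0"

#External Gateway Interface
ifconfig_rl0="DHCP"
# inetd listens on every interface, rl0 included; keep /etc/inetd.conf to the
# services actually needed (presumably ftp-proxy, given the rdr in pf.conf).
inetd_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
# Was "var/log/pflog" -- a relative path, resolved against pflogd's working
# directory instead of /.  Use the absolute path; this is also the value
# /etc/defaults/rc.conf already supplies, so the override is now just explicit.
pflog_logfile="/var/log/pflog"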


--Boundary-00=_T1ZqE66ZrHZo+jX
Content-Type: text/plain;
  charset="us-ascii";
  name="firewall_script"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="firewall_script"

# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# Loaded by pfctl at boot via pf_rules in rc.conf.  pf evaluates rules
# top to bottom and the LAST matching rule wins unless it says "quick",
# so the order below is significant.
#


# macros
# Interfaces, per rc.conf: bge0 = wired LAN 192.168.1.0/24, rl0 = Internet
# side (DHCP), rl1 = wireless segment 192.168.0.0/24 behind the access point.
# "$x:network" below expands to the subnet configured on that interface.
int_if = "bge0"
ext_if = "rl0"
wint_if = "rl1"

# TCP ports this host accepts from the Internet: ssh and ident.
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

# Loopback and RFC1918 space.  192.168.0.0/16 covers BOTH internal segments,
# which is what makes the anti-spoof rules on $ext_if below correct.
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

        
# options
# "return" answers blocked TCP with RST and other IP with ICMP unreachable,
# which is friendlier to internal clients but tells an external scanner the
# host is there; "drop" is the quieter choice on $ext_if.
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
# Both internal segments are hidden behind rl0's current address.
# NOTE(review): there is no NAT between the two internal segments, so the
# access point sees echo requests from 192.168.1.x unchanged and must have a
# route (or default gateway) back via 192.168.0.210; if it does not, pings
# from the wired LAN are forwarded but the replies never come back, which
# matches the symptom described in the mail.  Either fix the AP's routing or
# hide the wired segment with
#   nat on $wint_if from $int_if:network to any -> ($wint_if)
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wint_if:network to any -> ($ext_if)
# Active-mode FTP from wired clients is diverted to ftp-proxy on port 8021
# (presumably started from inetd, hence inetd_enable in rc.conf -- verify
# /etc/inetd.conf).  Wireless clients get no such redirect; add a matching
# "rdr on $wint_if" line if they need FTP.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021


# filter rules
# Default deny in every direction on every interface.
block all

#pass in all

pass quick on lo0 all

# Anti-spoofing on the Internet side: private source addresses never arrive
# from rl0, and private destinations never leave through it.
block drop in on $ext_if from $priv_nets to any
block drop out on $ext_if from any to $priv_nets

# ssh and ident are reachable from any Internet address; restricting the
# source (or at least sshd to key-only auth) limits exposure of port 22.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

#allow access to web server
# NOTE(review): the line after the commented rule is not itself commented.
# pfctl's lexer most likely folds the backslash-newline into the comment, so
# it loads today, but write it as "#   flags S/SA keep state" so that
# dropping the backslash, or uncommenting only the first line, cannot leave a
# stray token and a failed ruleset load.
#pass in on $ext_if inet proto tcp from $XXX to 192.168.1.5 port 80 \
   flags S/SA keep state

# Echo requests are answered on every interface, rl0 included.
pass in inet proto icmp all icmp-type $icmp_types keep state

# Wired segment: anything sourced from 192.168.1.0/24 may enter on bge0 and
# go anywhere (including the wireless segment); replies return via state.
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Wireless segment: same trust as the wired LAN -- wireless hosts reach the
# whole wired network and this host.  With the AP still at its defaults, a
# tighter set here (e.g. only "to any" on $ext_if) would contain a rogue
# wireless client.  Together with the two rules above these already cover
# wired<->wireless traffic in both directions.
pass in on $wint_if from $wint_if:network to any keep state
pass out on $wint_if from any to $wint_if:network keep state

# NOTE(review): a packet arriving on rl1 with a 192.168.1.x source (or on
# bge0 with a 192.168.0.x source) is spoofed, not transit: genuine wired
# traffic enters on bge0 and is passed by the $int_if rule above.  These two
# rules therefore only serve to let such packets through.  Remove them, or
# replace them with "antispoof for { $int_if, $wint_if }"; the cross-segment
# path does not depend on them.
pass in on $wint_if from $int_if:network to any keep state
pass in on $int_if from $wint_if:network to any keep state

# These would only match if a 192.168.1.x destination were routed out rl1 (or
# vice versa), which the routing table in the mail does not do; harmless but
# misleading, and candidates for removal with the pair above.
pass out on $wint_if from any to $int_if:network keep state
pass out on $int_if from any to $wint_if:network keep state

# Outbound to the Internet from this host and NAT'd clients.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# ftp-proxy's active-mode data connections: any inbound TCP on rl0 is
# accepted as long as the local listening socket is owned by user "proxy".
# Broad by design; it relies on nothing else running as that user.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   user proxy keep state

--Boundary-00=_T1ZqE66ZrHZo+jX
Content-Type: text/plain;
  charset="us-ascii";
  name="netstat_output"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="netstat_output"

Script started on Mon Jul  3 18:49:59 2006
> netstat -r=0D=0D
Routing tables=0D
=0D
Internet:=0D
Destination        Gateway            Flags    Refs      Use  Netif Expire=
=0D
default            c-68-61-202-129.hs UGS         0       40    rl0=0D
68.61.202.128/25   link#2             UC          0        0    rl0=0D
c-68-61-202-129.hs 00:05:5f:e9:8c:a9  UHLW        2        0    rl0   1199=
=0D
localhost          localhost          UH          0        0    lo0=0D
192.168.0          link#3             UC          0        0    rl1=0D
192.168.0.229      00:0f:b5:7a:14:82  UHLW        1       10    rl1   1089=
=0D
192.168.1          link#1             UC          0        0   bge0=0D
192.168.1.2        00:09:5b:20:aa:23  UHLW        1       30   bge0   1107=
=0D
=0D
Internet6:=0D
Destination        Gateway            Flags      Netif Expire=0D
localhost.psyberat localhost.psyberat UH          lo0=0D
fe80::%bge0        link#1             UC         bge0=0D
fe80::240:f4ff:fe4 00:40:f4:47:23:54  UHL         lo0=0D
fe80::%rl0         link#2             UC          rl0=0D
fe80::2e0:7dff:fec 00:e0:7d:c1:74:44  UHL         lo0=0D
fe80::%rl1         link#3             UC          rl1=0D
fe80::2e0:7dff:fea 00:e0:7d:a8:78:8e  UHL         lo0=0D
fe80::%lo0         fe80::1%lo0        U           lo0=0D
fe80::1%lo0        link#6             UHL         lo0=0D
ff01:1::           link#1             UC         bge0=0D
ff01:2::           link#2             UC          rl0=0D
ff01:3::           link#3             UC          rl1=0D
ff01:6::           localhost.psyberat UC          lo0=0D
ff02::%bge0        link#1             UC         bge0=0D
ff02::%rl0         link#2             UC          rl0=0D
ff02::%rl1         link#3             UC          rl1=0D
ff02::%lo0         localhost.psyberat UC          lo0=0D
> exit=0D=0D
exit=0D

Script done on Mon Jul  3 18:50:07 2006

--Boundary-00=_T1ZqE66ZrHZo+jX--


