From: Francisco Reyes
To: freebsd-pf@freebsd.org
Date: Tue, 11 Jan 2011 22:05:34 -0500
Subject: Nat + static routes using PF?

I am trying to set up a machine as a gateway. The current setup is:

        T1 192.168.1.1
              |
              |
     ---> Switch <--- users in 192.168.1.0/24
              |
              |
          --\
             FreeBSD Machine
          --/
              |
              |
        Time Warner 192.168.0.1

I am trying to get most of the traffic to go through Time Warner, so I set that as the default gateway. I then have a handful of static routes I set up and want to go through the T1.

I modified the setup at this URL http://www.bsdguides.org/guides/freebsd/networking/ho_router_pf.php and so far have the /etc/pf.conf below.

Machines in the 192.168.1.0/24 subnet are going through Time Warner, but the static routes are failing. Do I need rules for the T1's IP?
Current setup:

    ### macros
    # internal and external interfaces (run 'ifconfig' to find interfaces)
    int_if = "em0"
    ext_if = "re0"

    # ping requests
    icmp_types = "echoreq"

    ### options
    set loginterface $ext_if
    set skip on lo0

    ### Scrub
    scrub in all

    ### nat/rdr
    # NAT traffic from internal network to external network through external
    # interface
    nat on $ext_if from $int_if:network to any -> ($ext_if)

    # allow in ping replies
    pass in inet proto icmp all icmp-type $icmp_types keep state

    # allow all traffic from internal network to internal interface
    pass in on $int_if from $int_if:network to any keep state
    pass out on $int_if from any to $int_if:network keep state

    # allow all traffic out via external interface
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state

Any pointers greatly appreciated.
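For comparison, here is an added example ruleset for the same topology (it is not the poster's configuration and not from the bsdguides page). It assumes the interface names and addresses given in the post, and it adds the pieces the posted file leaves implicit: a default block so every allowed path is an explicit rule, an antispoof rule on the LAN side, and a pass-out rule for forwarded traffic that the routing table sends back out the internal interface toward the T1 router rather than out the Time Warner interface.

```pf
### macros
# interfaces and addresses from the post; adjust to match 'ifconfig'
int_if = "em0"                 # internal LAN, 192.168.1.0/24
ext_if = "re0"                 # Time Warner side, default route
t1_gw  = "192.168.1.1"         # T1 router, reached via the LAN interface
icmp_types = "echoreq"

### options
set loginterface $ext_if
set skip on lo0

### scrub
scrub in all

### nat
# Only traffic leaving via Time Warner is translated here. Packets that the
# static routes hand to the T1 router stay on the 192.168.1.0/24 LAN and keep
# their original source address, so the T1 router sees them unchanged.
nat on $ext_if from $int_if:network to any -> ($ext_if)

### filter
# Default deny, logged: anything not matched by a pass rule below is dropped
# and visible with 'tcpdump -n -e -ttt -i pflog0', which is the quickest way
# to see which forwarding path a rule set is refusing.
block log all

# Drop packets claiming a LAN source address that arrive on another interface.
antispoof for $int_if

# Ping requests (and their replies via state)
pass in inet proto icmp all icmp-type $icmp_types keep state

# LAN clients may start connections through this box
pass in on $int_if from $int_if:network to any keep state

# Replies back to the LAN
pass out on $int_if from any to $int_if:network keep state

# Forwarded packets whose route points at the T1 router: they arrive on
# $int_if and leave on $int_if again, so the outbound side must be passed
# explicitly once a default block is in place.
pass out on $int_if from $int_if:network to any keep state

# Everything leaving via Time Warner
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Note that pf only filters and translates; which next hop a packet takes is decided by the kernel routing table, so the default route (Time Warner) and the per-destination routes via $t1_gw are configured in /etc/rc.conf (defaultrouter, static_routes and gateway_enable), not in pf.conf. After loading with 'pfctl -f /etc/pf.conf', 'pfctl -sr' shows the expanded rules and 'pfctl -ss' the states, which together show whether a connection toward a T1-routed destination was passed on the way in and on the way back out of $int_if.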