From owner-freebsd-questions@FreeBSD.ORG Sun Mar 9 13:47:00 2008
From: "erik Wilson"
To: freebsd-questions@freebsd.org
Date: Sun, 9 Mar 2008 09:22:07 -0400
Subject: Help with pf ruleset
List-Id: User questions
I'm pulling my hair out here. I've been working on this for days without any success. I've whittled the ruleset down to the barest possible rules and even that doesn't work. I'm at my wit's end. I would really appreciate it if someone could show me where I'm being a complete and total moron.

Here's the situation. I have a somewhat unique environment. It consists of 2 WANs, an internal LAN, and numerous VLANs (isolated clients, which need to be accessible from the internet, but not to each other). This runs in a VMware ESX server, but that's not really important.

FreeBSD 7.0-RELEASE
em0 = LAN (10.0.0.x)
em2 = WAN1 (y.y.y.y) (dhcp)
em3 = WAN2 (x.x.x.x) (static /28 subnet)

The default gateway is on nic2. nic3 will need to forward ip:ports to various VLANs. nic2 is used for all outbound LAN traffic (internet). nic2 will need to fail over to nic3 eventually, and nic3 will have to fail over to nic2 (for outbound; obviously no choice for inbound).

So here's the problem. I can't even get nic2 or nic3 to respond to a ping request from outside my network when pf is enabled. I know the interfaces are set up correctly, as I can ping the default gateways of both interfaces. Also, outbound NAT works perfectly on WAN1.

Here's my ruleset.

lan_if="em0"
wan1_if="em2"
wan2_if="em3"

set block-policy return
set skip on lo0

nat on $wan1_if from $lan_if:network to any -> ($wan1_if)

block in log
pass out log keep state
pass in log inet proto icmp all icmp-type echoreq keep state
pass in log quick on $lan_if

Looks simple enough, right? Why won't it work? All I want is to get a ping from both of the firewall's WANs from outside the network. Any ideas?
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            y.y.y.129          UGS         0     4433    em2
10.0.0.0/24        link#1             UC          0        0    em0
10.0.0.1           00:0c:29:a9:e5:75  UHLW        1      338    em0   1177
10.0.0.2           00:0c:29:c0:74:57  UHLW        1     3291    em0   1041
10.0.0.10          00:19:db:b1:07:78  UHLW        1     4827    em0   1185
10.0.1.0/24        link#7             UC          0        0  vlan0
10.0.2.0/24        link#8             UC          0        0  vlan1
10.0.2.2           00:0c:29:e9:8c:d2  UHLW        1      251  vlan1   1190
10.0.3.0/24        link#9             UC          0        0  vlan2
10.0.3.2           00:50:56:9c:53:89  UHLW        1      420  vlan2   1152
10.0.4.0/24        link#10            UC          0        0  vlan3
10.0.5.0/24        link#11            UC          0        0  vlan4
127.0.0.1          127.0.0.1          UH          0        0    lo0
y.y.y.128/25       link#3             UC          0        0    em2
x.x.x.144/28       link#4             UC          0        0    em3
x.x.x.146          00:0c:29:b5:0e:bb  UHLW        1        6    lo0
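As an added illustration (not part of the original post), the Python below models pf's filter-rule evaluation (top to bottom, last matching rule wins, `quick` ends evaluation) over the macros and filter rules posted above, so the decision the ruleset should reach for an inbound echo request on em2 or em3 can be compared with what is actually observed. It leaves out the `set` and `nat` lines and matches only on direction, interface, protocol and ICMP type; the packets it tests are constructed.

```python
import re

# Macros and filter rules copied from the posted ruleset; the 'set' and 'nat'
# lines are not filter rules and are left out of this model.
MACROS = {"lan_if": "em0", "wan1_if": "em2", "wan2_if": "em3"}
RULESET = """
block in log
pass out log keep state
pass in log inet proto icmp all icmp-type echoreq keep state
pass in log quick on $lan_if
"""

def expand(text):
    """Substitute $macro references the way pfctl does before parsing."""
    return re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], text)

def parse_rule(line):
    """Reduce a rule to the fields this model matches on; 'log', 'inet',
    'all' and 'keep state' do not decide which rule matches, so they are skipped."""
    tok = expand(line).split()
    rule = {"action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "on": None, "proto": None, "icmp_type": None}
    for i, t in enumerate(tok[:-1]):
        if t == "on":
            rule["on"] = tok[i + 1]
        elif t == "proto":
            rule["proto"] = tok[i + 1]
        elif t == "icmp-type":
            rule["icmp_type"] = tok[i + 1]
    return rule

def matches(rule, pkt):
    """A None field in the rule is a wildcard, as an omitted keyword is in pf."""
    return (rule["dir"] == pkt["dir"]
            and rule["on"] in (None, pkt["if"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["icmp_type"] in (None, pkt.get("icmp_type")))

def decide(pkt, ruleset=RULESET):
    """pf evaluates rules top to bottom and the LAST matching rule wins,
    unless a matching rule says 'quick', which ends evaluation immediately.
    Returns (action, rule_number); rule 0 means no rule matched (pf passes)."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines() if l.strip()]
    winner = ("pass", 0)
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            winner = (rule["action"], n)
            if rule["quick"]:
                break
    return winner
```

For a constructed echo request arriving on em2, `decide({"dir": "in", "if": "em2", "proto": "icmp", "icmp_type": "echoreq"})` returns `('pass', 3)`, i.e. rule 3 overrides rule 1's block; if the real firewall still drops such a packet, `tcpdump -n -e -ttt -i pflog0` on the logged rules is where to look next, since the evaluation order itself is not what stops it.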