From: "Mike Sweetser - Adhost" <mikesw@adhost.com>
To: freebsd-questions@freebsd.org
Date: Wed, 17 Jun 2009 12:31:43 -0700
Subject: PF Routing to VPN Device

Hello,

We have a network with a VPN device sitting beside a PF server, both connected to an internal network.

PF Server: 10.1.4.1
VPN Device: 10.1.4.200

The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to these networks should be routed to 10.1.4.200.

We've set up routes on the PF server as such. We've set up the following rules:

block in log
pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }

However, the block in log is catching the return traffic. From pflog, when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on port 80:

000000 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]

If we remove the block in log, the traffic works. What are we missing?

Thanks,
Mike