Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 18 Jun 2009 01:36:45 -0700
From:      "Mike Sweetser - Adhost" <mikesw@adhost.com>
To:        <freebsd-questions@freebsd.org>
Subject:   RE: PF Routing to VPN Device
Message-ID:  <17838240D9A5544AAA5FF95F8D5203160638ACB3@ad-exh01.adhost.lan>
In-Reply-To: <139b44430906180135y6969322ai28c729ca815f6915@mail.gmail.com>
References:  <17838240D9A5544AAA5FF95F8D5203160638ABE2@ad-exh01.adhost.lan> <139b44430906180135y6969322ai28c729ca815f6915@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

> -----Original Message-----
> From: Valentin Bud [mailto:valentin.bud@gmail.com]
> Sent: Thursday, June 18, 2009 1:36 AM
> To: Mike Sweetser - Adhost
> Cc: freebsd-questions@freebsd.org
> Subject: Re: PF Routing to VPN Device
> 
> 
> 
> On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost
> <mikesw@adhost.com> wrote:
> 
> 
> 	Hello,
> 
> 	We have a network with a VPN device sitting beside a PF server,
> both
> 	connected to an internal network.
> 
> 	PF Server: 10.1.4.1
> 	VPN Device: 10.1.4.200
> 
> 	The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any
> traffic to
> 	these networks should be routed to 10.1.4.200.  We've set up
> routes on
> 	the PF server as such.
> 
> 	We've set up the following rules:
> 
> 	block in log
> 	pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to {
> 10.1.1.0/24
> 	10.1.2.0/24)
> 
> 	However, the block in log is catching the return traffic.  From
> pflog
> 	when somebody on the VPN (10.1.2.105) tries to connect to
> 10.1.4.25 on
> 	port 80:
> 
> 	000000 rule 28/0(match): block in on bge1: 10.1.4.25.80 >
> 	10.1.2.105.3558: [|tcp]
> 
> 	If we remove the block in log, the traffic works.
> 
> 	What are we missing?
> 
> 	Thanks,
> 	Mike
> 
> 
> Hello Mike,
> 
>  What version on FBSD are you using? The keep state is implicit from
> 7.0 as
> far as i know. I might not be right so someone please correct.
> 
>  If that is the case you should add keep state to your rule and see
> what happens.

We're using FreeBSD 7.2.

Mike

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?17838240D9A5544AAA5FF95F8D5203160638ACB3>