From owner-freebsd-questions@FreeBSD.ORG Thu Jun 18 08:36:46 2009
Date: Thu, 18 Jun 2009 01:36:45 -0700
From: "Mike Sweetser - Adhost" <mikesw@adhost.com>
To: freebsd-questions@freebsd.org
Subject: RE: PF Routing to VPN Device
Message-ID: <17838240D9A5544AAA5FF95F8D5203160638ACB3@ad-exh01.adhost.lan>
In-Reply-To: <139b44430906180135y6969322ai28c729ca815f6915@mail.gmail.com>
References: <17838240D9A5544AAA5FF95F8D5203160638ABE2@ad-exh01.adhost.lan> <139b44430906180135y6969322ai28c729ca815f6915@mail.gmail.com>

> -----Original Message-----
> From: Valentin Bud [mailto:valentin.bud@gmail.com]
> Sent: Thursday, June 18, 2009 1:36 AM
> To: Mike Sweetser - Adhost
> Cc: freebsd-questions@freebsd.org
> Subject: Re: PF Routing to VPN Device
>
> On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost wrote:
>
> Hello,
>
> We have a network with a VPN device sitting beside a PF server, both
> connected to an internal network.
>
> PF Server: 10.1.4.1
> VPN Device: 10.1.4.200
>
> The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to
> these networks should be routed to 10.1.4.200. We've set up routes on
> the PF server as such.
>
> We've set up the following rules:
>
> block in log
> pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }
>
> However, the block in log is catching the return traffic. From pflog
> when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on
> port 80:
>
> 000000 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]
>
> If we remove the block in log, the traffic works.
>
> What are we missing?
>
> Thanks,
> Mike
>
> Hello Mike,
>
> What version of FBSD are you using? The keep state is implicit from 7.0 as
> far as I know. I might not be right so someone please correct.
>
> If that is the case you should add keep state to your rule and see
> what happens.

We're using FreeBSD 7.2.

Mike
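For the rule set quoted in this thread, the fragment below is an added pf.conf example (not the configuration of either poster) with the state handling spelled out as Valentin suggests. It assumes `$int_if` is `bge1`, the interface named in the logged block, and keeps the thread's addresses; the comments on the reply-only path are this editor's reading of the logged packet, flagged as an assumption, not something either poster stated.

```pf
# Added example, not from the thread. Assumes the internal interface is bge1.
int_if   = "bge1"
vpn_gw   = "10.1.4.200"
vpn_nets = "{ 10.1.1.0/24, 10.1.2.0/24 }"

# Keep the logging block as the default so that anything not explicitly
# passed still shows up in pflog for review.
block in log

# LAN -> VPN networks, handed to the VPN device as next hop. pf's route-to
# takes the outgoing interface together with the next-hop address.
# On FreeBSD 7.x pf a pass rule is stateful by default; "keep state" is
# written out here so the intent is visible in the rule set. Reply packets
# of a flow whose first packet created state match that state and never
# reach the block rule above.
pass in on $int_if route-to ($int_if $vpn_gw) \
    from 10.1.4.0/24 to $vpn_nets keep state

# Assumption about the logged packet (10.1.4.25.80 > 10.1.2.105.3558, in on
# bge1): it is a reply whose forward leg (VPN client -> 10.1.4.25) may have
# travelled VPN device -> host directly, never crossing this firewall, so no
# state exists when the reply arrives. A stateful TCP rule defaults to
# "flags S/SA" and does not match a mid-stream packet, so the reply falls
# through to "block in log". If pflog confirms that, the reply direction
# needs a stateless rule, narrowed to the hosts and ports actually
# involved rather than removing the block rule:
pass in on $int_if route-to ($int_if $vpn_gw) proto tcp \
    from 10.1.4.25 port 80 to 10.1.2.0/24 flags any no state

# Verify before loading:   pfctl -nf /etc/pf.conf
# Watch what still blocks: tcpdump -n -e -ttt -i pflog0
```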