From owner-freebsd-questions@FreeBSD.ORG Thu Jun 18 08:38:04 2009
From: Valentin Bud
To: Mike Sweetser - Adhost
Cc: freebsd-questions@freebsd.org
Date: Thu, 18 Jun 2009 11:37:43 +0300
Subject: Re: PF Routing to VPN Device
Message-ID: <139b44430906180137w4daf8c3as6ce02423bc19db36@mail.gmail.com>
In-Reply-To: <139b44430906180135y6969322ai28c729ca815f6915@mail.gmail.com>
References: <17838240D9A5544AAA5FF95F8D5203160638ABE2@ad-exh01.adhost.lan> <139b44430906180135y6969322ai28c729ca815f6915@mail.gmail.com>
List-Id: User questions

On Thu, Jun 18, 2009 at 11:35 AM, Valentin Bud wrote:
>
> On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost <mikesw@adhost.com> wrote:
>
>> Hello,
>>
>> We have a network with a VPN device sitting beside a PF server, both
>> connected to an internal network.
>>
>> PF Server: 10.1.4.1
>> VPN Device: 10.1.4.200
>>
>> The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to
>> these networks should be routed to 10.1.4.200. We've set up routes on
>> the PF server as such.
>>
>> We've set up the following rules:
>>
>> block in log
>> pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }
>>
>> However, the block in log is catching the return traffic. From pflog,
>> when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on
>> port 80:
>>
>> 000000 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]
>>
>> If we remove the block in log, the traffic works.
>>
>> What are we missing?
>>
>> Thanks,
>> Mike

Hello Mike,

What version of FBSD are you using? The keep state is implicit from 7.0 AFAIK. So if you are using a version prior to 7.0 you should add keep state so the return traffic can be passed.

v
-- 
network warrior since 2005
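The ruleset below is an added example for this thread; it is not Mike's configuration and not part of Valentin's reply. It assumes the topology from the question (PF server 10.1.4.1 on bge1, VPN device 10.1.4.200, remote VPN networks 10.1.1.0/24 and 10.1.2.0/24) plus one further assumption that the logged packet points at: the VPN device hands packets from the VPN side straight to hosts on 10.1.4.0/24, so PF never sees the SYN of a VPN-initiated connection and only gets the reply half (10.1.4.25.80 > 10.1.2.105.3558 arriving in on bge1) when the internal host sends it to its default gateway. The example writes keep state out explicitly, as the reply recommends, uses the route-to ($int_if $vpn_gw) form from pf.conf(5), and adds a stateless rule for that reply-only half. The macro names are illustrative.

```pf
# Added example, not from the thread. Assumed topology:
#   PF server 10.1.4.1 on bge1, VPN device 10.1.4.200, both on 10.1.4.0/24,
#   remote VPN networks 10.1.1.0/24 and 10.1.2.0/24 reachable via the VPN device.
int_if   = "bge1"
vpn_gw   = "10.1.4.200"
vpn_nets = "{ 10.1.1.0/24, 10.1.2.0/24 }"

set skip on lo0

block in log

# LAN-initiated connections toward the VPN networks: PF sees the SYN, so an
# ordinary stateful rule works. "keep state" is explicit so the rule reads the
# same on pf releases before and after it became the default.
pass in on $int_if route-to ($int_if $vpn_gw) proto tcp \
    from 10.1.4.0/24 to $vpn_nets flags S/SA keep state
pass in on $int_if route-to ($int_if $vpn_gw) proto { udp icmp } \
    from 10.1.4.0/24 to $vpn_nets keep state

# Replies to VPN-initiated connections (the case in the pflog line). Assumption:
# the VPN device delivered the inbound half directly on the LAN, so PF holds no
# state and a SYN-ACK does not satisfy the default "flags S/SA" above. Match the
# ACK-bearing return packets statelessly and hand them to the VPN device.
pass in on $int_if route-to ($int_if $vpn_gw) proto tcp \
    from 10.1.4.0/24 to $vpn_nets flags A/A no state
```

Check the syntax before loading it with `pfctl -nvf /etc/pf.conf`. UDP and ICMP replies to VPN-initiated traffic would need the same `no state` treatment (without `flags`, which only applies to TCP). The cleaner fix, if the hosts allow it, is to avoid the asymmetric path altogether: add a static route for 10.1.1.0/24 and 10.1.2.0/24 via 10.1.4.200 on the internal hosts, or place the VPN device behind the PF server so PF sees both directions and plain stateful rules suffice.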