Date: Mon, 3 Jul 2006 18:42:26 -0400
From: Mark Moellering <mark@msen.com>
To: freebsd-questions@freebsd.org
Subject: 3 NIC firewall help
Message-ID: <200607031842.27083.mark@msen.com>

Hello All,

I have a problem which I think must be simple, I just can't figure out exactly what I need to do.

I have a gateway / firewall (FreeBSD 6.1) with 3 NIC cards. I just added the third card, rl1, which I have attached to a wireless access point. I can ping the access point from the firewall, but not from the rest of the internal (wired) network!!??

My wired network is 192.168.1 and the wireless access point is currently the default 192.168.0.229. rl1 is set to 192.168.0.210.

Attached are netstat -r, my pf.conf and rc.conf from the firewall/gateway.

Any and all help is appreciated.

Thanks in advance

Mark Moellering

[Attachment: firewall_rc.conf]

# -- sysinstall generated deltas -- # Thu May 11 16:26:43 2006
# Created: Thu May 11 16:26:43 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
linux_enable="YES"
moused_enable="YES"
usbd_enable="YES"
#Internal Wired Network
ifconfig_bge0="inet 192.168.1.1 netmask 255.255.255.0"
hostname="Myhostname"
#Wireless Network
ifconfig_rl1="inet 192.168.0.210 netmask 255.255.255.0"
#External Gateway Interface
ifconfig_rl0="DHCP"
inetd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="var/log/pflog"

[Attachment: firewall_script]

# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#

# macros
int_if = "bge0"
ext_if = "rl0"
wint_if = "rl1"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wint_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# filter rules
block all
#pass in all

pass quick on lo0 all

block drop in on $ext_if from $priv_nets to any
block drop out on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

#allow access to web server
#pass in on $ext_if inet proto tcp from $XXX to 192.168.1.5 port 80 \
    flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass in on $wint_if from $wint_if:network to any keep state
pass out on $wint_if from any to $wint_if:network keep state

pass in on $wint_if from $int_if:network to any keep state
pass in on $int_if from $wint_if:network to any keep state
pass out on $wint_if from any to $int_if:network keep state
pass out on $int_if from any to $wint_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    user proxy keep state

[Attachment: netstat_output]

Script started on Mon Jul 3 18:49:59 2006
> netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            c-68-61-202-129.hs UGS         0       40    rl0
68.61.202.128/25   link#2             UC          0        0    rl0
c-68-61-202-129.hs 00:05:5f:e9:8c:a9  UHLW        2        0    rl0   1199
localhost          localhost          UH          0        0    lo0
192.168.0          link#3             UC          0        0    rl1
192.168.0.229      00:0f:b5:7a:14:82  UHLW        1       10    rl1   1089
192.168.1          link#1             UC          0        0   bge0
192.168.1.2        00:09:5b:20:aa:23  UHLW        1       30   bge0   1107

Internet6:
Destination        Gateway            Flags      Netif Expire
localhost.psyberat localhost.psyberat UH          lo0
fe80::%bge0        link#1             UC         bge0
fe80::240:f4ff:fe4 00:40:f4:47:23:54  UHL         lo0
fe80::%rl0         link#2             UC          rl0
fe80::2e0:7dff:fec 00:e0:7d:c1:74:44  UHL         lo0
fe80::%rl1         link#3             UC          rl1
fe80::2e0:7dff:fea 00:e0:7d:a8:78:8e  UHL         lo0
fe80::%lo0         fe80::1%lo0        U           lo0
fe80::1%lo0        link#6             UHL         lo0
ff01:1::           link#1             UC         bge0
ff01:2::           link#2             UC          rl0
ff01:3::           link#3             UC          rl1
ff01:6::           localhost.psyberat UC          lo0
ff02::%bge0        link#1             UC         bge0
ff02::%rl0         link#2             UC          rl0
ff02::%rl1         link#3             UC          rl1
ff02::%lo0         localhost.psyberat UC          lo0
> exit
exit

Script done on Mon Jul 3 18:50:07 2006