Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 3 Jul 2006 18:42:26 -0400
From:      Mark Moellering <mark@msen.com>
To:        freebsd-questions@freebsd.org
Subject:   3 NIC firewall help
Message-ID:  <200607031842.27083.mark@msen.com>
index | next in thread | raw e-mail 

[-- Attachment #1 --]
Hello All,

	I have a problem which I think must be simple, I just can't figure out 
exactly what I need to do.  I have a gateway / firewall (freebsd 6.1) with 3 
nic cards.  I just added the third card, rl1, which I have attached to a 
wireless access point.  
	I can ping the access point from the firewall, but not from the rest of the 
internal (wired) network!!??  My wired network is 192.168.1 and the wireless 
access point is currently the default 192.168.0.229.  rl1 is set to 
192.168.0.210
	Attached are netstat -r, my pf.conf and rc.conf from the firewall/gateway.  
Any and all help is appreciated.

Thanks in advance

Mark Moellering

[-- Attachment #2 --]

# -- sysinstall generated deltas -- # Thu May 11 16:26:43 2006
# Created: Thu May 11 16:26:43 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
linux_enable="YES"
moused_enable="YES"
usbd_enable="YES"

#Internal Wired Network
ifconfig_bge0="inet 192.168.1.1  netmask 255.255.255.0"
hostname="Myhostname"

#Wireless Network
ifconfig_rl1="inet 192.168.0.210 netmask 255.255.255.0"

#External Gateway Interface
ifconfig_rl0="DHCP"
inetd_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="var/log/pflog"


[-- Attachment #3 --]
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#


# macros
int_if = "bge0"
ext_if = "rl0"
wint_if = "rl1"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

        
# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wint_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021


# filter rules
block all

#pass in all

pass quick on lo0 all

block drop in on $ext_if from $priv_nets to any
block drop out on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

#allow access to web server
#pass in on $ext_if inet proto tcp from $XXX to 192.168.1.5 port 80 \
   flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass in on $wint_if from $wint_if:network to any keep state
pass out on $wint_if from any to $wint_if:network keep state

pass in on $wint_if from $int_if:network to any keep state
pass in on $int_if from $wint_if:network to any keep state

pass out on $wint_if from any to $int_if:network keep state
pass out on $int_if from any to $wint_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   user proxy keep state

[-- Attachment #4 --]
Script started on Mon Jul  3 18:49:59 2006
> netstat -r


Routing tables



Internet:

Destination        Gateway            Flags    Refs      Use  Netif Expire

default            c-68-61-202-129.hs UGS         0       40    rl0

68.61.202.128/25   link#2             UC          0        0    rl0

c-68-61-202-129.hs 00:05:5f:e9:8c:a9  UHLW        2        0    rl0   1199

localhost          localhost          UH          0        0    lo0

192.168.0          link#3             UC          0        0    rl1

192.168.0.229      00:0f:b5:7a:14:82  UHLW        1       10    rl1   1089

192.168.1          link#1             UC          0        0   bge0

192.168.1.2        00:09:5b:20:aa:23  UHLW        1       30   bge0   1107



Internet6:

Destination        Gateway            Flags      Netif Expire

localhost.psyberat localhost.psyberat UH          lo0

fe80::%bge0        link#1             UC         bge0

fe80::240:f4ff:fe4 00:40:f4:47:23:54  UHL         lo0

fe80::%rl0         link#2             UC          rl0

fe80::2e0:7dff:fec 00:e0:7d:c1:74:44  UHL         lo0

fe80::%rl1         link#3             UC          rl1

fe80::2e0:7dff:fea 00:e0:7d:a8:78:8e  UHL         lo0

fe80::%lo0         fe80::1%lo0        U           lo0

fe80::1%lo0        link#6             UHL         lo0

ff01:1::           link#1             UC         bge0

ff01:2::           link#2             UC          rl0

ff01:3::           link#3             UC          rl1

ff01:6::           localhost.psyberat UC          lo0

ff02::%bge0        link#1             UC         bge0

ff02::%rl0         link#2             UC          rl0

ff02::%rl1         link#3             UC          rl1

ff02::%lo0         localhost.psyberat UC          lo0

> exit


exit


Script done on Mon Jul  3 18:50:07 2006
help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607031842.27083.mark>