Date:      Tue, 14 Jul 2009 01:22:06 +0100
From:      Peter Maxwell <peter@allicient.co.uk>
To:        freebsd-pf@freebsd.org, apetar@gmail.com
Subject:   Re: pf between two lans
Message-ID:  <7731938b0907131722v460e5429ve4906ff822b2719@mail.gmail.com>
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316065A8437@ad-exh01.adhost.lan>
References:  <3228ef7c0907111044i55b965d3me10ad146314517bf@mail.gmail.com> <20090712155707.4925813c@overlord> <17838240D9A5544AAA5FF95F8D520316065A8437@ad-exh01.adhost.lan>

Hi Aleksic,

On a cursory glance, your pf.conf looks ok.  The tcpdump you supplied
is showing both incoming and outgoing packets being blocked which is
weird - why would there be a return packet if the initial SYN didn't
get through?

Can you post the output of: pfctl -s r

What happens if you try things without pf loaded, and with pf loaded
but a pass all ruleset?

Have you got gateway_enable set in your rc.conf (I think it shows as
net.inet.ip.forwarding being set to 1 in your sysctl)?

Can you post the results of the same tcpdump with a larger window size
( -s 1024 ) and/or a tcpdump on the network interface itself?

There's probably a simple explanation I'm not seeing, but those are
the kind of things I'd try/check.

Peter

2009/7/13 Michael K. Smith - Adhost <mksmith@adhost.com>:
> Hello Aleksic:
>>
>> no nat on $extIF inet proto {tcp, udp} from $intIF:network to
>> $intIF2:network
>> no nat on $extIF inet proto {tcp, udp} from $intIF2:network to
>> $intIF:network
>>
> If nothing else, these rules won't match because the traffic isn't
> traversing the External Interface.
>
> no nat on $intIF2 inet proto {tcp, udp} from $intIF:network to
> $intIF2:network
> no nat on $intIF inet proto {tcp, udp} from $intIF2:network to
> $intIF:network
>
> Regards,
>
> Mike
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
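As an added illustration of the interface placement Mike describes (example config written for this reply, not from either poster; interface names and subnets are assumptions), a minimal pf.conf for a FreeBSD router with one external and two internal interfaces:

```pf
# Assumed interface names; adjust to match ifconfig output.
extIF  = "em0"
intIF  = "em1"   # LAN A
intIF2 = "em2"   # LAN B

set skip on lo0

# Only traffic leaving via the external interface is translated.
nat on $extIF inet from { $intIF:network, $intIF2:network } to any -> ($extIF)

# LAN-to-LAN packets leave via an internal interface, so a "no nat"
# exemption must be attached to that interface, never to $extIF.
# (Redundant while nat is only applied on $extIF, but shown here to make
# the correct interface explicit.)
no nat on $intIF2 inet proto { tcp, udp } from $intIF:network  to $intIF2:network
no nat on $intIF  inet proto { tcp, udp } from $intIF2:network to $intIF:network

# Default deny, then pass inter-LAN traffic statefully in both directions.
# States are floating by default, so the reply arriving on the other
# internal interface matches the same state entry.
block log all
pass quick on $intIF  inet from $intIF:network  to $intIF2:network keep state
pass quick on $intIF2 inet from $intIF2:network to $intIF:network  keep state
pass out on $extIF inet from { $intIF:network, $intIF2:network } to any keep state
```

Check the parse with `pfctl -nvf /etc/pf.conf` before loading, and compare the expanded rules shown by `pfctl -s r` against the macros you intended; forwarding between the LANs also needs net.inet.ip.forwarding=1 (gateway_enable in rc.conf) regardless of the ruleset.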