
Re: PF and routing



Sorry for the top post, but it makes more sense in this case.

Change the netmask for all internal interfaces to 255.255.0.0
and they will all be on the same subnet - no routing needed.
Then make the default route on all workstations and the Ciscos
point to the internal interface on the firewall.

_________________________
Unix has the bottom 95% of what you'd want in an OS.
Windows has the top 30% (it's kinda pretty to the new, but if you
dig a bit, you find that it's all on top of nothing).

--- B4nsh33 <mmiranda_(_at_)_123_(_dot_)_com_(_dot_)_sv> wrote:
From: B4nsh33 <mmiranda_(_at_)_123_(_dot_)_com_(_dot_)_sv>
Date: Thu, 25 Aug 2005 17:02:54 -0600
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: PF and routing
Hi people, I'm having some problems implementing a firewall/router
for my company. The firewall has two interfaces, one to the local
LAN and one to the ISP's router (static IP). We have local and
remote offices, interconnected by a WAN link (Cisco routers). The
local office is configured in the 192.168.10.x network, default
gateway 192.168.10.100 (firewall's internal IP); the remote office
is configured in the 192.168.20.x network, default gateway
192.168.20.1 (remote router's internal IP). The local firewall will
be providing internet access to both networks. This is working
flawlessly; my problem is the routing between the local and remote
office. I want the firewall to route between both networks and the
internet, i.e.:
                    INTERNET
                        ^
                        |
                     +----+
                     | PF |
                     +----+
                .100    |
                        |
                        |
  LOCAL OFFICE          |                 REMOTE OFFICE
  192.168.10.x          |   +--+   +--+   192.168.20.x
  --------------------------|R1|---|R2|---------------
     |        |          .1 +--+ ^ +--+ .1        |
  .2 |     .3 |                  |             .6 |
   +---+    +---+                |              +---+
   |ws1|    |ws2|                |              |ws3|
   +---+    +---+             SERIAL            +---+
                               LINK
Typical ws1 IP configuration:
IP Address. . . . . . . . . . . . : 192.168.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.100
Typical ws3 IP configuration:
IP Address. . . . . . . . . . . . : 192.168.20.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
netstat -rn on the firewall:
Internet:
Destination        Gateway            Flags     Interface
default            200.13.161.65      UGS       fxp0
127/8              127.0.0.1          UGRS      lo0
127.0.0.1          127.0.0.1          UH        lo0
192.168.10/24      link#2             UC        fxp1
192.168.20/24      192.168.10.1       UGS       fxp1
This is my pf.conf:
###########
## pf.conf
###########
# interfaces
if_net = "fxp0" # internet
if_loc = "fxp1" # local network
# groups
table <loc_nets> { 192.168.10.0/24, 192.168.20.0/24 }
# Options
set block-policy drop
scrub in all
# NAT
nat pass on $if_net from <loc_nets> to any -> $ip_pub
# Packet Filtering
# default policy
block log all label "DEFAULT BLOCK:"
# trusted interfaces
pass in quick on lo0 all
pass out quick on lo0 all
## FILTER RULES
pass in quick on $if_loc from <loc_nets> to any flags S/SA keep state
If I ping from ws1 to ws2 I get Request timed out. Trying to solve
the problem I added this line to pf.conf:
pass out quick on $if_loc from <loc_nets> to <loc_nets> keep state
Are these lines really necessary, or am I missing something, maybe
in sysctl.conf?
Sorry for the endless email, but I wanted to make it clear.
Thanks
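An added example, not from either message in the thread: it replays the firewall's route lookup over the netstat table quoted above and checks the reply's netmask suggestion, using Python's ipaddress module. The routing table and the ws1/ws3 addresses are transcribed from the original post; the hairpin check assumes the arrival interface is the one the firewall would route back to the source.

```python
import ipaddress

# Routing table transcribed from the netstat -rn output in the post
# (destination, gateway, flags, interface); "default" written as 0.0.0.0/0.
ROUTES = [
    ("0.0.0.0/0",       "200.13.161.65", "UGS",  "fxp0"),
    ("127.0.0.0/8",     "127.0.0.1",     "UGRS", "lo0"),
    ("127.0.0.1/32",    "127.0.0.1",     "UH",   "lo0"),
    ("192.168.10.0/24", "link#2",        "UC",   "fxp1"),
    ("192.168.20.0/24", "192.168.10.1",  "UGS",  "fxp1"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match over the table, as the forwarding path does it.
    Returns (gateway, interface), or None when no entry matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, _flags, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifname)
    return None if best is None else (best[1], best[2])


def hairpins(src, dst, routes=ROUTES):
    """True when the firewall forwards src->dst back out the interface the
    packet arrived on (assumption: arrival interface = route back to src).
    Such a packet is filtered both 'in' and 'out' on that interface."""
    return lookup(src, routes)[1] == lookup(dst, routes)[1]


def same_subnet(host_a, host_b, netmask):
    """Would host_a treat host_b as on-link (no gateway) under this netmask?"""
    net_a = ipaddress.ip_network(f"{host_a}/{netmask}", strict=False)
    return ipaddress.ip_address(host_b) in net_a


if __name__ == "__main__":
    ws1, ws3 = "192.168.10.2", "192.168.20.6"      # from the ipconfig output
    print("next hop for ws3:", lookup(ws3))          # ('192.168.10.1', 'fxp1')
    print("ws1 -> ws3 hairpins:", hairpins(ws1, ws3))  # True
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, "same subnet:", same_subnet(ws1, ws3, mask))
```

The hairpin result is the point to check against the `block log all` default: a ws1 to remote-office packet leaves fxp1 again, so it must be passed outbound too, either by a rule or by an existing state. The same-subnet check only reproduces the /16 arithmetic from the reply; whether two hosts are actually reachable on-link depends on what sits between them, and the diagram shows two routers on a serial link.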