double PF setup.

I have a question that I thought was best suited to this list. If you think I should post it to misc instead, let me know.

I am trying to set up the following. (Warning, ASCII art follows :-)

               ( the net )
                    | (fxp0)
              | OBSD 3.2 |
          FW1 | PF / NAT |  
                    | (fxp1)
                    |                 -----------------
                    |-----------------| Suit-ware/IDS |
                    |                 -----------------
                    | (fxp0)
          RT1 ------------                       -------------------
              | OBSD 3.2 | (fxp5)      | Many hosts at   |
   -----------|    PF    |-----------------------| Regional offices|
   |  ------------         ATM           -------------------
   | (fxp2)     |      |
   |            |      | (fxp4)
   |            |      |                 --------------------------
   |            |      ------------------| Many web/email servers |
   |            |                        --------------------------
   |            | (fxp3)
-----------     |     ---------------------------
|   many  |     |-----| Many staff workstations |
|   data  |           ---------------------------
| servers |       
Hope this reads OK. Basically we have one box running PF/NAT on the outside, network monitoring in the middle, and then PF on another box doing routing and firewalling between private IP zones.

This is our new network layout. We had been using public IPs on all machines and then using OBSD 2.9 with IPF as a transparent bridge. I am in the process of changing to something like the above, where I am using one box as the firewall and a second box as more of a router, but someday I want to be able to use the power of PF to protect between my zones. The reason for the two boxes is so the suit-ware/spy-ware/monitoring-crap, whatever you want to call it, can sit in the middle and get non-NATed IPs. An IDS will also sit there.

My trouble is I can't seem to get from FW1 to RT1 and then on into my network. I can ping just fine from a data server, through RT1, to a host in a regional office. I feel like this must be in some way a netmask issue, but I also feel like I need to have the open netmask ( on the interfaces between FW1 and RT1 for a packet to be received by RT1 with the intent of forwarding it on to 10.5.x.x.

Details from FW1
bash-2.05b# more hostname.fxp0
inet NONE

bash-2.05b# more pf.conf
nat on fxp0 from to any ->
pass out all
pass in all

bash-2.05b# ping
PING ( 56 data bytes
ping: sendto: Host is down

Details from RT1:
bash-2.05b# more hostname.fxp0
inet NONE

bash-2.05b# more hostname.fxp2
inet NONE
bash-2.05b# more pf.conf
pass out all
pass in all

If I try to do a ping from FW1 to I get this on RT1:
tcpdump: listening on fxp0
23:18:32.296550 arp who-has tell
23:18:33.301923 arp who-has tell
23:18:34.311889 arp who-has tell
23:18:35.321875 arp who-has tell

If I do an "arp -s  00:08:02:b0:01:d2" on FW1, everything is cured... but I have a thousand hosts, so that is out of the question. Is there any way to get RT1 to answer ARP requests for machines that are hanging off its interfaces?

Should I just be running routed (zebra)?  Can I still use PF if I am using routed?

If I try to ping the outside world, I see this in the tcpdump of fxp1 on FW1:
23:40:49.225667 arp who-has tell

We have tried setting a static IP route using the route command on FW1, and either we didn't have the route right or it didn't work.

I can't find much about the dup-to option in PF. Would this be a better answer to my suit-ware problem?

Any ideas what I am doing wrong?  Need more information?
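The tcpdump above shows FW1 ARPing for the far host itself, which is what a kernel does when its interface netmask says the destination is on-link. The following is an added example, not code from the original post or from OpenBSD: it models FW1's route lookup (longest-prefix match over connected and static routes) and reports which address FW1 would have to ARP for. All addresses in it are made-up assumptions, since the real ones were not preserved in the post; the interface names fxp0/fxp1 and the 10.5.x.x regional range come from the post.

```python
"""Model of FW1's route lookup: why a wide link netmask makes FW1 ARP for
hosts behind RT1, and what a narrow netmask plus static routes changes.

Added illustration, not code from the post. Addresses are constructed
assumptions; only the interface names and the 10.5.x.x range come from it.
"""
import ipaddress

# Constructed addresses (assumptions for the illustration).
FW1_OUTSIDE = ("fxp0", "203.0.113.10/24")   # FW1's public side
UPSTREAM_GW = "203.0.113.1"                 # ISP router
RT1_LINK_ADDR = "10.1.1.2"                  # RT1 fxp0, facing FW1 fxp1
REGIONAL_HOST = "10.5.3.4"                  # a host behind RT1 (10.5.x.x)
INTERNET_HOST = "198.51.100.7"


def build_table(interfaces, static_routes):
    """Model the kernel routing table.

    interfaces:    {ifname: "addr/prefix"}; each configured interface adds a
                   connected route (gateway None) for its network, as
                   ifconfig does.
    static_routes: [(prefix, gateway)] as added with `route add`.
    Returns a list of (IPv4Network, gateway-or-None, ifname).
    """
    table = []
    for ifname, cidr in interfaces.items():
        table.append((ipaddress.ip_interface(cidr).network, None, ifname))
    for prefix, gw in static_routes:
        gw_addr = ipaddress.ip_address(gw)
        # A gateway is only usable if it lies on a connected network.
        ifname = next((name for net, g, name in table
                       if g is None and gw_addr in net), None)
        if ifname is None:
            raise ValueError(f"gateway {gw} is not on any connected network")
        table.append((ipaddress.ip_network(prefix), gw, ifname))
    return table


def lookup(table, dst):
    """Longest-prefix match. Returns (ifname, address to ARP for) or None."""
    dst_addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in table:
        if dst_addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    if best is None:
        return None                      # kernel would say "No route to host"
    _net, gw, ifname = best
    # Connected route: destination is assumed on-link, so ARP for the host
    # itself (RT1 will not answer for hosts behind it, hence "Host is down").
    # Gateway route: ARP only for the gateway, which RT1 does answer.
    return (ifname, str(dst_addr) if gw is None else gw)


def broken_wide_netmask():
    """The post's situation: the FW1-RT1 link carries the whole 10/8."""
    table = build_table({FW1_OUTSIDE[0]: FW1_OUTSIDE[1], "fxp1": "10.1.1.1/8"},
                        [("0.0.0.0/0", UPSTREAM_GW)])
    return lookup(table, REGIONAL_HOST)  # ('fxp1', '10.5.3.4'): ARPs for the far host


def narrow_netmask_no_route():
    """Narrowing the link alone is not enough: 10.5/16 falls to the default route."""
    table = build_table({FW1_OUTSIDE[0]: FW1_OUTSIDE[1], "fxp1": "10.1.1.1/30"},
                        [("0.0.0.0/0", UPSTREAM_GW)])
    return lookup(table, REGIONAL_HOST)  # ('fxp0', '203.0.113.1'): sent toward the ISP


def fixed_narrow_netmask_plus_routes():
    """Narrow link netmask plus one static route per zone behind RT1."""
    table = build_table({FW1_OUTSIDE[0]: FW1_OUTSIDE[1], "fxp1": "10.1.1.1/30"},
                        [("0.0.0.0/0", UPSTREAM_GW),
                         ("10.5.0.0/16", RT1_LINK_ADDR),   # regional offices via RT1
                         ("10.2.0.0/16", RT1_LINK_ADDR)])  # assumed data-server zone via RT1
    return (lookup(table, REGIONAL_HOST),   # ('fxp1', '10.1.1.2'): ARPs for RT1
            lookup(table, INTERNET_HOST))   # ('fxp0', '203.0.113.1')


if __name__ == "__main__":
    print("wide netmask, no routes :", broken_wide_netmask())
    print("narrow netmask, no route:", narrow_netmask_no_route())
    print("narrow netmask + routes :", fixed_narrow_netmask_plus_routes())
```

With the assumed addresses, the equivalent on FW1 would be a /30 (or similar small) netmask in hostname.fxp1 and a static route per internal zone, e.g. "route add -net 10.5.0.0 -netmask 255.255.0.0 10.1.1.2", so that FW1 ARPs for RT1 rather than for every host behind it; RT1 also needs net.inet.ip.forwarding=1 to forward at all. A proxy-ARP entry on RT1 (arp -s with "pub") would also make it answer, but a route is the normal fix and scales to a thousand hosts without per-host entries.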


