PF Routing to VPN Device

Valentin Bud valentin.bud at gmail.com
Thu Jun 18 08:38:05 UTC 2009


On Thu, Jun 18, 2009 at 11:35 AM, Valentin Bud <valentin.bud at gmail.com>wrote:

>
>
> On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost <
> mikesw at adhost.com> wrote:
>
>> Hello,
>>
>> We have a network with a VPN device sitting beside a PF server, both
>> connected to an internal network.
>>
>> PF Server: 10.1.4.1
>> VPN Device: 10.1.4.200
>>
>> The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to
>> these networks should be routed to 10.1.4.200.  We've set up routes on
>> the PF server as such.
>>
>> We've set up the following rules:
>>
>> block in log
>> pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24
>> 10.1.2.0/24 }
>>
>> However, the block in log is catching the return traffic.  From pflog
>> when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on
>> port 80:
>>
>> 000000 rule 28/0(match): block in on bge1: 10.1.4.25.80 >
>> 10.1.2.105.3558: [|tcp]
>>
>> If we remove the block in log, the traffic works.
>>
>> What are we missing?
>>
>> Thanks,
>> Mike
>
>  Hello Mike,
What version of FBSD are you using? The keep state is implicit from 7.0
AFAIK.

So if you are using a version prior to 7.0 you should add keep state so the
return traffic can be passed.

v
-- 
network warrior since 2005
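The rule set that the reply above suggests, written out as a pf.conf fragment with `keep state` made explicit. This is an added example, not the original poster's configuration: the interface name `bge1` is taken from the pflog line in the question, the addresses are the ones given in the thread, and the macro names are assumed. It uses the `route-to ( interface address )` form that pf.conf(5) documents.

```conf
# Added example (not the poster's own pf.conf): routing to the VPN device with
# explicit state keeping, so the rule behaves the same on FreeBSD releases
# before and after 7.0.  Macro names are assumed; addresses are from the thread.
int_if   = "bge1"                        # internal interface (from the pflog line)
int_net  = "10.1.4.0/24"                 # internal LAN
vpn_gw   = "10.1.4.200"                  # VPN device next hop
vpn_nets = "{ 10.1.1.0/24, 10.1.2.0/24 }" # networks reachable through the VPN

# Default deny on inbound traffic, logged, so anything not matched by a pass
# rule below is visible in pflog instead of disappearing silently.
block in log

# Hand traffic from the internal LAN towards the VPN networks to the VPN device.
# "keep state" is written out: on FreeBSD 7.0 and later it is already the
# default for pass rules, but on earlier releases a pass rule without it only
# passes the first direction and the replies fall through to "block in log".
pass in on $int_if route-to ( $int_if $vpn_gw ) \
    from $int_net to $vpn_nets keep state
```

Load it with `pfctl -f /etc/pf.conf` and check with `pfctl -vsr` that the pass rule is the one collecting matches. If the logged block persists after adding `keep state`, look at `pfctl -ss` for a state entry for the flow: a stateful TCP rule only creates state on the initial SYN (the default `flags S/SA` on 7.0 and later), so replies to a connection whose start pf never saw will still hit the block rule.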

