3 NIC firewall help
Mark Moellering
mark at msen.com
Mon Jul 3 22:43:12 UTC 2006
Hello All,
I have a problem which I think must be simple; I just can't figure out
exactly what I need to do. I have a gateway / firewall (FreeBSD 6.1) with 3
NIC cards. I just added the third card, rl1, which I have attached to a
wireless access point.
I can ping the access point from the firewall, but not from the rest of the
internal (wired) network!!?? My wired network is 192.168.1 and the wireless
access point is currently the default 192.168.0.229. rl1 is set to
192.168.0.210.
Attached are netstat -r, my pf.conf and rc.conf from the firewall/gateway.
Any and all help is appreciated.
Thanks in advance
Mark Moellering
-------------- next part: /etc/rc.conf --------------
# -- sysinstall generated deltas -- # Thu May 11 16:26:43 2006
# Created: Thu May 11 16:26:43 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
linux_enable="YES"
moused_enable="YES"
usbd_enable="YES"
#Internal Wired Network
ifconfig_bge0="inet 192.168.1.1 netmask 255.255.255.0"
hostname="Myhostname"
#Wireless Network
ifconfig_rl1="inet 192.168.0.210 netmask 255.255.255.0"
#External Gateway Interface
ifconfig_rl0="DHCP"
inetd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"   # absolute path; "var/log/pflog" was relative
-------------- next part: /etc/pf.conf --------------
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# macros
int_if = "bge0"
ext_if = "rl0"
wint_if = "rl1"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wint_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# filter rules
block all
#pass in all
pass quick on lo0 all
block drop in on $ext_if from $priv_nets to any
block drop out on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
#allow access to web server
#pass in on $ext_if inet proto tcp from $XXX to 192.168.1.5 port 80 \
#    flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass in on $wint_if from $wint_if:network to any keep state
pass out on $wint_if from any to $wint_if:network keep state
pass in on $wint_if from $int_if:network to any keep state
pass in on $int_if from $wint_if:network to any keep state
pass out on $wint_if from any to $int_if:network keep state
pass out on $int_if from any to $wint_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
user proxy keep state
-------------- next part: netstat -r (script output) --------------
Script started on Mon Jul 3 18:49:59 2006
> netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default c-68-61-202-129.hs UGS 0 40 rl0
68.61.202.128/25 link#2 UC 0 0 rl0
c-68-61-202-129.hs 00:05:5f:e9:8c:a9 UHLW 2 0 rl0 1199
localhost localhost UH 0 0 lo0
192.168.0 link#3 UC 0 0 rl1
192.168.0.229 00:0f:b5:7a:14:82 UHLW 1 10 rl1 1089
192.168.1 link#1 UC 0 0 bge0
192.168.1.2 00:09:5b:20:aa:23 UHLW 1 30 bge0 1107
Internet6:
Destination Gateway Flags Netif Expire
localhost.psyberat localhost.psyberat UH lo0
fe80::%bge0 link#1 UC bge0
fe80::240:f4ff:fe4 00:40:f4:47:23:54 UHL lo0
fe80::%rl0 link#2 UC rl0
fe80::2e0:7dff:fec 00:e0:7d:c1:74:44 UHL lo0
fe80::%rl1 link#3 UC rl1
fe80::2e0:7dff:fea 00:e0:7d:a8:78:8e UHL lo0
fe80::%lo0 fe80::1%lo0 U lo0
fe80::1%lo0 link#6 UHL lo0
ff01:1:: link#1 UC bge0
ff01:2:: link#2 UC rl0
ff01:3:: link#3 UC rl1
ff01:6:: localhost.psyberat UC lo0
ff02::%bge0 link#1 UC bge0
ff02::%rl0 link#2 UC rl0
ff02::%rl1 link#3 UC rl1
ff02::%lo0 localhost.psyberat UC lo0
> exit
exit
Script done on Mon Jul 3 18:50:07 2006
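To see what the posted pf.conf actually decides for the failing ping, here is an added example (not part of the original mail, not pf itself, and not the poster's configuration) that models pf's filter evaluation: rules are walked in order, the last matching rule wins, and a matching rule marked `quick` ends evaluation at once. It encodes the posted filter rules with the interface networks from the posted rc.conf; the rl0 address is DHCP-assigned and not on the page, so the `198.51.100.10` placeholder stands in for `($ext_if)`. State tracking, nat/rdr, scrub, `flags`, `user`, `icmp-type` and source ports are deliberately left out.

```python
"""Toy model of pf filter evaluation: the LAST matching rule decides unless a
matching rule carries 'quick'.  Added illustration; not pf, not the poster's
config.  Not modelled: state, nat/rdr, scrub, flags, user, icmp-type, sports."""
import ipaddress
from dataclasses import dataclass, field

# Interface networks from the posted rc.conf (bge0 = $int_if, rl1 = $wint_if).
NETWORKS = {"bge0": ipaddress.ip_network("192.168.1.0/24"),
            "rl1": ipaddress.ip_network("192.168.0.0/24")}
# rl0 is DHCP; documentation-range placeholder standing in for ($ext_if).
EXT_ADDR = ipaddress.ip_network("198.51.100.10/32")
PRIV_NETS = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    text: str                    # the pf.conf line this rule stands for
    direction: str = "any"       # "in", "out" or "any"
    iface: str = "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    src: list = field(default_factory=list)  # ip_networks; empty = any
    dst: list = field(default_factory=list)
    dport: set = field(default_factory=set)  # destination ports; empty = any
    quick: bool = False

    def matches(self, pkt):
        if self.direction not in ("any", pkt["dir"]):
            return False
        if self.iface not in ("any", pkt["iface"]):
            return False
        if self.proto not in ("any", pkt["proto"]):
            return False
        if self.src and not any(pkt["src"] in n for n in self.src):
            return False
        if self.dst and not any(pkt["dst"] in n for n in self.dst):
            return False
        return not self.dport or pkt["dport"] in self.dport


def evaluate(rules, pkt):
    """Return (action, rule text) of the rule that decides this packet."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:           # 'quick' stops the walk immediately
                break
    return (winner.action, winner.text) if winner else ("block", "no rule")


def packet(direction, iface, proto, src, dst, dport=None):
    return {"dir": direction, "iface": iface, "proto": proto, "dport": dport,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def posted_rules(antispoof_quick=False):
    """The posted filter rules in their posted order.  antispoof_quick=True
    shows the effect of adding 'quick' to the two 'block drop ... $priv_nets'
    rules, as in the OpenBSD example this config was derived from."""
    bge, rl1 = NETWORKS["bge0"], NETWORKS["rl1"]
    return [
        Rule("block", "block all"),
        Rule("pass", "pass quick on lo0 all", iface="lo0", quick=True),
        Rule("block", "block drop in on $ext_if from $priv_nets to any",
             "in", "rl0", src=PRIV_NETS, quick=antispoof_quick),
        Rule("block", "block drop out on $ext_if from any to $priv_nets",
             "out", "rl0", dst=PRIV_NETS, quick=antispoof_quick),
        Rule("pass", "pass in on $ext_if proto tcp to ($ext_if) port $tcp_services",
             "in", "rl0", "tcp", dst=[EXT_ADDR], dport={22, 113}),
        Rule("pass", "pass in inet proto icmp all icmp-type $icmp_types",
             "in", proto="icmp"),
        Rule("pass", "pass in on $int_if from $int_if:network", "in", "bge0", src=[bge]),
        Rule("pass", "pass out on $int_if to $int_if:network", "out", "bge0", dst=[bge]),
        Rule("pass", "pass in on $wint_if from $wint_if:network", "in", "rl1", src=[rl1]),
        Rule("pass", "pass out on $wint_if to $wint_if:network", "out", "rl1", dst=[rl1]),
        Rule("pass", "pass in on $wint_if from $int_if:network", "in", "rl1", src=[bge]),
        Rule("pass", "pass in on $int_if from $wint_if:network", "in", "bge0", src=[rl1]),
        Rule("pass", "pass out on $wint_if to $int_if:network", "out", "rl1", dst=[bge]),
        Rule("pass", "pass out on $int_if to $wint_if:network", "out", "bge0", dst=[rl1]),
        Rule("pass", "pass out on $ext_if proto tcp all", "out", "rl0", "tcp"),
        Rule("pass", "pass out on $ext_if proto udp all", "out", "rl0", "udp"),
        Rule("pass", "pass out on $ext_if proto icmp all", "out", "rl0", "icmp"),
        # 'pass in on $ext_if ... user proxy' omitted: 'user' is not modelled.
    ]


def trace_ping(rules):
    """The failing ping (wired 192.168.1.2 -> AP 192.168.0.229) as the four
    filter decisions a routed packet and its reply pass through."""
    hops = [packet("in", "bge0", "icmp", "192.168.1.2", "192.168.0.229"),
            packet("out", "rl1", "icmp", "192.168.1.2", "192.168.0.229"),
            packet("in", "rl1", "icmp", "192.168.0.229", "192.168.1.2"),
            packet("out", "bge0", "icmp", "192.168.0.229", "192.168.1.2")]
    return [evaluate(rules, p) for p in hops]


if __name__ == "__main__":
    for action, text in trace_ping(posted_rules()):
        print(f"{action:5s} <- {text}")
    spoofed = packet("in", "rl0", "icmp", "10.0.0.1", "192.168.1.2")
    print("spoofed private-source ping on rl0:", evaluate(posted_rules(), spoofed))
    print("same, with 'quick' on the anti-spoof rules:",
          evaluate(posted_rules(antispoof_quick=True), spoofed))
```

All four decisions for the ping come out as `pass`, so in this model the posted filter rules are not what stops the wired-to-wireless ping; the usual next suspect is the return path, since the access point at 192.168.0.229 can only answer 192.168.1.x hosts if its own default gateway points at rl1's 192.168.0.210. The second trace shows why the OpenBSD example marks its anti-spoof rules `quick`: without it, the later `pass in inet proto icmp all` rule is the last match and lets an echo request with a private source address in on rl0. One more caveat when looking at pflog: none of the posted rules carry `log`, so pflog0 stays empty until `log` is added to the `block` rules.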
More information about the freebsd-questions mailing list