PF Routing to VPN Device

Valentin Bud valentin.bud at
Thu Jun 18 08:36:13 UTC 2009

On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost
<mikesw at> wrote:

> Hello,
> We have a network with a VPN device sitting beside a PF server, both
> connected to an internal network.
> PF Server:
> VPN Device:
> The VPNs are set up for and, so any traffic to
> these networks should be routed to  We've set up routes on
> the PF server as such.
> We've set up the following rules:
> block in log
> pass in on $int_if route-to from to {
> However, the block in log is catching the return traffic.  From pflog
> when somebody on the VPN ( tries to connect to on
> port 80:
> 000000 rule 28/0(match): block in on bge1: >
> [|tcp]
> If we remove the block in log, the traffic works.
> What are we missing?
> Thanks,
> Mike

Hello Mike,

What version of FBSD are you using? The keep state is implicit from 7.0 as
far as I know. I might not be right so someone please correct.

If that is the case you should add keep state to your rule and see what

my 7c,
network warrior since 2005
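For readers of this archived thread, here is a pf.conf fragment that spells out the rule Valentin is describing with `keep state` written explicitly. It is an added example, not Mike's ruleset or Valentin's, and the interface macro, network ranges and VPN device address are placeholders (RFC 5737 documentation ranges stand in for the addresses that were stripped from the archived mail; `bge1` is the interface named in the pflog line in the thread).

```pf
# Added example: minimal ruleset for the layout in the thread.
# All addresses below are placeholders, not the poster's real ones.
int_if   = "bge1"                                 # internal interface (from the pflog line)
int_net  = "192.0.2.0/24"                         # placeholder: internal LAN behind the PF box
vpn_gw   = "192.0.2.2"                            # placeholder: VPN device on the internal LAN
vpn_nets = "{ 198.51.100.0/24, 203.0.113.0/24 }"  # placeholder: networks reachable over the VPN

# Default deny on inbound traffic, logged, so anything unmatched shows up
# in pflog the way the "rule 28/0(match): block in on bge1" line did.
block in log

# LAN traffic bound for the VPN networks is handed to the VPN device.
# Written without "keep state", this rule matches only the first half of
# each connection (LAN host -> VPN net). The replies (VPN net -> LAN host)
# enter $int_if from the VPN device, match no pass rule, and fall through
# to "block in log" -- the symptom in the thread. With "keep state" the
# first packet creates a state entry and the replies are matched against
# that state instead of the rule list. On pf versions that already imply
# keep state on pass rules (FreeBSD 7.0 and later, per the reply above)
# the keyword changes nothing, so writing it out is harmless either way.
pass in on $int_if route-to ($int_if $vpn_gw) from $int_net to $vpn_nets keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. After a LAN host opens a connection to a VPN address, `pfctl -ss` should show a state entry for that flow, and the return packets should stop appearing in `tcpdump -n -e -ttt -i pflog0` as blocked.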

More information about the freebsd-questions mailing list