PF Routing to VPN Device

Tim Judd tajudd at
Thu Jun 18 18:38:26 UTC 2009

On 6/17/09, Mike Sweetser - Adhost <mikesw at> wrote:
> Hello,
> We have a network with a VPN device sitting beside a PF server, both
> connected to an internal network.
> PF Server:
> VPN Device:
> The VPNs are set up for and, so any traffic to
> these networks should be routed to  We've set up routes on
> the PF server as such.
> We've set up the following rules:
> block in log
> pass in on $int_if route-to from to {
> However, the block in log is catching the return traffic.  From pflog
> when somebody on the VPN ( tries to connect to on
> port 80:
> 000000 rule 28/0(match): block in on bge1: >
> [|tcp]
> If we remove the block in log, the traffic works.
> What are we missing?
> Thanks,
> Mike


I know the typical firewall rules that are googleable are one of two
basic starting policies.

-- 1.
  block in all
  pass out all

-- 2.
  block all

They've become a headache to me to configure a firewall and I now
start with this base.  In this example, fxp0 is facing the Internet,
and xl0 is facing the trusted network.

-- 3.
  block in on fxp0 all
  pass out

This adds the benefit that VPN connections, TUNs, GIFs, and all other
ethernet devices aren't blindly evaluated to a simple block in rule,
rather it's just the fxp0 interface public Internet traffic that is
being blocked, while TUNs, GIFs, and the like are exempt from that
rule entry line.

Might you try by editing your rules to just block your public IP
firewall interface?

Good luck.
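A complete pf.conf sketch of the interface-scoped base policy described in the reply above (policy 3), combined with a stateful route-to rule for the VPN subnets from the original question. This is an added example, not configuration from either poster; the interface names, the VPN device address and the VPN subnets are placeholder assumptions.

```pf
# Added example (not from the thread): default deny scoped to the public
# interface only, plus a stateful route-to rule toward a VPN device on the LAN.
# All interface names, addresses and subnets below are placeholders.
ext_if   = "fxp0"                              # public Internet interface (assumed)
int_if   = "xl0"                               # trusted internal interface (assumed)
vpn_gw   = "192.0.2.10"                        # VPN device on the LAN (placeholder)
vpn_nets = "{ 10.10.0.0/16, 10.20.0.0/16 }"    # remote VPN subnets (placeholder)

set skip on lo0

# Default deny and logging only on the public interface. TUN, GIF and the
# internal LAN interface are not swept up by this rule, so VPN return traffic
# arriving on $int_if is never evaluated against it.
block in log on $ext_if all

# Outbound traffic is allowed on every interface and creates state.
pass out keep state

# LAN traffic for the VPN subnets is handed straight to the VPN device.
# "keep state" means the replies coming back in on $int_if match the state
# entry instead of being re-evaluated by the block rules.
pass in on $int_if route-to ($int_if $vpn_gw) \
    from $int_if:network to $vpn_nets keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it, and `tcpdump -n -e -ttt -i pflog0` shows which rule number and interface produced each logged block, which is the quickest way to confirm that return traffic is now being matched by state rather than by a catch-all block rule.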
