Hello All,
I need a little help with pf.
I'm running FreeBSD 7.1 as a gateway, OpenVPN server, and Squid.
OpenVPN 2.1.1 is running in bridge mode. I can connect over VPN to the server, but my clients cannot reach the network machines behind the gateway or go out to the Internet. I'm sure the problem is with my vpn rules, but I cannot figure it out. Any help will be greatly appreciated.
Thanks in advance.
My pf.conf is below:
```pf
int_if = "rl1"
ext_if = "rl0"
vpn_if = "tap0"
vpn_net = "$vpn_if:192.168.75.200/27"
tcp_services = "{ 22 }"
udp_services = "{ 1194 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy drop      # drop silently
set loginterface $ext_if   # log stats on ext_if
set skip on lo0            # skip all pf processing on lo0

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $vpn_if
pass in on $int_if from $vpn_net to any keep state    # <--- syntax error
pass out on $int_if from $vpn_net to any keep state   # <--- syntax error
pass in on $ext_if from $vpn_net to any keep state    # <--- syntax error
pass out on $ext_if from $vpn_net to any keep state   # <--- syntax error

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```
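As an added example (not the poster's file and not a reply from the thread), the same pf.conf with the four lines marked as syntax errors corrected. It assumes the VPN clients are assigned addresses in 192.168.75.192/27, the /27 that contains 192.168.75.200, and that this range is not rl1's own network; if the clients share rl1's subnet, keep `vpn_net` equal to `$int_if:network` instead.

```pf
int_if = "rl1"
ext_if = "rl0"
vpn_if = "tap0"
# "$vpn_if:192.168.75.200/27" is not valid pf syntax: an interface name may
# only be followed by :network, :broadcast, :peer or :0. A macro holding a
# plain CIDR range (written as the network address) is what was meant here.
# Assumption: the client range is the /27 containing 192.168.75.200.
vpn_net = "192.168.75.192/27"
tcp_services = "{ 22 }"
udp_services = "{ 1194 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy drop
set loginterface $ext_if
set skip on lo0

scrub in all

# The original nat rule translated only $int_if:network, so VPN clients in
# $vpn_net would leave rl0 with a private source address and never get a
# reply. Translate both ranges.
nat on $ext_if from { $int_if:network, $vpn_net } to any -> ($ext_if)

block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $vpn_if
pass in on $int_if from $vpn_net to any keep state
pass out on $int_if from $vpn_net to any keep state
# The original "pass in on $ext_if from $vpn_net" is omitted: the quick block
# on $priv_nets above already drops any inbound packet on rl0 claiming a
# private source, so the rule could never match and is not needed.
pass out on $ext_if from $vpn_net to any keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the parse step alone is enough to confirm the macro error is gone.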