Hi all!
I have some misunderstanding with the pf firewall. The point is:
1)
(LAN1)->Gateway1(FreeBSD 7.2+pf)-----pptp------Gateway2(FreeBSD 6.3+ipfw+mpd4)<-(LAN2)
2) A client PC in LAN1 makes a VPN connection (PPTP) to the external VPN server (Gateway2). With the current pf.conf this connection is established successfully. But when I try to ping some host in the VPN net, no answers come back. Thus I have no access to the shares of LAN2.
3) My current pf.conf
Code:
ext_if = "rl2"
int_if = "rl0"
lo = "lo0"
internal_net = "192.168.0.0/8"
esc_vpn = "10.18.0.0/8"
ext_ip = "Y.Y.Y.Y"
tcp_svc = "smtp www pop3"
udp_svc = "domain"
esc_ports = "ftp, ftp-data, ssh, 3389, 1723"
set block-policy drop
set skip on lo0
scrub in on ! $lo all fragment reassemble
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 1723 -> 192.168.0.5 port 1723
rdr on $ext_if proto icmp from any to any -> 192.168.0.5
rdr on $ext_if proto gre from any to any -> 192.168.0.5
pass quick log on { lo $int_if }
antispoof log quick for $ext_if
block log on $ext_if
block in log quick from any os NMAP
pass inet proto tcp from any to any
pass out on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass out on $ext_if proto udp keep state
pass proto 47 all keep state
pass in quick on $ext_if proto tcp from any to any port {1723 3389} keep state
pass in quick on $ext_if proto udp from any to any port 53 keep state
pass out quick all keep state
pass out log on $ext_if proto {tcp gre udp} from $esc_vpn to $esc_vpn keep state
pass in log on $ext_if proto {tcp gre udp} from $esc_vpn to $esc_vpn keep state
pass out log on $ext_if proto tcp flags S/SA keep state
pass in on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass in log on $ext_if proto tcp from X.X.X.X to port {$esc_ports} keep state
pass in log on $ext_if proto gre from X.X.X.X keep state
pass in on $ext_if proto tcp to port > 49151 flags S/SA user proxy keep state
4) "route print" on the client PC (WinXP)
Code:
Network address Mask Gateway iface metric
0.0.0.0 0.0.0.0 10.18.0.5 10.18.0.5 1
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.5 21
10.18.0.5 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.18.0.5 10.18.0.5 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.5 192.168.0.5 20
192.168.0.5 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.5 192.168.0.5 20
X.X.X.X 255.255.255.255 192.168.0.1 192.168.0.5 20
224.0.0.0 240.0.0.0 192.168.0.5 192.168.0.5 20
224.0.0.0 240.0.0.0 10.18.0.5 10.18.0.5 1
255.255.255.255 255.255.255.255 10.18.0.5 10.18.0.5 1
255.255.255.255 255.255.255.255 192.168.0.5 192.168.0.5 1
default gateway: 10.18.0.5
===========================================================================
X.X.X.X - external IP of the VPN server (Gateway2).
Y.Y.Y.Y - external IP of Gateway1.
192.168.0.0/24 - network mask of LAN1 and LAN2.
10.18.0.0/8 - mask of the VPN network.
192.168.0.5 - client PC.
Please explain to me where I'm wrong in this pf.conf.
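A constructed example, not part of the original post, that replays the posted "route print" table as a longest-prefix-match lookup (most specific route first, lowest metric on a tie, as Windows selects), so a reader can check which gateway and interface the client uses for a VPN host, a LAN host, the VPN server itself and an Internet address. The VPN server's public address X.X.X.X is stood in for by the documentation-range placeholder 203.0.113.10.

```python
# Replay of the client's "route print" table as a route lookup.
# Windows picks the most specific matching route; among routes with the
# same prefix length it takes the lowest metric.
import ipaddress

# Placeholder for X.X.X.X, the VPN server's external address.
VPN_SERVER = "203.0.113.10"

# Constructed copy of the table quoted in the post (dest mask gateway iface metric).
ROUTE_PRINT = f"""
0.0.0.0 0.0.0.0 10.18.0.5 10.18.0.5 1
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.5 21
10.18.0.5 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.18.0.5 10.18.0.5 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.5 192.168.0.5 20
192.168.0.5 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.5 192.168.0.5 20
{VPN_SERVER} 255.255.255.255 192.168.0.1 192.168.0.5 20
224.0.0.0 240.0.0.0 192.168.0.5 192.168.0.5 20
224.0.0.0 240.0.0.0 10.18.0.5 10.18.0.5 1
255.255.255.255 255.255.255.255 10.18.0.5 10.18.0.5 1
255.255.255.255 255.255.255.255 192.168.0.5 192.168.0.5 1
"""


def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()
        # ipaddress accepts dotted-quad netmasks; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Return (gateway, interface) chosen for dst, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    # Longest prefix wins; on equal prefix length the lowest metric wins.
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return (best[1], best[2])


ROUTES = parse_routes(ROUTE_PRINT)

if __name__ == "__main__":
    for dst in ("10.18.0.1", "192.168.0.20", VPN_SERVER, "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst))
```

With this table every destination outside LAN1, including ordinary Internet traffic, is sent into the PPTP tunnel via 10.18.0.5, while only the VPN server's own address keeps a host route through 192.168.0.1 so the tunnel can reach it.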