Router (as device that forwards data packets) and PF rules.

Greetings, I have one question. Let's say that I have a TP-LINK router. A computer with FreeBSD is connected to the router with a cable (RJ45). There is also a laptop which is using WiFi to connect to the internet. Normally (I mean a connection without the router) I'm using DHCP to get my IP address from my ISP. When I'm using the router, I have three IP addresses: one visible on the network (the IP from the ISP) and two set in the router, e.g. 192.168.1.10 for the computer with FreeBSD and 192.168.1.11 for the laptop. But that's obvious.

So, when I'm writing the PF rules, which IP should I use/filter? The one from my ISP, or the one that is set in the router? Or should I use the address which is assigned to the network interface? Or always use the address from my ISP (visible on the Internet), no matter if I'm using a router or not?

I noticed that when I'm using the router for the internet connection, PF is blocking fewer packets when I check with the pfctl(8) utility. On the other hand, when I'm connected to the internet without using a router (with an IP address assigned by my ISP) it is different: PF is blocking many more packets. Is it normal behaviour?

On the router there is a firewall enabled with some options, like SYN Flood protection. Maybe the router firewall now filters all network traffic?
 
You should use the IP assigned to the local interface. You can also use the shorthand of wrapping the interface name in parentheses, i.e. I do this with an interface of em0:
Code:
ext_if = em0
pass in  on $ext_if proto icmp from any to ($ext_if)
To make it easier and not have to statically list the main IP of the machine.
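To show what the parenthesised form buys you in practice, here is a small pf.conf fragment added as an example (it is not the code posted above and not from any project; the interface name em0 and the 192.168.1.0/24 LAN are taken from this thread, the SSH rule is an assumed extra). `($ext_if)` is re-evaluated by pf whenever the address on em0 changes, so the same ruleset matches 192.168.1.10 behind the router and the ISP-assigned lease on a direct connection, without editing or reloading the rules.

```pf
# /etc/pf.conf fragment (added example, not the poster's configuration)
ext_if = "em0"

# Static form: ties the rule to one lease and silently stops matching
# as soon as DHCP hands out a different address.
#   ext_addr = "192.168.1.10"
#   pass in on $ext_if proto icmp from any to $ext_addr icmp-type echoreq

# Dynamic form: ($ext_if) tracks whatever address em0 currently holds.
# Append :0 to ignore alias addresses, e.g. ($ext_if:0).
set skip on lo0
scrub in all

# Default deny inbound; logging makes the drops visible in pfctl -si
# and on pflog0.
block in log all
pass out quick on $ext_if keep state

# Answer pings addressed to the interface's current address only.
pass in on $ext_if proto icmp from any to ($ext_if) icmp-type echoreq

# Assumed extra rule: SSH only from the directly attached network,
# which is derived from the interface too (:network).
pass in on $ext_if proto tcp from ($ext_if:network) to ($ext_if) port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` prints the loaded rules with the dynamic entries still shown as `(em0)`, and `pfctl -vsr` adds per-rule packet counters. Note that these counters, like the totals from `pfctl -si`, only count packets that actually reach em0, so they are not a measure of what an upstream device has already dropped.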
 
If I understand correctly, by applying e.g. the ext_if macro, and applying the filter rule which you wrote, the addresses filtered will be exactly those assigned to the ext_if macro. That is, if the router is in use - 192.168.1.10, and if not - the address from my ISP, right?
 