B4nsh33 wrote:
Hi people, I'm having some problems implementing a firewall/router for my
company. The firewall has two interfaces, one to the local LAN and one to
the ISP's router (static IP). We have local and remote offices,
interconnected by a WAN link (Cisco routers). The local office is
configured in the 192.168.10.x network, default gateway 192.168.10.100
(firewall's internal IP); the remote office is configured in the 192.168.20.x
network, default gateway 192.168.20.1 (remote router's internal IP).
The local firewall will be providing internet access to both networks. This
is working flawlessly; my problem is the routing between local and
remote office. I want the firewall to route between both networks and
the internet, i.e.:
Do you want to exchange the Cisco routers with your firewall, or am I
missing something? In your picture, the firewall can only route to the
internet and has nothing to do with the routing between the two offices,
as it is only connected to the local office. Your Cisco router in the
local office needs to have the firewall as default gateway to route the
packets from the remote office to the internet, and the Cisco in the
remote office needs "R1" as default gateway.
                     INTERNET
                        ^
                        |
                     +----+
                     | PF |
                     +----+
                 .100   |
                        |
                        |
   LOCAL OFFICE         |                     REMOTE OFFICE
   192.168.10.x         |      +--+     +--+  192.168.20.x
 -----------------------+------|R1|-----|R2|-------------------
     |        |            .1  +--+  ^  +--+  .1        |
  .2 |     .3 |                      |               .6 |
   +---+    +---+                    |                +---+
   |ws1|    |ws2|                    |                |ws3|
   +---+    +---+                 SERIAL              +---+
                                   LINK
typical ws1 IP configuration:
IP Address. . . . . . . . . . . . : 192.168.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.100
typical ws3 IP configuration:
IP Address. . . . . . . . . . . . : 192.168.20.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
netstat -rn on the firewall:
Internet:
Destination        Gateway            Flags     Interface
default            200.13.161.65      UGS       fxp0
127/8              127.0.0.1          UGRS      lo0
127.0.0.1          127.0.0.1          UH        lo0
192.168.10/24      link#2             UC        fxp1
192.168.20/24      192.168.10.1       UGS       fxp1
This is my pf.conf:
###########
## pf.conf
###########
# interfaces
if_net = "fxp0"   # internet
if_loc = "fxp1"   # local network
# NAT source address: the posted file never defines ip_pub, so pfctl would
# refuse to load it; the value below is a placeholder for the static
# address on fxp0 (replace with the real one)
ip_pub = "203.0.113.2"
# groups
table <loc_nets> { 192.168.10.0/24, 192.168.20.0/24 }
# Options
set block-policy drop
scrub in all
# NAT
nat pass on $if_net from <loc_nets> to any -> $ip_pub
# Packet Filtering
# default policy: everything not explicitly passed is dropped and logged
block log all label "DEFAULT BLOCK:"
# trusted interfaces
pass in quick on lo0 all
pass out quick on lo0 all
## FILTER RULES
# anything arriving on the internal interface from either office is
# allowed and tracked by state
pass in quick on $if_loc from <loc_nets> to any flags S/SA keep state
If I ping from ws1 to ws2 I get "Request timed out". Trying to solve the
problem, I added this line to pf.conf:
pass out quick on $if_loc from <loc_nets> to <loc_nets> keep state
Why should internal packets pass your firewall? If both ws are in the
same subnet they should not need a firewall or router to communicate
with each other.
Are these lines really necessary, or am I missing something, maybe in
sysctl.conf?
Sorry for the endless email, but I wanted to make it clear.
Thanks,
marc
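As an added illustration of the routing question in this thread (constructed here, not code from either poster), the following traces a packet hop by hop through the routing tables implied by the picture and the firewall's netstat output. Assumed, because the thread does not give them: the serial link addresses 10.0.0.1 (R1) and 10.0.0.2 (R2) and the interface names eth0/ser0.

```python
import ipaddress

# Topology reconstructed from the picture and the firewall's netstat output.
# Constructed for this example: the serial link uses 10.0.0.1 (R1) and
# 10.0.0.2 (R2) and the interface names eth0/ser0; the thread gives neither.
ADDRS = {
    "192.168.10.2": "ws1", "192.168.10.3": "ws2", "192.168.10.100": "PF",
    "192.168.10.1": "R1", "10.0.0.1": "R1",
    "10.0.0.2": "R2", "192.168.20.1": "R2", "192.168.20.6": "ws3",
}
# node -> (prefix, next hop or None when directly connected, outgoing interface)
ROUTES = {
    "ws1": [("192.168.10.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.10.100", "eth0")],
    "ws2": [("192.168.10.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.10.100", "eth0")],
    "PF": [("192.168.10.0/24", None, "fxp1"), ("192.168.20.0/24", "192.168.10.1", "fxp1"),
           ("0.0.0.0/0", "200.13.161.65", "fxp0")],
    "R1": [("192.168.10.0/24", None, "eth0"), ("10.0.0.0/30", None, "ser0"),
           ("192.168.20.0/24", "10.0.0.2", "ser0"), ("0.0.0.0/0", "192.168.10.100", "eth0")],
    "R2": [("192.168.20.0/24", None, "eth0"), ("10.0.0.0/30", None, "ser0"),
           ("192.168.10.0/24", "10.0.0.1", "ser0"), ("0.0.0.0/0", "10.0.0.1", "ser0")],
    "ws3": [("192.168.20.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.20.1", "eth0")],
}

def lookup(node, dst):
    """Longest-prefix match in a node's table; returns (next_hop, interface)."""
    best = None
    for prefix, nh, iface in ROUTES[node]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    if best is None:
        raise LookupError(f"{node}: no route to {dst}")
    return best[1], best[2]

def trace(src_ip, dst_ip, max_hops=16):
    """Hop-by-hop path as [(node, out_iface), ...]; the final entry has iface None."""
    dst, node, path = ipaddress.ip_address(dst_ip), ADDRS[src_ip], []
    for _ in range(max_hops):
        if ADDRS.get(str(dst)) == node:          # packet has reached its destination
            return path + [(node, None)]
        nh, iface = lookup(node, dst)
        path.append((node, iface))
        node = ADDRS[nh or str(dst)]             # None next hop: deliver on the local link
    raise RuntimeError(f"routing loop between {src_ip} and {dst_ip}")

def pf_forwards_on(src_ip, dst_ip):
    """Interfaces PF forwards this flow out of; empty when PF never sees it."""
    return [iface for node, iface in trace(src_ip, dst_ip) if node == "PF"]
```

Tracing ws1 to ws3 shows the packet entering and leaving PF on fxp1 (a hairpin to R1) while the reply from ws3 comes back through R1 directly and never touches PF, so the firewall sees only one direction of that flow; ws1 to ws2 is delivered on the local link and PF is not in the path at all, which is the point made in the reply above.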