Sorry for the top post, but it makes more sense in this case. Change the netmask for all internal interfaces to 255.255.0.0 and they will all be on the same subnet - no routing needed. Then make the default route on all workstations and the Ciscos point to the internal interface on the firewall.
_________________________
Unix has the bottom 95% of what you'd want in an OS. Windows has the top 30% (it's kinda pretty to the new, but if you dig a bit, you find that it's all on top of nothing).

--- B4nsh33 <[EMAIL PROTECTED]> wrote:

From: B4nsh33 <[EMAIL PROTECTED]>
Date: Thu, 25 Aug 2005 17:02:54 -0600
To: misc@openbsd.org
Subject: PF and routing

Hi people, I'm having some problems implementing a firewall/router for my company. The firewall has two interfaces, one to the local LAN and one to the ISP's router (static IP). We have local and remote offices, interconnected by a WAN link (Cisco routers). The local office is configured in the 192.168.10.x network, default gateway 192.168.10.100 (firewall's internal IP); the remote office is configured in the 192.168.20.x network, default gateway 192.168.20.1 (remote router's internal IP). The local firewall will be providing internet access to both networks. This is working flawlessly; my problem is the routing between the local and remote office. I want the firewall to route between both networks and the internet, i.e.:

                        INTERNET
                           ^
                           |
                         +----+
                         | PF |
                         +----+
                          .100
                           |
                           |
      LOCAL OFFICE         |                  REMOTE OFFICE
      192.168.10.x         |     +--+    +--+ 192.168.20.x
    -----------------------+-----|R1|----|R2|-------------------
        |        |             .1 +--+  ^ +--+ .1          |
       .2       .3                      |                 .6
        |        |                      |                  |
      +---+    +---+                    |                +---+
      |ws1|    |ws2|                    |                |ws3|
      +---+    +---+                 SERIAL              +---+
                                      LINK

Typical ws1 IP configuration:

    IP Address. . . . . . . . . . . . : 192.168.10.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.10.100

Typical ws3 IP configuration:

    IP Address. . . . . . . . . . . . : 192.168.20.6
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.20.1

netstat -rn on the firewall:

    Internet:
    Destination        Gateway            Flags     Interface
    default            200.13.161.65      UGS       fxp0
    127/8              127.0.0.1          UGRS      lo0
    127.0.0.1          127.0.0.1          UH        lo0
    192.168.10/24      link#2             UC        fxp1
    192.168.20/24      192.168.10.1       UGS       fxp1

This is my pf.conf:

    ###########
    ## pf.conf
    ###########

    # interfaces
    if_net = "fxp0"          # internet
    if_loc = "fxp1"          # local network
    ip_pub = "PUBLIC_IP"     # static address on $if_net; the value was not given in the post

    # groups
    table <loc_nets> { 192.168.10.0/24, 192.168.20.0/24 }

    # Options
    set block-policy drop
    scrub in all

    # NAT
    nat pass on $if_net from <loc_nets> to any -> $ip_pub

    # Packet Filtering
    # default policy
    block log all label "DEFAULT BLOCK:"

    # trusted interfaces
    pass in  quick on lo0 all
    pass out quick on lo0 all

    ## FILTER RULES
    pass in quick on $if_loc from <loc_nets> to any flags S/SA keep state

If I ping from ws1 to ws2 I get "Request timed out". Trying to solve the problem, I added this line to pf.conf:

    pass out quick on $if_loc from <loc_nets> to <loc_nets> keep state

Is this line really necessary, or am I missing something, maybe in sysctl.conf? Sorry for the endless email, but I wanted to make it clear. Thanks
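An added example, not from either poster, that models the firewall's posted routing table with a longest-prefix lookup to show which interface and direction PF evaluates for a local-office to remote-office packet; 203.0.113.10 is a constructed outside address and the loopback routes are left out.

```python
import ipaddress

# The firewall's routing table as posted in the thread (netstat -rn), with the
# loopback entries dropped. Constructed model of the post, not live data.
FW_ROUTES = [
    # (destination, gateway or None if directly connected, interface)
    ("0.0.0.0/0",       "200.13.161.65", "fxp0"),
    ("192.168.10.0/24", None,            "fxp1"),
    ("192.168.20.0/24", "192.168.10.1",  "fxp1"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (gateway, interface) used to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, ifname)
    if best is None:
        raise LookupError(f"no route to {addr}")
    return best[1], best[2]


def forwarding_path(routes, src, dst):
    """Describe how the firewall forwards a packet from src to dst.

    The ingress interface is taken from the route back to src (where PF sees
    the packet arrive); the egress interface and next hop come from the route
    to dst. 'hairpin' is True when both are the same interface, meaning both
    an 'in' and an 'out' rule on that one interface are consulted.
    """
    _, in_if = lookup(routes, src)
    gw, out_if = lookup(routes, dst)
    return {"in": in_if, "out": out_if, "next_hop": gw or dst,
            "hairpin": in_if == out_if}


if __name__ == "__main__":
    # ws1 to ws3 (local office to remote office) and ws1 to an outside host
    # (203.0.113.10 is a documentation-range address constructed for this example).
    for dst in ("192.168.20.6", "203.0.113.10"):
        print("192.168.10.2 ->", dst, forwarding_path(FW_ROUTES, "192.168.10.2", dst))
```

Traffic from ws1 to ws3 enters and leaves on fxp1 with R1 as next hop, so the default block applies to it on the way out unless a state entry or an out rule on $if_loc passes it. Because R1 (192.168.10.1) sits on the same LAN as ws1, the return traffic from the remote office reaches ws1 directly and never crosses the firewall.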