If you've disabled pf and it doesn't, then yes, possibly.

If the network is configured like this:

192.168.1.0/24]----192.168.1.1(em0)[Router]10.1.0.1(em1)----[10.1.0.0/21

Setting the default routes to the required interface on each side
should allow packets to flow freely from end to end.  There should be
no need for PF trickery unless you wish to restrict access to certain
machines on either side.

Your best test is a traceroute.  Perform a traceroute from one side to
the other, and see what the last step is before you get a string of
timeouts.

All said, I see rules in your PF that allow certain ICMP types, but
haven't included the echo response - that's probably why you can't
ping across the router.

On Wed, May 18, 2011 at 3:29 PM, David Schulz
<mailingli...@ironwhale.com> wrote:
> Basically I am just trying to verify whether I actually do need the match out
> statements in pf.conf in order for both Sides on each Network Card to talk to
> each other. Say I do not, and it should all just work, does the fact that it
> does not work suggest that I most likely have a routing issue?
>
> best regards,
> D
>
> On May 17, 2011, at 9:29 PM, David Gwynne wrote:
>
>> hey david,
>>
>> pf is run twice on packets going through a box, once before the network stack
>> and again as it leaves it. This means you have to allow a packet in one side
>> as well as when it goes out the other.
>>
>> dlg
>>
>> On 17/05/2011, at 10:16 PM, David Schulz wrote:
>>
>>> Hi all,
>>>
>>> i have a LAN within a LAN and the setup is as follows:
>>>
>>> 192.168.1.0/24 <-- OpenBSD 4.9 Router with 2 NICS --> 10.1.0.0/21
>>>
>>> My goal is to get both Sides talking to each other (let's start with making
>>> them be able to ping each other). I got it working by using the following
>>> pf.conf, however I thought I should not need to have those match out
>>> statements, because OpenBSD routes packets between interfaces by default as
>>> long as sysctl net.inet.ip.forwarding=1 is set.
>>>
>>> From inside my OpenBSD Box I can ping Devices on either Side just fine. From a
>>> machine sitting on either Side, I can ping the OpenBSD Box just fine. But I
>>> simply cannot get Side A Machines to talk to Side B Machines unless I
>>> uncomment the two below match out statements inside my pf.conf.
>>>
>>> If someone could share some insight, I'd be most thankful.
>>>
>>> regards,
>>> D
>>>
>>> Here is my simplified pf.conf which again does not work unless I uncomment the
>>> two match out Rules:
>>> ++++++++ pf.conf
>>> int_if="sis0"
>>> ext_if="sis1"
>>>
>>> icmp_types = "{ echoreq, unreach }"
>>>
>>> set require-order yes
>>> set block-policy return
>>> set optimization normal
>>> set loginterface $ext_if
>>>
>>> match in all scrub (no-df)
>>>
>>> set skip on lo
>>>
>>> #match out on $int_if from 192.168.1.0/24 to any nat-to ($int_if)
>>> #match out on $ext_if from 10.1.0.0/21 to any nat-to ($ext_if)
>>>
>>> block log all
>>>
>>> #Simplified for 'making it work purposes'
>>> pass out quick
>>> pass in quick
>>>
>>> antispoof quick for { lo0 $int_if $ext_if } inet
>>>
>>> # allow ICMP
>>> pass in quick on { $int_if $ext_if } inet proto icmp all icmp-type $icmp_types keep state
>>> ++++++++
>>>
>>> ++++++++ route -n
>>> cndlne001'root(~)> route -n show | grep default
>>> default            10.1.3.1           UGS        0    23106     -     8 sis0
>>>
>>> cndlne001'root(~)> route -n show | grep 192.168.1
>>> 192.168.1/24       link#2             UC         2        0     -     4 sis1
>
>
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
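
A routed (no nat-to) ruleset for the two-NIC setup in this thread, written to follow dlg's point that a forwarded packet passes pf once on the way in and once on the way out. This is an added example, not a ruleset from the thread or from OpenBSD; it assumes sis0 sits on 10.1.0.0/21 and sis1 on 192.168.1.0/24 (as the quoted route output suggests), that net.inet.ip.forwarding=1 is set, and that every host on each side either uses the router's address on its own subnet as default gateway or has a static route for the other subnet via it.

```pf
# Added example (not from the thread). Interface names are kept from the
# original pf.conf; note that $int_if (sis0) is the 10.1.0.0/21 side and
# $ext_if (sis1) is the 192.168.1.0/24 side, matching the quoted route output.
int_if = "sis0"
ext_if = "sis1"
lan_10 = "10.1.0.0/21"
lan_192 = "192.168.1.0/24"
icmp_types = "{ echoreq, unreach }"

set skip on lo
set block-policy return
set loginterface $ext_if

match in all scrub (no-df)

# Default deny; everything that is allowed is listed explicitly below.
block log all

antispoof quick for { lo0 $int_if $ext_if } inet

# A forwarded packet is evaluated twice: "in" on the interface it arrives on
# and "out" on the interface it leaves by, so each direction of traffic needs
# both a pass in and a pass out rule. pass rules keep state by default, and the
# state lets the echo replies back through without a separate echorep rule.
pass in  on $int_if inet proto icmp from $lan_10  to $lan_192 icmp-type $icmp_types
pass out on $ext_if inet proto icmp from $lan_10  to $lan_192 icmp-type $icmp_types
pass in  on $ext_if inet proto icmp from $lan_192 to $lan_10  icmp-type $icmp_types
pass out on $int_if inet proto icmp from $lan_192 to $lan_10  icmp-type $icmp_types

# Traffic to and from the router itself (assumed: ssh for administration).
pass in  on { $int_if $ext_if } inet proto tcp from { $lan_10 $lan_192 } to self port 22
pass out on { $int_if $ext_if } inet from self

# With no nat-to, each side sees the other's real source addresses. If pings
# still fail with this loaded, the usual cause is an end host with no route
# back to the other subnet; a traceroute from that host shows the router as
# the last hop that answers.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.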
