Not a pf magician, but think I found a typo below that could be the problem.
On Aug 19, 2018 6:51 PM, Jay Hart <jh...@kevla.org> wrote:
>
> Hello all,
>
> I finally got my "new" server online, still have to disable inteldrm to get
> it to boot though.
>
> Ran into two issues upon initial bootup:
>
> 1. DHCPD failed to start, trying to troubleshoot that one.
>
> 2. I have a fully working pf.conf file on my current server, copied it over
> to my new server and made a few corrections since the interfaces are
> different, but that's about it. The problem is this: the new router boots
> up and dhclient goes and gets a lease, and I have an ip address. I can ping
> external to the box and also can do a wget and download a file, so I know
> the box is online. My internal network though, can't see a thing past the
> external interface, can't ping, or resolve anything. The resolv.conf files
> look ok (they match the old box files). My thinking is that for some
> reason, pf doesn't like my current config file. Both boxes are fully
> patched 6.3 versions. One is 32-bit, the other is 64-bit.
>
> On the new router, re0 is the external interface, re1 is internal
> interface. Assuming with DHCPD enabled, it would monitor the internal
> interface for dhcp requests from my internal machines. If the internal
> interface was having a problem initializing, would that prevent dhcpd from
> starting up? I'm wondering if both interfaces can be enabled at the same
> time. They SHOULD be able to, but with this motherboard, who knows...
>
> I'm posting my pf.conf file, other suggestions that could help me narrow
> the scope of the problem are appreciated.
>
> # $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
>
> int_if = "re0"

Should that be "re1"?

> www_ad = "192.168.1.99"
> icmp_types="echoreq"
> NoRouteIPs = "{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"
>
> set block-policy return
> set loginterface egress
> set skip on lo
>
> #Protection
> antispoof quick for { lo $int_if }

Don't remember what antispoof does, but if you do it on your egress if re0 it will probably do bad stuff.

> block in quick on egress from $NoRouteIPs to any
> block out quick on egress from any to $NoRouteIPs
>
> #filter rules and anchor for ftp-proxy
> anchor "ftp-proxy/*"
>
> #rule needed to redirect ftp connection for ftp-proxy
> pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
>
> #match rules
> match out on egress inet from !(egress) to any nat-to (egress:0)
>
> block in log
> pass out quick
>
> #next rule passes http-https traffic to the web/email server
> pass in on egress inet proto tcp from any to (egress) port {80 443} rdr-to $www_ad synproxy state
>
> #traceroute rule (for IPv4)
> pass out on egress inet proto udp to port 33433:33626
>
> #next rule redirects smtp traffic to the email server
> pass in on egress inet proto tcp from any to (egress) port 25 rdr-to $www_ad
>
> #pass in certain types of ICMP traffic
> pass in inet proto icmp all icmp-type $icmp_types
>
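Added example, not from this thread or from OpenBSD itself: a small Python lint that parses the macro assignments in a pf.conf excerpt, expands $macro references in antispoof rules, and flags the two things raised above (int_if naming the external interface, and antispoof being applied to it). The excerpt, the macro regex and the name of the external interface (re0, as stated in the thread) are constructed assumptions; pfctl -nf /etc/pf.conf remains the authoritative syntax check.

```python
import re
# Constructed excerpt of the pf.conf quoted above, keeping the suspected typo
# (int_if pointing at the external interface re0) so the check has something to find.
SAMPLE_PF_CONF = """\
int_if = "re0"
NoRouteIPs = "{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"
set loginterface egress
antispoof quick for { lo $int_if }
block in quick on egress from $NoRouteIPs to any
block in log
pass out quick
"""

# name = "value" or name=value with an optional trailing comment (not the full grammar)
MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]+?)"?\s*(#.*)?$')

def parse_macros(text):
    """Return {name: value} for the simple macro assignments in a pf.conf."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros

def expand(s, macros):
    """Replace $name references with their macro values (one level of expansion)."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), s)

def antispoof_interfaces(text, macros):
    """Interfaces named by every 'antispoof ... for ...' rule, after macro expansion."""
    ifaces = []
    for line in text.splitlines():
        rule = line.split('#', 1)[0].strip()
        if rule.startswith('antispoof') and ' for ' in rule:
            target = expand(rule.split(' for ', 1)[1], macros)
            ifaces.extend(target.strip('{} ').replace(',', ' ').split())
    return ifaces

def lint(text, ext_if):
    """Findings to raise when ext_if (the outside interface, re0 in the thread)
    appears where the inside interface is expected."""
    macros = parse_macros(text)
    findings = []
    if macros.get('int_if') == ext_if:
        findings.append(f'int_if is set to the external interface {ext_if}')
    if ext_if in antispoof_interfaces(text, macros):
        findings.append(f'antispoof applies to the external interface {ext_if}')
    return findings
```

Running lint(SAMPLE_PF_CONF, 're0') reports both findings; changing the macro to "re1" makes them disappear.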