Been staring at this too long, maybe another pair of eyes can help out. Basically trying to bring up another internet connection, a 3rd one, and want to provide some internet-accessible services via the non-primary connection. All connections are handed off to me as straight ethernet with static IPs, no PPPoE or the like. Things work fine off the primary connection, the second one I just use for web surfing traffic (nothing coming in from it), and this 3rd one will replace the primary after a while.
$Greg_ip is a host on the internet I use for testing from outside.

isp3EXTwebserver_ip = "internetip/32"
DMZwebserver = "dmzip/32"

nat on $isp3_if from $DMZwebserver to any -> $isp3EXTwebserver_ip
nat on $isp1_if from $DMZwebserver to any -> $EXTwebserver
rdr on $isp3_if proto tcp from $greg_ip to $isp3EXTwebserver_ip port https -> $DMZwebserver port https

pass in quick on $isp3inet_if reply-to ($isp3_if $isp3_gw) proto tcp from $greg_ip to $DMZwebserver port https keep state
#pass out quick on $dmz_if from any to any
#pass in quick on $dmz_if from any to any
pass out quick on $dmz_if from any to $DMZwebserver keep state
pass in quick on $dmz_if from any to any keep state
pass out quick on $isp3inet_if from any to $greg_ip

Using tcpdump:
Request comes in via the isp3 interface.
Passed out the DMZ interface to the server.
Server replies on the DMZ interface, and that's it; it never makes it back out any other interface.

I then see on the DMZ interface an ICMP host unreachable sent to the web server. Block-policy is set to drop. What else can I do to see why it is sending the ICMP host unreachable and the reply not making it back to the internet? I moved the rules to the top and put quicks on them so they are the first rules evaluated.

Running OpenBSD 4.5 stable, all patched up. I also put a route-to for surfing, and my machine behind it can surf the internet, send pings out, and push other traffic through the isp3 interface just fine.

Thanks, Greg
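As an added example (not from the post), the basic shape of this setup in OpenBSD 4.5 pf.conf syntax: one public address on the secondary ISP redirected to one DMZ host, with reply-to pinning the return path to that ISP's gateway. Interface names, addresses and the gateway are assumed placeholders.

```pf
# Added example, not the poster's config. All names and addresses are assumed.
isp3_if  = "em2"          # link to ISP 3: static address, plain ethernet
isp3_gw  = "192.0.2.1"    # ISP 3's next hop (assumed)
dmz_if   = "em3"
srv_dmz  = "10.0.3.10"    # the web server's DMZ address (assumed)
srv_pub3 = "192.0.2.10"   # its public address on ISP 3 (assumed)

# Outbound traffic from the server that leaves via ISP 3 gets ISP 3's public address.
nat on $isp3_if from $srv_dmz to any -> $srv_pub3

# Inbound HTTPS arriving on ISP 3's public address is redirected to the DMZ host.
# Filter rules below see the post-rdr destination, so they match on $srv_dmz.
rdr on $isp3_if proto tcp from any to $srv_pub3 port https -> $srv_dmz port https

# The state is created here, on the ISP 3 interface. reply-to records that
# replies matching this state leave through $isp3_if via $isp3_gw, regardless
# of the default route (which in the post points at ISP 1).
pass in log quick on $isp3_if reply-to ($isp3_if $isp3_gw) \
    proto tcp from any to $srv_dmz port https flags S/SA keep state

# Let the redirected packet reach the server. The reply coming back in on
# $dmz_if matches the state above (states are checked before rules), so the
# dmz-side rules only apply to traffic that has no state yet.
pass out log quick on $dmz_if proto tcp from any to $srv_dmz port https keep state
pass in  log quick on $dmz_if proto tcp from $srv_dmz port https to any keep state
```

With `log` on the rules, `tcpdump -n -e -ttt -i pflog0` shows which rule and interface each packet matched, and `pfctl -vvss` shows the rule that created each state, which tells you whether the server's reply is matching the reply-to state or creating a new one.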
