On Fri, December 9, 2016 2:24 pm, é*·è*´å¼º wrote:
> Hi, I don't really think ip forwarding is broken either as I can still
> access the Internet.
>
> # ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
>        index 6 priority 0 llprio 3
>        groups: lo
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
>        inet 127.0.0.1 netmask 0xff000000
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 1a:cc:00:12:b1:9c
>        index 1 priority 0 llprio 3
>        media: Ethernet autoselect (100baseTX full-duplex)
>        status: active
>        inet 192.168.244.1 netmask 0xffffff00 broadcast 192.168.244.255
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 1a:cc:00:12:b1:9d
>        index 2 priority 0 llprio 3
>        media: Ethernet autoselect (100baseTX full-duplex)
>        status: active
>        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 1a:cc:00:12:b1:9e
>        index 3 priority 0 llprio 3
>        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>        status: active
>        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
> em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 1a:cc:00:12:b1:9f
>        index 4 priority 0 llprio 3
>        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>        status: active
>        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
> enc0: flags=0<>
>        index 5 priority 0 llprio 3
>        groups: enc
>        status: active
> pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
>        index 7 priority 0 llprio 3
>        dev: em0 state: session
>        sid: 0x69cc PADI retries: 15 PADR retries: 0 time: 4d 13:55:21
>        sppp: phase network authproto pap authname "lan1201210025"
>        groups: pppoe egress
>        status: active
>        inet 27.9.22.243 --> 27.9.20.1 netmask 0xffffffff
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
>        index 8 priority 0 llprio 3
>        groups: pflog
>
> # cat /etc/pf.conf
> #       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
>
> set skip on lo
>
> block return    # block stateless traffic
> pass            # establish keep-state
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> pass out on egress from !(egress:network) to any nat-to (egress)
>

You're probably matching on the nat-to rule even when going from LAN to
LAN.  It reads like this:  Pass out on your internet interface from not
the internet to anywhere (the internet or even the LAN) and NAT it out the
internet interface.

You can't get to your LAN from the internet interface.  You need to
exclude the LAN networks from 'any' or add additional rules to match when
going LAN to LAN.
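As an added illustration (not from either poster), here is one way to write the ruleset so the NAT rule can only ever match traffic bound for the Internet, and LAN-to-LAN forwarding is passed by a rule of its own. The subnets come from the quoted ifconfig output; treating 192.168.244.0/24 on em0 as a LAN segment is an assumption, since em0 also carries the pppoe0 session.

```pf
# Added example, not from the thread.  Subnets taken from the quoted
# ifconfig output; 192.168.244.0/24 on em0 assumed to be a LAN segment.
table <lan> const { 192.168.1.0/24, 192.168.2.0/24, \
                    192.168.3.0/24, 192.168.244.0/24 }

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Forwarded LAN-to-LAN traffic: pass it explicitly, never NAT it
pass in on { em1 em2 em3 } from <lan> to <lan>

# NAT only what leaves on the Internet interface toward a non-LAN address;
# "to ! <lan>" replaces the original "to any"
pass out on egress from <lan> to ! <lan> nat-to (egress)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then use `pfctl -vvsr` while generating a LAN-to-LAN connection: the per-rule evaluation and packet counters show which rule that traffic actually hits, which settles the question without guessing from the rule text.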
