I'm in the process of evaluating whether to transition from a DSL line
over to a cable modem, and until February I'll have both hooked up to
my OpenBSD 3.8 box, which acts as a mail/web/NAT server.

I've got the new cable modem hooked up, it has an IP, and I can ping
its gateway...but using that connection to talk to the rest of the
world is not yet functional. Basically, if I ping the cable modem's IP,
attempt to SSH to it, etc. from the outside world, the packets come
into that interface...and then attempt to go out the interface hooked
to my DSL modem. Since I'm not sure if this is a route table issue or a
PF issue, I'll give my full config here:

The return traffic is following your default route which points out your
DSL line ($ext_if). The ruleset is evaluated but your "pass out on
$ext_if" rule specifies flags S/SA so the packet doesn't match.

Read pf.conf(5) and look for the reply-to option. Also the pf faq would
probably help you too (http://www.openbsd.org/faq/pf/pools.html).

I had already read both of those, without much success. However, your comment prompted me to go poke around a bit more, especially with the reply-to option (I had missed that earlier), and I now can SSH in via the cable modem interface (no word yet on whether I can NAT out of it, I'll figure that out when I'm at a machine that would use that NAT). FYI for anyone reading this now or in an archived version, the only line I really needed was:

pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp from any to ($ext_if2) \
        port $tcp_ok flags S/SA keep state

I'll reply with info on NAT once I get that operational, again for the benefit of anyone else who might be in my situation now or in the future. :-)

Alex Kirk
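For anyone landing on this thread from the archives, here is a pf.conf fragment that puts the reply-to rule Alex ended up with into context. It is an added example written for this thread, not a copy of Alex's config or of anything from the OpenBSD FAQ; the interface names, gateway addresses and port list are placeholders, and it covers only the inbound case that was confirmed working (NAT out of the second link, which needs route-to, is not shown).

```pf
# Added example (not from the thread): two upstream links on an OpenBSD 3.8
# box. The DSL link carries the default route, the cable link does not.
# Interface names, gateway addresses and the port list are assumed.
ext_if  = "dc0"            # DSL link, owns the default route
ext_gw  = "192.0.2.1"      # DSL gateway (placeholder)
ext_if2 = "dc1"            # cable link, no default route
ext_gw2 = "198.51.100.1"   # cable gateway (placeholder)
tcp_ok  = "{ 22, 25, 80 }" # services this host exposes (assumed)

pass quick on lo0

# Default deny; every pass rule below creates state.
block log all

# Inbound on the DSL side: the kernel's default route already points back
# out $ext_if, so a plain stateful pass is enough.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_ok flags S/SA keep state

# Inbound on the cable side: without reply-to, the SYN-ACK for these
# connections would follow the default route out $ext_if (with the cable
# IP as source) and never make it back. reply-to pins the return path
# of every packet in the state to $ext_gw2 via $ext_if2.
pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
        from any to ($ext_if2) port $tcp_ok flags S/SA keep state

# Connections the box itself opens. Replies to the inbound rules above
# are matched by state before reaching these, so the flags S/SA
# restriction only ever applies to new outbound connections.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
        flags S/SA keep state
pass out on $ext_if2 inet proto tcp from ($ext_if2) to any \
        flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is the quickest way to catch a typo in the reply-to clause before replacing a working ruleset; `pfctl -vsr` afterwards shows the loaded rules with their packet counters, so a connection attempt to the cable IP should bump the counter on the reply-to rule rather than on the block rule.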
