On Mon, Jan 21, 2008 at 12:38:36AM +1100, Sunnz wrote:
> 2008/1/21, Sunnz <[EMAIL PROTECTED]>:
> > route-to
> > 2)
> > pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
> >
> > 3)
> > pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
> > pass out on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from pppoe1:0 to any
> >
> > 4)
> > pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
> > pass out on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from pppoe1:0 to any
> > pass in on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from any to pppoe0:0
> > pass in on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from any to pppoe1:0
> >
> > 2) 3) and 4) works with traceroute and ping from the outside, but not ssh.
>
> Oh, what was I thinking!! it should be like
>
> pass out on pppoe1 route-to (pppoe0 (pppoe0:peer)) inet from pppoe0:0 to any

This probably fails because of stateful filtering: the connection is
"to pppoe0:0" but the replies are "from pppoe0:0", and the rule will not
match them when it is stateful. Try adding "no state" to your rules
(which is not recommended) or using reply-to.

-- 
Jussi Peltola