Good morning folks,
I am a little bit stumped with my firewall config and need some
assistance. I have a Soekris net4501 with two interfaces connected. The
sis1 interface is connected to my macbook and the sis2 interface (vlan
trunk) is connected to my switch (see diagram below). I have a bridge
interface (bridge0) with vlan100, sis1 and ral0 as members. I
assume this is the best way to have multiple physical interfaces in a vlan.
                               .---------.
                               |         |
 .------.+ sis0                | macbook |
 |      |            .---------+         |
 |  fw  |+ sis1 +----'         !_________!
 |      |
 |      |          802.1q trunk     .--------.   vlan99 (inet)
 !______!+ sis2 +-------------------+ switch +------------------
         +ral0                      !________!
                                        |
                      .--------.        | vlan100
                      |        |        |
                      | server +--------'
                      |        |
                      !________!
With no rules loaded in PF everything works just fine. From my Macbook I
am able to NAT outside the network and also access everything on
vlan100. When I load the rules into PF I am unable to access the
management IP on the switch or my server, both of which are in vlan100.
It's obviously an issue with pf and the bridge interface, I just can't
seem to figure it out (see config below).
I appreciate any advice on this.
Cheers,
-Chris
hostname.sis1
-------------
up
hostname.sis2
-------------
up
hostname.vlan99
---------------
dhcp NONE NONE NONE vlan 99 vlandev sis2
hostname.vlan100
----------------
inet 192.168.1.1 255.255.255.0 NONE vlan 100 vlandev sis2
bridgename.bridge0
------------------
add vlan100
add sis1
add ral0
up
pf.conf
-------
#################################################################
# Macros
ext_if="vlan99"
int_if="vlan100"
int_bridge="bridge0"
int_net="192.168.1.0/24"
icmp_types="echoreq"
#################################################################
# Options
set block-policy return
set loginterface $ext_if
set skip on lo
#################################################################
# Traffic Normalization
scrub in
#################################################################
# NAT Rules: "rdr", "nat", "binat"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2121 \
-> 192.168.1.200 port 21
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 \
-> 192.168.1.200 port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 \
-> 192.168.1.200 port 80
#################################################################
# Filter Rules
block in
pass out
anchor "ftp-proxy/*"
antispoof quick for lo0
pass in log on $ext_if proto udp from any to ($ext_if:0) \
port {500, 4500}
pass out log on $ext_if proto udp from ($ext_if:0) to any \
port {500, 4500}
pass in log on $ext_if proto esp from any to ($ext_if:0)
pass out log on $ext_if proto esp from ($ext_if:0) to any
pass in log on enc0 proto ipencap from any to ($ext_if:0) \
keep state (if-bound)
pass out log on enc0 proto ipencap from ($ext_if:0) to any \
keep state (if-bound)
pass in on enc0 from 10.1.0.2/32 to any keep state (if-bound)
pass out on enc0 from 192.168.1.0/24 to any keep state (if-bound)
pass in inet proto icmp all icmp-type $icmp_types
pass in log on $ext_if proto udp from any to port 1194
pass in log on $ext_if proto tcp to ($ext_if) port ssh
pass in log on $ext_if proto tcp from any to 192.168.1.200 \
port 21
pass in log on $ext_if proto tcp from any to 192.168.1.200 \
port 22
pass in log on $ext_if proto tcp from any to 192.168.1.200 \
port 80
pass in log on $ext_if proto tcp to ($ext_if) port smtp
pass out log on $ext_if proto tcp from ($ext_if) to port smtp
pass quick on $int_if
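Added example, not from Chris's message: the ruleset above passes only on $int_if (vlan100), but a frame the macbook sends to the server or the switch arrives on sis1 and is forwarded by bridge0, and pf filters forwarded frames on each bridge member interface it enters and leaves (this is how OpenBSD's bridge(4) interacts with pf; it is the assumption this example rests on). The default "block in" therefore matches on sis1 and ral0, while traffic that vlan100 itself receives is passed. The excerpt below keeps the poster's pre-4.7 "nat"/"rdr" syntax and interface names; the $bridge_members macro and the log on the default block are assumptions added here.

```pf
# Added example (not the original config): pass bridged traffic on every
# bridge0 member, not just vlan100.
ext_if="vlan99"
int_if="vlan100"
int_bridge="bridge0"
# Assumed macro: every member of bridge0. Frames forwarded across the bridge
# are filtered on the member they arrive on and the member they leave on.
bridge_members="{ vlan100 sis1 ral0 }"
int_net="192.168.1.0/24"
icmp_types="echoreq"

set block-policy return
set loginterface $ext_if
set skip on lo
# Alternative: exempt the bridge members from pf entirely. Simpler, but it
# also disables the "rdr pass ... port ftp" redirection on vlan100 and any
# logging of inside traffic, so the explicit pass rule below is preferred.
# set skip on $bridge_members

scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# Log the default block so the member interface that drops a frame shows
# up in pflog0:  tcpdump -n -e -ttt -i pflog0
block in log
pass out
anchor "ftp-proxy/*"
antispoof quick for lo0

# ... the vlan99 (Internet side) pass rules from the original ruleset go here,
# unchanged ...

# Trust the inside: match on any bridge member, not only vlan100. "quick"
# stops evaluation so the default "block in" can never win for these frames.
pass quick on $bridge_members
```

To confirm the diagnosis before changing anything, leave the original ruleset loaded, run "tcpdump -n -e -ttt -i pflog0" on the firewall and try to reach the switch or server from the macbook: the "rule N/0(match): block in on sis1" line names the member interface on which the default block fired. After loading the change, "pfctl -vvsr" shows the per-rule counters climbing on the bridge member pass rule instead.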