# pf and routing question



## giulianoz (Jun 19, 2009)

Hello,
 I'm trying to replace our current firewall (clavister) with freebsd/pf. I'm almost done but I have some rules I don't know how to convert. I've tried googling around but I've found nothing useful (maybe I'm looking for the wrong terms).

I have the following scenario:

```
LAN (192.168.1.0/24) connected to fxp0 (192.168.1.1)
DMZ1 (10.0.1.0/24) connected to dc0 (10.0.1.1)
DMZ2 (10.0.2.0/24) connected to dc1 (10.0.2.1)
DMZ3 (10.0.3.0/24) connected to dc2 (10.0.3.1)
DMZ4 (10.0.4.0/24) connected to dc3 (10.0.4.1)
```
The internet is accessible through another router on the LAN (192.168.1.254). The same router provides connections to a remote office using a VPN tunnel. On the remote site there are other 4 DMZ with the same network setup of DMZ1-4.
The PCs on the LAN have their default gateway set to the 192.168.1.254 router so when they try to reach any 10.0.x.x IP address they connect to the remote site. This is correct because the production servers are in the remote site and only a few people use the local DMZs that are for development/testing.
To actually reach the local DMZs Iâ€™ve configured the clavister firewall to route all the requests for network 10.10.1.0/24 to local 10.0.1.0/24 (and the same with the other 3 DMZs) and setup some static routes on the default gateway.

Can I do the same with pf without having one rdr rule for every DMZâ€™s host ?
Do I have to setup an alias on the LAN connected interface for every IP on the networks 10.10.1-4.0/24 ?
Is there a better way to have a similar setup ?
Maybe I can modify the destination IP during the routing process (ie: 10.10.1.10 -> 10.0.1.10, 10.10.2.53 -> 10.0.2.53, and so on) ?

Thanks for your help

giuliano


----------



## SirDice (Jun 19, 2009)

You will make life a whole lot easier for yourself if you use diffent IP ranges for the local servers.


----------



## giulianoz (Jun 19, 2009)

hello,
 yes, I know that  but the local network must be the exact replica of the production envionment (this was decided by the previous manager...). In addition it would be a pain to reconfigure all the servers and the development/test clients...

giuliano


----------



## SirDice (Jun 19, 2009)

I've had similar discussions before on one of my previous jobs.

Having a different IP address doesn't change anything. You should use fully qualified hostnames in applications anyway, not hardcoded IP addresses. That way it'll be easy to switch from production to test, simply by adding a few hosts entries. Using hardcoded IP addresses is really, really bad form. Just try and imagine what kind of cr*p you run into when your company decides to renumber (because of some merger with another company). 

I had warned them about this, would they listen? Of course not.. Guess who got to clean up the crap when they did merge and we had to renumber....


----------



## giulianoz (Jun 19, 2009)

SirDice said:
			
		

> I've had similar discussions before on one of my previous jobs.
> 
> Having a different IP address doesn't change anything. You should use fully qualified hostnames in applications anyway, not hardcoded IP addresses. That way it'll be easy to switch from production to test, simply by adding a few hosts entries. Using hardcoded IP addresses is really, really bad form. Just try and imagine what kind of cr*p you run into when your company decides to renumber (because of some merger with another company).



I totally agree


----------



## SirDice (Jun 19, 2009)

Oh yeah.. And I forgot.. Next thing they'll want is to copy data from the production servers to the test servers. 
Try and solve that riddle when both have the same IP addresses x(


----------



## Trojan (Aug 1, 2009)

Guys please help to clarify the following issue: I have two subnets 192.168.1.0/25 and 192.168.1.128/25 and there is a FreeBSD with PF running between subnets. The scheme is below:

Subnet1 192.168.1.0/25 .1|------FreeBSD------|.129 192.168.1.128/25 Subnet2 

Packet forwarding is already enabled on FreeBSD and now I need to create the approriate and as much as possible restrictive rules. 

When I create the rules:


```
pass in all
pass out all
```

the connections between subnets works but it also allows incoming and outgoing traffic from anywhere to anywhere, not only to and from Subnet 1 and Subnet 2.

When I create the rules:


```
pass in on $lan1_if from $lan1_net to $lan2_net
 pass out on $lan1_if from $lan2_net to $lan1_net
 pass in on $lan2_if from $lan2_net to $lan1_net
 pass out on $lan2_if from $lan1_net to $lan2_net
```
The connections between subnets becomes lost.

What's wrong with my rules and what rules should I create to allow connection between subnets?


----------



## DutchDaemon (Aug 1, 2009)

Try:


```
pass quick on { $lan1_if $lan2_if} from { $lan1_net $lan2_net } to { $lan1_net $lan2_net } keep state
```


----------



## Trojan (Aug 1, 2009)

DutchDaemon said:
			
		

> Try:
> 
> 
> ```
> ...


No any luck. 


```
pfctl: Syntax error in config file: pf rules not loaded
```

Maybe because the direction statement (in/out) is missed?


----------



## DutchDaemon (Aug 1, 2009)

No direction statement is needed. E.g. 'pass all' = 'pass in all' + 'pass out all'. That statement in my previous post works fine on my system (adjusted for my own networks and network interfaces).


----------



## Trojan (Aug 2, 2009)

DutchDaemon, sorry. I just made a little mistake in rule (wrote # instead of $). Now it's OK.

But unfortunately your rule didn't help me. The traffic between subnets still not forwarded. Here is the full list of rules:


```
lan1_if="em0"   #replace with actual external interface name i.e. dc0
lan2_if="em1"   #replace with actual internal interface name i.e. dc1
lan1_net="192.168.1.0/25"
lan2_net="192.168.128/25"

block in all
block out all

pass quick on { $lan1_if $lan2_if } from { $lan1_net $lan2_net } \
to { $lan1_net $lan2_net } keep state
pass in on $lan1_if from $lan1_net to 192.168.1.1
pass out on $lan1_if from 192.168.1.1 to $lan1_net
pass in on $lan2_if from $lan2_net to 192.168.1.129
pass out on $lan2_if from 192.168.1.29 to $lan2_net
```


----------



## DutchDaemon (Aug 2, 2009)

Add 'set skip on lo0'.


----------

