# confusing problem with PF + NAT + filter_rule



## Mohsen_Moradgholi (Aug 27, 2012)

hello my dear,
after much study of the PF firewall, I decided to run it in a simple wireless network:

```
                           _____________
                          /            /
[WiFi_client]-----wlan0--/   PF+NAT   /--re0-----[PublicNet]
                        /____________/
```

and this is pf.conf:

```
ext_if="re0"
int_if="wlan0"
client="192.168.1.200"

altq on wlan0 cbq bandwidth 2Mb queue { std, client_queue }
	queue std    priority 3 bandwidth 1024Kb cbq(default)
	queue client_queue    priority 7 bandwidth 256Kb cbq(borrow)

# nat rules for local network
nat on $ext_if from $int_if:network to any -> ($ext_if)

# filter rules for $int_if inbound
block in on $int_if all
pass  in on $int_if from $int_if:network

# filter rules for $int_if outbound
block out on $int_if all
pass  out on $int_if from any to $int_if:network
pass  out on wlan0 from any to $client queue client_queue
```

but PF can't send $client traffic to client_queue...!
my confusing problem with PF is that the configuration below can send $client traffic to client_queue:

```
ext_if="re0"
int_if="wlan0"
client="192.168.1.200"

altq on wlan0 cbq bandwidth 2Mb queue { std, client_queue }
	queue std    priority 3 bandwidth 1024Kb cbq(default)
	queue client_queue    priority 7 bandwidth 256Kb cbq(borrow)

# nat rules for local network
nat on $ext_if from $int_if:network to any -> ($ext_if)

# filter rules for $int_if inbound
block in on $int_if all
pass  in on $int_if from $int_if:network
pass  in on $int_if from $client to any queue client_queue

# filter rules for $int_if outbound
block out on $int_if all
pass  out on $int_if from any to $int_if:network
#pass  out on wlan0 from any to $client queue client_queue
```

best regards, please guide me...


----------



## fbsd1 (Aug 29, 2012)

Most important question: does pf work without altq?


----------



## plamaiziere (Aug 29, 2012)

Mohsen_Moradgholi said:

> hello my dear,
> after much study of the PF firewall, I decided to run it in a simple wireless network:
> and this is pf.conf:
>
> ...

This is because PF is a stateful firewall; you have to think in terms of "connections":

When your $client starts a "connection", a state is created to allow the reply to return to $client. States are checked before rules, if a state matches, then the rules are not evaluated. This means that the rule "pass out on wlan0 from any to $client queue client_queue" is never evaluated if $client initiates the connection and is useless. It will be useful if you want to allow someone to connect to $client.

Regards.
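To make that evaluation order concrete, here is an added Python model (written for this thread, not PF's own code) that replays $client opening a flow and the reply coming back, against the three rule variants discussed: the queue named only on the `pass out` rule, the queue on the `pass in` rule that creates the state, and `no state` on the rule that would otherwise create the state. The addresses, the `NET` shortcut and the `packet` helper are assumptions of the model.

```python
# Toy model of PF's evaluation order on one interface (wlan0): the state table
# is consulted before the rule set, and the queue recorded in a state comes
# from the rule that created it. A simplification written for this thread,
# not PF's own code; addresses and the NET shortcut are constructed.
CLIENT, NET, REMOTE = "192.168.1.200", "192.168.1.0/24", "203.0.113.10"

def in_net(host, spec):
    """Match a host against 'any', an exact host, or the constructed /24."""
    return spec in ("any", host) or (spec == NET and host.startswith("192.168.1."))

class Wlan0:
    def __init__(self, rules):
        self.rules = rules   # tuples: (action, direction, src, dst, queue, keep_state)
        self.states = {}     # (src, dst) -> queue assigned to that flow

    def packet(self, direction, src, dst):
        """Return (verdict, queue, decided_by) for one packet."""
        # 1. State lookup comes first; a floating state matches both directions.
        for key in ((src, dst), (dst, src)):
            if key in self.states:
                return "pass", self.states[key], "state"
        # 2. Only without a state are the rules walked; last match wins (no 'quick').
        winner = None
        for rule in self.rules:
            if rule[1] == direction and in_net(src, rule[2]) and in_net(dst, rule[3]):
                winner = rule
        if winner is None or winner[0] == "block":
            return "block", None, "rule"
        queue = winner[4] or "std"   # cbq(default) catches unqueued traffic
        if winner[5]:                # keep state is PF's default for pass rules
            self.states[(src, dst)] = queue
        return "pass", queue, "rule"

def reply_queue(rules):
    """CLIENT opens a flow; report how the first reply packet to CLIENT is handled."""
    fw = Wlan0(rules)
    assert fw.packet("in", CLIENT, REMOTE)[0] == "pass"
    return fw.packet("out", REMOTE, CLIENT)

# A: the thread's first pf.conf, queue named only on the 'pass out' rule
CONFIG_A = [("block", "in", "any", "any", None, True),
            ("pass", "in", NET, "any", None, True),
            ("block", "out", "any", "any", None, True),
            ("pass", "out", "any", NET, None, True),
            ("pass", "out", "any", CLIENT, "client_queue", True)]
# B: the second pf.conf, queue on the 'pass in' rule that creates the state
CONFIG_B = CONFIG_A[:2] + [("pass", "in", CLIENT, "any", "client_queue", True)] + CONFIG_A[2:4]
# C: 'no state' on the inbound rule, so the reply really reaches the 'pass out' rule
CONFIG_C = [CONFIG_A[0], ("pass", "in", NET, "any", None, False)] + CONFIG_A[2:]
```

On a real box the equivalent check is `pfctl -vss`, which lists each state with the rule that created it, and `pfctl -vsq`, which shows per-queue packet counters so you can see whether client_queue is actually receiving traffic.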


----------



## Mohsen_Moradgholi (Aug 31, 2012)

hello plamaiziere,
thank you, I understand it and I use "no state" at that rule. It works...
best regards...


----------

