
Re: 3.0 current, pf and browsing



Hi Daniel,
          I'll try to make this a little clearer. The firewall box is
not doing NAT on the packets that are going to the corporate network, they
arrive at the OpenBSD box on the internal NIC and are sent back out on the
internal network to the Nortel II400 box. The firewall in this case is
just used to re-direct the packets to the II400 and across the VPN to the
Contivity in the USA. Something is happening to the packets that are going
into and being sent back out of this interface. I'll try to draw the
configuration for you. I'm using 3.0-release.

----
    |
    | Internal LAN
    |
    |       |---------------------|
    |       |10.36.1.252          |      To Internet        
    |-------| Firewall 3.0 Current|-----------------------------|
    |       |---------------------   193.129.220.6              | 
    |                                                           | 
    |                                                           | Router
    |                                                   DMZ     |---->  
    |                                                           | to 
    |       |----------------------|                            | Internet
    |       | 10.36.1.254          | 193.129.220.30             |
    |-------| II400                |----------------------------|
    |       |----------------------|


The static routes on the firewall box send the packets to the II400
and hence over the VPN to the corporate site in the states. All works
fine except you can't browse directories on the Windows boxes in the 
corporate network. The firewall does NAT for all packets destined for
the Internet, the II400 does NAT for the machines connecting via the 
VPN to the corporate network. The Windows clients on the LAN have one 
default gateway that points to the firewall machine. If these are destined
for the corporate LAN in the US they are sent to the II400, otherwise they
are passed through the firewall box to the DMZ and the router and avoid
the VPN box altogether. I hope this explains a little better what
is going on. If not please email me for any other information that you
require. 

Best regards John.


John Gould - Systems Engineer
Power Innovations Limited
Tel: +44 1234 223002 email: johng@powinv.co.uk

On Fri, 22 Feb 2002, Daniel Hartmeier wrote:

> On Fri, Feb 22, 2002 at 02:26:14PM +0000, John Gould wrote:
> 
> > If I turn off the packet filter with 'pfctl -d' then browsing works and I can
> > see the contents of these directories, but of course machines using the
> > route through the firewall and NAT don't get through. Has anyone seen this
> > before? What is happening to the packets that are being re-directed? This
> > machine is to replace a 2.9 box with ipf which worked fine in exactly this
> > configuration. Any help would be most appreciated.
> 
> Can you explain where in your setup the firewall is? Does it filter the
> plain TCP packets, or the encapsulated IPsec packets? If you're doing
> NAT on encapsulated packets, are you using 3.0-release or -current? NAT
> support for non-TCP/UDP/ICMP protocols was added post 3.0-release.
> If you're filtering the packets before encapsulation, make sure all
> packets of a connection pass through the firewall. If some packets have
> an alternate route (not sure about your description there), they will of
> course not be properly translated.
> 
> Daniel
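A toy model of Daniel's closing point, added to this archive page; it is not part of the thread and not pf or any OpenBSD code. It models a stateful NAT box that creates state from an outbound SYN and reverse-translates replies only if they come back through it. The LAN and external addresses are taken from John's diagram; the client host 10.36.1.10, the corporate server 172.16.0.5, the ports and the simplified state machine are constructed for the illustration. Running the handshake once with replies routed through the firewall and once with replies taking an alternate route onto the LAN shows why the second case never completes: the reply is still addressed to the firewall's external address, so no LAN host claims it.

```python
"""Toy stateful NAT: why every packet of a connection must cross the NAT box.

Added example for this mailing-list page, not pf's real state machine.
Addresses reuse the thread's diagram (10.36.1.0/24 LAN, 193.129.220.6
external); hosts, ports and the state handling are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a string: "S", "SA", "A"


class StatefulNat:
    """Outbound NAT with state created by a LAN-side SYN."""

    def __init__(self, ext_addr: str):
        self.ext_addr = ext_addr
        self.next_port = 40000          # first translated source port (constructed)
        self.out_map = {}               # (lan_ip, lan_port, dst, dport) -> ext port
        self.in_map = {}                # (remote_ip, remote_port, ext port) -> (lan_ip, lan_port)
        self.log = []

    def outbound(self, pkt: Packet):
        """LAN -> outside: create state on a SYN, then rewrite the source."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            if pkt.flags != "S":
                self.log.append(f"drop out {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} "
                                f"flags={pkt.flags}: no state and not a SYN")
                return None
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt.dst, pkt.dport, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.ext_addr, sport=self.out_map[key])

    def inbound(self, pkt: Packet):
        """Outside -> LAN: reverse-translate only if a matching state exists."""
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.dst != self.ext_addr or key not in self.in_map:
            self.log.append(f"drop in {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}: no state")
            return None
        lan_ip, lan_port = self.in_map[key]
        return replace(pkt, dst=lan_ip, dport=lan_port)


def simulate(replies_via_firewall: bool) -> dict:
    """Run a TCP handshake from a LAN client through the NAT box.

    With replies_via_firewall=False the server's reply is delivered onto the
    LAN segment by another path (the "alternate route" of the thread), so
    the NAT never sees it and cannot undo the translation.
    """
    client = ("10.36.1.10", 3051)      # constructed LAN host
    server = ("172.16.0.5", 139)       # constructed corporate host, NetBIOS session port
    fw = StatefulNat("193.129.220.6")

    # 1. The client's default gateway is the firewall, so the SYN always crosses it.
    on_wire = fw.outbound(Packet(*client, *server, "S"))

    # 2. The server answers whatever source address it saw: the firewall's.
    synack = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport, "SA")
    to_lan = fw.inbound(synack) if replies_via_firewall else synack

    handshake_done = False
    if to_lan is not None and (to_lan.dst, to_lan.dport) == client:
        # Only a packet actually addressed to the client makes it send the final ACK.
        handshake_done = fw.outbound(Packet(*client, *server, "A")) is not None

    return {
        "handshake_done": handshake_done,
        "reply_addressed_to": None if to_lan is None else f"{to_lan.dst}:{to_lan.dport}",
        "nat_states": len(fw.out_map),
        "drops": list(fw.log),
    }


if __name__ == "__main__":
    for via_fw in (True, False):
        print("replies via firewall:", via_fw, simulate(via_fw))
```

In the symmetric run the reply is rewritten to 10.36.1.10:3051 and the handshake completes; in the asymmetric run the same reply lands on the LAN addressed to 193.129.220.6:40000, which no LAN host owns, so the client never answers. The same reasoning applies to a filter-only box keeping state: a state entry is only as good as the packets that actually pass through the interface it was created on.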