# pfctl -e
pf enabled
# ping www.terra.com.br
PING www.terra.com.br (200.176.3.142): 56 data bytes
ping: sendto: No route to host
ping: wrote www.terra.com.br 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote www.terra.com.br 64 chars, ret=-1
--- www.terra.com.br ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
# cat /etc/pf.conf
# external (WAN) interface
ext_if="xl1"
# internal (LAN) interface
int_if="xl0"
# MPLS interface
mpls_if ="bge0"
# default gateway (next hop on $ext_if)
gw="200.162.41.33"
############
# Variables
##########
#################
# 1 - Redirection to the staging (homologation) environment
###############
ws_ip = "{ 10.10.100.21 }"
ws_ports = "{ 8101, 8102, 8103 }"
####################################
# 2 - Useful variables
################################
# NOTE(review): this is a /16, while Question 2 below talks about 10.10.0.0/24 -- confirm which is right.
lan = "{ 10.10.0.0/16 }"
# NOTE(review): only referenced from the commented-out MPLS nat rule below. Also, 10.100.1.1 (the
# MPLS next hop used there and pinged at the end) is not inside 10.100.0.0/26 (10.100.0.0-10.100.0.63).
rede_mpls = "{ 10.100.0.0/26 }"
ip_admin = "{ 10.10.0.135 }"
portas_saida_tcp = " {25, 80, 110 }"
# NOTE(review): defined but never used by a rule -- nothing below passes UDP 53 out on $ext_if,
# so DNS resolution from the LAN through this box is probably blocked.
portas_saida_udp = " { 53 }"
# NOTE(review): ssh (22) is accepted from any source on $ext_if by the pass in rule below;
# consider limiting the source addresses.
portas_entrada_tcp = " { 22} "
#######
set skip on lo
scrub in
# redirect into the LAN; NAT was also needed.
# NOTE(review): "xl1" is written literally here although $ext_if exists for it. "rdr pass" already
# passes the redirected packet, so the separate "pass in ... port $ws_ports" rule further down is
# redundant. Ports 8101-8103 on the staging host are reachable from any source; tighten "from any"
# if that is not intended.
rdr pass on xl1 inet proto tcp from any to xl1 port $ws_ports -> $ws_ip
# NOTE(review): rewriting the source to $int_if's address means every connection reaches $ws_ip with
# the firewall's internal IP as source, so the web server's logs no longer show the real client address.
nat on $int_if from any to $ws_ip -> $int_if
#################
##### NAT ######
#################
# NAT to give the LAN internet access
# (disabled) NAT for LAN traffic towards the MPLS network
# NOTE(review): Question 2 is a routing matter rather than a pf one: the clients need a route to the
# MPLS prefix via this host (or this host as their default gateway) and this host needs a route via
# 10.100.1.1 -- the successful ping to 10.100.1.1 at the end suggests the firewall itself already reaches it.
#nat on bge0 from $lan to $rede_mpls -> 10.100.1.1 # MPLS
nat on $ext_if from $lan to !($ext_if) -> $ext_if
# default deny: block everything in and out
# NOTE(review): with "block out all", a packet generated on this host that no pass out rule
# matches is typically reported to the sending program as "No route to host" -- exactly what
# the ping with pf enabled at the top of this message shows.
block in all
block out all
# inbound rules
# allow everything in on the internal interface
# NOTE(review): the udp/53 rule fires first (quick) and has no keep state; the broader rule right
# after it would cover the same traffic with state.
pass in quick on $int_if proto udp from $lan to $int_if port 53
pass in quick on $int_if from $lan to any keep state
# allow inbound on the external interface
# NOTE(review): the next two rules are each split over two lines here. A pf.conf rule must sit on a
# single line; if the real file is wrapped like this, "pfctl -f /etc/pf.conf" fails with a syntax
# error (this may just be mail wrapping). Also note that "pfctl -e" at the top only enables pf with
# whatever ruleset is already loaded; it does not load this file.
pass in quick on $ext_if proto tcp from any to $ext_if port
$portas_entrada_tcp keep state
pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports
keep state
# outbound rules
pass out on $int_if
# NOTE(review): nothing passes *in* on $mpls_if, so replies from the MPLS side depend on state
# created elsewhere (e.g. by the "pass in quick on $int_if ... keep state" rule above).
pass out on $mpls_if
# NOTE(review): redundant -- "set skip on lo" above already exempts lo from filtering.
pass out on lo
# NOTE(review): this matches only packets whose *destination address* is the gateway itself, not
# packets routed through it. The firewall's own ICMP (the ping above) and anything else originating
# on this host is therefore blocked on $ext_if unless it comes from $ip_admin. The usual fix is a
# stateful pass out on $ext_if for the traffic you want, e.g. "pass out on $ext_if proto icmp all keep state".
pass out on $ext_if from any to $gw
# NOTE(review): no "keep state" here, and udp/icmp from the LAN are not passed out on $ext_if at all.
# Whether the floating state from the $int_if rule still matches after NAT depends on the pf version;
# stateful pass out rules on $ext_if for the LAN's tcp/udp/icmp are the conventional pattern.
pass out on $ext_if proto tcp from $lan to any port $portas_saida_tcp
pass out on $ext_if from $ip_admin to any
Question 1) What am I doing wrong? When I turn pf on I am not
able to connect to the internet.
# pfctl -d
pf disabled
# ping www.terra.com.br
PING www.terra.com.br (200.176.3.142): 56 data bytes
64 bytes from 200.176.3.142: icmp_seq=0 ttl=250 time=33.663 ms
64 bytes from 200.176.3.142: icmp_seq=1 ttl=250 time=33.943 ms
--- www.terra.com.br ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 33.663/33.803/33.943/0.140 ms
Question 2) How do I set the correct route to the MPLS network for my clients
(10.10.0.0/24)?
# ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1): 56 data bytes
64 bytes from 10.100.1.1: icmp_seq=0 ttl=255 time=2.980 ms
64 bytes from 10.100.1.1: icmp_seq=1 ttl=255 time=1.570 ms
--- 10.100.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.570/2.275/2.980/0.705 ms
#
Thanks