Old 28th March 2010
Septic Septic is offline
New User
 
Join Date: Mar 2010
Posts: 9

My apologies - my desired setup was to have a transparent firewall, so all that would be needed was a straight bridged connection between the two adapters. I think I misread part of the documentation, but as it was working (~ish) I hadn't noticed!

Something along the lines of:
Code:
INTERNET -> [ Router ] -> (re0 - 1st NIC) [ Firewall ]
					| (Bridge)
			  [ Firewall ] (re1 - 2nd NIC) -> [ Switch ] -----> LAN Client	<--- Internet Access
									|-> LAN Client
I tried changing some of the settings as you had stated, but it didn't affect the dropouts - 20.8mb of a file & 9 minutes for IRC - viewing the # tcpdump -eni pflog0, nothing came up at all, even when I tried to trigger it.
Ctrl+C'ing out of it provided the stats (and yes, pf was enabled):
Code:
0 packets received by filter
0 packets dropped by kernel
As this particular bridge shouldn't have an IP address, I decided to rebuild the configuration from scratch (didn't reinstall).

Here is what I did:
Code:
# nano /etc/hostname.re0
up

# nano /etc/hostname.re1
up

# nano /etc/sysctl.conf
net.inet.ip.forwarding=1

# nano /etc/resolv.conf
nameserver 192.168.134.1
lookup file bind

# nano /etc/mygate
192.168.134.1

# nano /etc/bridgename.bridge0
add re0
add re1
up

# nano /etc/rc.conf
pf=YES

# pfctl -nf /etc/pf.conf

# reboot

# ifconfig
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> MTU 1500
        lladdr 00:26:5a:e3:53:cc
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:53cc%re0 prefixlen 64 scopeid 0x2
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:52:8d
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:528d%re1 prefixlen 64 scopeid 0x3
bridge0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        groups: bridge
After the routing tables updated, I've been able to connect up fine, and in the 20 minutes it's been set up so far, I haven't had a dropout yet. No idea what I'd set the first time round that caused it to go awry.

I've updated the pf.conf to handle some of the new changes now too (such as the onboard NIC just for SSH), and so far all is running smoothly.


I had originally set up the blacklist purely for hosts that flagged in my webserver's Apache log, hence only the inbound block - thanks for pointing out it needed updating!

Many thanks for all your help, I would've spent many more hours banging my head against the table in frustration otherwise.

I have only one remaining question - when I try to browse to a site that has a blacklisted entry, the page will continue to be in a loading state until the TCP connection times out - will "set block-policy return" solve this by simply resetting it immediately?

Thanks again
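As an added example (not the poster's own pf.conf, which is not shown in the thread), here is a minimal ruleset for the transparent bridge described above that addresses the two practical points raised: nothing appearing on pflog0, and a blacklisted connection hanging until it times out. It assumes re0 faces the router, re1 faces the LAN switch, and the blacklist is kept in a hypothetical file /etc/pf.blacklist with one address or CIDR block per line.

```pf
# Added example pf.conf for a transparent (bridged) filtering firewall.
# Assumed interface roles: re0 towards the router, re1 towards the LAN.
ext_if = "re0"
int_if = "re1"

# Blacklist loaded from a file (assumed path); "persist" keeps the table
# even when it is empty so pfctl -t blacklist -T add/delete keeps working.
table <blacklist> persist file "/etc/pf.blacklist"

# Answer TCP with RST and everything else with an ICMP unreachable instead
# of silently dropping, so a client talking to a blacklisted host fails
# immediately rather than sitting in "loading" until its TCP timeout.
set block-policy return

# Every frame crosses both bridge members, so filter on the router-facing
# side only; skipping re1 avoids evaluating each packet twice.
set skip on { lo0 $int_if }

# Default: let traffic through the bridge (stateful by default).
pass on $ext_if

# PF is last-match-wins, so these later block rules override the pass above.
# Only rules carrying "log" are written to pflog0; a block without "log"
# drops silently, which is why "tcpdump -eni pflog0" can show 0 packets
# even while pf is blocking.
block in  log on $ext_if from <blacklist>
block out log on $ext_if to   <blacklist>
```

Check it with pfctl -nf /etc/pf.conf before loading, then pfctl -f /etc/pf.conf, and confirm the table contents with pfctl -t blacklist -T show. With block-policy return, a browser request to a blacklisted address gets a RST back and reports a refused connection straight away; with the default drop policy the same request hangs exactly as described in the question. Note that "return" only changes how block rules answer, not what they block, so the logging behaviour stays the same either way.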