1st January 2010
J65nko
Administrator

Try the following pf.conf
Code:
# pf.conf

EXT="pppoe0"
INT="re1"
WLAN='rum0'

# used by J65nko only
EXT="fxp0"
INT="lo1"
WLAN='lo2'
# ------------------

TCP_PORTS = "www"
UDP_PORTS = 'domain'

set block-policy drop
set skip on lo0

# ---------- NAT/RDR section
nat on $EXT from $INT:network  -> ($EXT)
nat on $EXT from $WLAN:network  -> ($EXT)

# keep VISTA and XP happy
match on pppoe0 scrub (max-mss 1440)

# DEFAULT POLICY
block log (all)

# ---- OUTGOING TRAFFIC

# -- external interface
pass out quick on $EXT tagged OK

# -- internal interface

# --- INCOMING TRAFFIC

# - internal interface
pass in quick on $INT inet proto tcp from $INT:network to any port $TCP_PORTS tag OK
pass in quick on $INT inet proto udp from $INT:network to any port $UDP_PORTS tag OK

# -- internal wireless
pass in quick on $WLAN inet proto tcp from $WLAN:network to any port $TCP_PORTS tag OK
pass in quick on $WLAN inet proto udp from $WLAN:network to any port $UDP_PORTS tag OK

A test parse on my one-NIC desktop box, where I had to spoof two interfaces, else pf chokes on stuff like $WLAN:network:
Code:
# pfctl -vvnf mayuka.pf  
EXT = "pppoe0"
INT = "re1"
WLAN = "rum0"
EXT = "fxp0"
INT = "lo1"
WLAN = "lo2"
TCP_PORTS = "www"
UDP_PORTS = "domain"
set block-policy drop
set skip on { lo0 }
@0 nat on fxp0 inet from 10.0.0.0/24 to any -> (fxp0) round-robin
@1 nat on fxp0 inet from 10.2.2.0/24 to any -> (fxp0) round-robin
@0 match on pppoe0 all scrub (max-mss 1440)
@1 block drop log (all) all
@2 pass out quick on fxp0 all flags S/SA keep state tagged OK
@3 pass in quick on lo1 inet proto tcp from 10.0.0.0/24 to any port = www flags S/SA keep state tag OK
@4 pass in quick on lo1 inet proto udp from 10.0.0.0/24 to any port = domain keep state tag OK
@5 pass in quick on lo2 inet proto tcp from 10.2.2.0/24 to any port = www flags S/SA keep state tag OK
@6 pass in quick on lo2 inet proto udp from 10.2.2.0/24 to any port = domain keep state tag OK
With a default policy of block log (all), all blocked packets can be seen with tcpdump -eni pflog0. When no blocked packets are shown by this tcpdump, then in 99% of the cases you have a routing problem.

I hope that, just like me, you used a different subnet for the internal NIC and the WLAN. Even if I have to spoof interfaces I do this.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
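The post leans on two things pfctl does for you: it expands macros (the later `EXT="fxp0"` definition silently wins over `EXT="pppoe0"`) and it resolves `$INT:network` from the interface's configured address, which is why the parse fails when the interface does not exist. The script below, an added example and not J65nko's code, re-implements that expansion over a copy of the posted ruleset and then checks the one thing the post asks about: that the NAT source networks for the internal NIC and the WLAN do not overlap. The interface addresses are an assumption: the two /24s are the ones pfctl printed in the test parse, the host parts and the fxp0 address are constructed.

```python
import ipaddress
import re

# Constructed copy of the ruleset posted above; the "J65nko only" overrides are kept on
# purpose so the macro-redefinition check has something to report.
PF_CONF = """
EXT="pppoe0"
INT="re1"
WLAN='rum0'

# used by J65nko only
EXT="fxp0"
INT="lo1"
WLAN='lo2'

TCP_PORTS = "www"
UDP_PORTS = 'domain'

set block-policy drop
set skip on lo0

nat on $EXT from $INT:network  -> ($EXT)
nat on $EXT from $WLAN:network  -> ($EXT)

block log (all)
pass out quick on $EXT tagged OK
pass in quick on $INT inet proto tcp from $INT:network to any port $TCP_PORTS tag OK
pass in quick on $WLAN inet proto udp from $WLAN:network to any port $UDP_PORTS tag OK
"""

# Assumed interface addresses: the two LAN networks are the ones pfctl printed in the post
# (10.0.0.0/24 on lo1, 10.2.2.0/24 on lo2); the host parts and the fxp0 address are made up.
IFACES = {"lo1": "10.0.0.1/24", "lo2": "10.2.2.1/24", "fxp0": "192.0.2.10/24"}

MACRO_RE = re.compile(r"""^\s*([A-Za-z_]\w*)\s*=\s*(["'])(.*?)\2\s*$""")
MACRO_USE_RE = re.compile(r"\$([A-Za-z_]\w*)(:network)?")
NAT_RE = re.compile(r"^\s*nat\s+on\s+\S+\s+from\s+(\S+)\s+->")


def parse_macros(conf):
    """Collect macro definitions; later definitions win, as in pf.conf.
    Returns (macros, redefinitions), each redefinition being (lineno, name, old, new)."""
    macros, redefs = {}, []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = MACRO_RE.match(line)
        if m:
            name, _, value = m.groups()
            if name in macros:
                redefs.append((lineno, name, macros[name], value))
            macros[name] = value
    return macros, redefs


def expand(line, macros, ifaces):
    """Expand $NAME and $NAME:network. The :network form needs an address for the
    interface, which is exactly why pfctl chokes when the interface does not exist."""
    def repl(m):
        name, suffix = m.groups()
        if name not in macros:
            raise KeyError(f"undefined macro ${name}")
        value = macros[name]
        if suffix:
            if value not in ifaces:
                raise KeyError(f"interface {value} has no address; cannot resolve ${name}:network")
            return str(ipaddress.ip_interface(ifaces[value]).network)
        return value
    return MACRO_USE_RE.sub(repl, line)


def nat_sources(conf, macros, ifaces):
    """Expanded source network of every nat rule, in file order."""
    nets = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = NAT_RE.match(expand(line, macros, ifaces))
        if m:
            nets.append(ipaddress.ip_network(m.group(1)))
    return nets


def overlapping(nets):
    """Pairs of NAT source networks that overlap: two LANs on the same subnet is the
    mistake the post hopes you avoided."""
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    macros, redefs = parse_macros(PF_CONF)
    for lineno, name, old, new in redefs:
        print(f"line {lineno}: {name} redefined {old!r} -> {new!r}")
    nets = nat_sources(PF_CONF, macros, IFACES)
    print("NAT sources:", ", ".join(map(str, nets)))
    print("overlaps:", overlapping(nets) or "none")
```

Run it as-is and it reports the three intentional redefinitions, the two NAT source networks and no overlap; change the lo2 address in `IFACES` to something in 10.0.0.0/24 and the overlap shows up, which is the condition the post tells you to rule out before blaming pf.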