Try the following pf.conf
Code:
# pf.conf
EXT="pppoe0"
INT="re1"
WLAN='rum0'
# used by J65nko only
EXT="fxp0"
INT="lo1"
WLAN='lo2'
# ------------------
TCP_PORTS = "www"
UDP_PORTS = 'domain'
set block-policy drop
set skip on lo0
# ---------- NAT/RDR section
nat on $EXT from $INT:network -> ($EXT)
nat on $EXT from $WLAN:network -> ($EXT)
# keep VISTA and XP happy
match on pppoe0 scrub (max-mss 1440)
# DEFAULT POLICY
block log (all)
# ---- OUTGOING TRAFFIC
# -- external interface
pass out quick on $EXT tagged OK
# -- internal interface
# --- INCOMING TRAFFIC
# - internal interface
pass in quick on $INT inet proto tcp from $INT:network to any port $TCP_PORTS tag OK
pass in quick on $INT inet proto udp from $INT:network to any port $UDP_PORTS tag OK
# -- internal wireless
pass in quick on $WLAN inet proto tcp from $WLAN:network to any port $TCP_PORTS tag OK
pass in quick on $WLAN inet proto udp from $WLAN:network to any port $UDP_PORTS tag OK
A test parse on my 1 NIC desktop box where I had to spoof two interfaces, else pf chokes on stuff like $WLAN:network
Code:
# pfctl -vvnf mayuka.pf
EXT = "pppoe0"
INT = "re1"
WLAN = "rum0"
EXT = "fxp0"
INT = "lo1"
WLAN = "lo2"
TCP_PORTS = "www"
UDP_PORTS = "domain"
set block-policy drop
set skip on { lo0 }
@0 nat on fxp0 inet from 10.0.0.0/24 to any -> (fxp0) round-robin
@1 nat on fxp0 inet from 10.2.2.0/24 to any -> (fxp0) round-robin
@0 match on pppoe0 all scrub (max-mss 1440)
@1 block drop log (all) all
@2 pass out quick on fxp0 all flags S/SA keep state tagged OK
@3 pass in quick on lo1 inet proto tcp from 10.0.0.0/24 to any port = www flags S/SA keep state tag OK
@4 pass in quick on lo1 inet proto udp from 10.0.0.0/24 to any port = domain keep state tag OK
@5 pass in quick on lo2 inet proto tcp from 10.2.2.0/24 to any port = www flags S/SA keep state tag OK
@6 pass in quick on lo2 inet proto udp from 10.2.2.0/24 to any port = domain keep state tag OK
With a default policy of block log (all), all blocked packets can be seen with tcpdump -eni pflog0. When no blocked packets are shown by this tcpdump, then in 99% of the cases you have a routing problem.
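As an added example (not part of the original post), here is a small POSIX shell helper that turns the pflog0 output the post refers to into a per-interface summary and applies the post's rule of thumb: no logged block decisions means look at routing first. The line format is assumed from OpenBSD's tcpdump decoding of pflog0 ("rule N/(match) block in on IFACE: ..."), and the sample lines are constructed, not captured from a real box.

```sh
#!/bin/sh
# Added example (not from the original post): summarise what
# `tcpdump -eni pflog0` shows when pf's default policy is `block log (all)`.
# Assumed line format (OpenBSD pflog decoding), e.g.
#   <time> rule 1/(match) block in on re1: 10.0.0.5.51234 > 93.184.216.34.443: ...
# Field positions: $4 = block/pass, $5 = in/out, $7 = "<iface>:".

# Count logged block decisions on stdin (prints 0 when nothing was blocked).
pflog_block_count() {
    awk '/ rule [0-9]+\/\(match\) block (in|out) on / { n++ } END { print n + 0 }'
}

# Per interface and direction: "<iface> <dir> <count>", busiest first.
pflog_summary() {
    awk '/ rule [0-9]+\/\(match\) block (in|out) on / {
            iface = $7; sub(/:$/, "", iface)
            count[iface " " $5]++
         }
         END { for (k in count) print k, count[k] }' \
    | sort -k3,3nr -k1,1
}

# The post's rule of thumb: an empty pflog almost always means a routing
# problem rather than a filtering one.
pflog_hint() {
    n=$(pflog_block_count)
    if [ "$n" -eq 0 ]; then
        echo "no blocked packets logged: check routing (netstat -rn) before the ruleset"
    else
        echo "$n blocked packets logged: filtering, not routing, is dropping traffic"
    fi
}

# Constructed sample, standing in for: tcpdump -eni pflog0 -c 100
SAMPLE_PFLOG='12:00:01.000001 rule 1/(match) block in on re1: 10.0.0.5.51234 > 93.184.216.34.443: S 1:1(0) win 65535
12:00:02.000002 rule 1/(match) block in on rum0: 10.2.2.7.40000 > 10.0.0.1.22: S 1:1(0) win 65535
12:00:03.000003 rule 1/(match) block in on re1: 10.0.0.5.51235 > 93.184.216.34.443: S 1:1(0) win 65535
12:00:04.000004 rule 1/(match) block out on pppoe0: 10.0.0.5.51236 > 93.184.216.34.80: S 1:1(0) win 65535'

# Run directly: print the summary and the hint for the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
printf '%s\n' "$SAMPLE_PFLOG" | pflog_hint
```

On a real router you would pipe a bounded capture into it instead of the sample, e.g. tcpdump -eni pflog0 -c 100 | pflog_summary; because the default rule logs every blocked packet, the per-interface counts tell you straight away whether the drops happen on the inside interfaces (traffic that never got a tag) or on the outside one.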
I hope that, just like me, you used a different subnet for both the internal NIC and WLAN. Even if I have to spoof interfaces, I do this