Old 16th January 2012
J65nko J65nko is offline
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,505

Last year in OpenBSD port of OpenVPN revisited I posted a solution for an OpenVPN issue but that was using tun0 as non-tap device IIRC.

If you run tcpdump on tun0 with the '-e' flag turned on you should be able to see the MAC or lladdr. That could help in debugging.

And I wonder why you need the route-to in

    pass in log quick on dmzif route-to tun0 inet proto icmp from \
    to any icmp-type echoreq tag VPN_TRAFFIC

If the default route of the boxes in the DMZ points to the address of the DMZ interface, this should be enough. I did some DMZ setups in my network lab, and never had to use 'route-to'. When my DMZ setups did not work, it always was because of forgetting to add this default route.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump