Netgate Discussion Forum
    Rerouting between two OPT interfaces

    Russian
      Kurok
      last edited by

      I have two LAN interfaces,
      but traffic does not pass between them, no matter what.
      In the firewall I allowed it on both NICs:

      Proto  Source  Port  Destination  Port  Gateway

      • LAN11 net * LAN net * *
      • LAN net * LAN11 net * *

      But the traffic does not pass.
      I tried adding the routing in static routes - that doesn't help.

      Explain it to a noob :)

        Kurok
        last edited by

        Up

          dvserg
          last edited by

          Network diagram? IP addressing?

            Kurok
            last edited by

            WAN realip/30
            LAN net 192.168.1/24
            LAN11 net 192.168.11/24

              Eugene
              last edited by

              From the console:
              netstat -rn
              pfctl -sr
              And, for both interfaces, at the moment the traffic is "not passing":
              tcpdump -i <interface name> -n

              http://ru.doc.pfsense.org

                Kurok
                last edited by

                $ netstat -rn
                Routing tables

                Internet:
                Destination        Gateway            Flags    Refs      Use  Netif Expire
                default            217.x.y.g      UGS        0    8974    rl0
                74.125.91.104      192.168.0.1        UGHS        0    22832    rl1
                77.109.0.161      217.x.y.z      UGHS        0    22828    rl0
                127.0.0.1          127.0.0.1          UH          0    7131    lo0
                192.168.0.0/24    link#2            UC          0        0    rl1
                192.168.0.1        00:21:91:59:dc:2f  UHLW        2    4845    rl1  1180
                192.168.1.0/24    link#4            UC          0        0    re0
                192.168.1.2        02:ff:2b:c7:0e:f2  UHLW        1        1    re0  1197
                192.168.1.4        00:11:5b:66:47:6e  UHLW        1      488    lo0
                192.168.1.30      00:1e:8c:bf:8a:ad  UHLW        1        8    re0  1181
                192.168.1.105      02:ff:ea:ce:ae:2b  UHLW        1        5    re0    675
                192.168.11.0/24    link#3            UC          0        0    rl2
                217.x.y.f/28  link#1            UC          0        0    rl0
                217.x.y.g      00:12:80:2c:94:1b  UHLW        3    4845    rl0  1200
                217.x.y.z      00:0e:2e:f0:b8:f6  UHLW        1      488    lo0

                ========================================

                pfctl -sr
                scrub all random-id fragment reassemble
                block drop in all label "SHAPER: first match rule" tag unshaped
                pass in on rl0 inet from any to 192.168.1.0/24 flags S/SA tos 0x10 keep state tag qVOIPUp tagged unshaped
                pass out on re0 inet from any to 192.168.1.0/24 flags S/SA tos 0x10 keep state tag qVOIPDown tagged qVOIPUp
                pass in on re0 inet from 192.168.1.0/24 to any flags S/SA tos 0x10 keep state tag qVOIPDown tagged unshaped
                pass out on rl0 all flags S/SA tos 0x10 keep state tag qVOIPUp tagged qVOIPDown
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = 5223 flags S/SA keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = 5223 flags S/SA keep state tag qOthersDownH tagged qOthersUpH
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = jabber-server flags S/SA keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto tcp from any to any port = jabber-server flags S/SA keep state tag qOthersUpH tagged qOthersDownH
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = jabber-server flags S/SA keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = jabber-server flags S/SA keep state tag qOthersDownH tagged qOthersUpH
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = jabber-client flags S/SA keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = jabber-client flags S/SA keep state tag qOthersDownH tagged qOthersUpH
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = 3306 flags S/SA keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto tcp from any to any port = 3306 flags S/SA keep state tag qOthersUpH tagged qOthersDownH
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = 3306 flags S/SA keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = 3306 flags S/SA keep state tag qOthersDownH tagged qOthersUpH
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = domain flags S/SA keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto tcp from any to any port = domain flags S/SA keep state tag qOthersUpH tagged qOthersDownH
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = jabber-client flags S/SA keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto tcp from any to any port = jabber-client flags S/SA keep state tag qOthersUpH tagged qOthersDownH
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port = domain keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto udp from any to any port = domain keep state tag qOthersUpH tagged qOthersDownH
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = aol flags S/SA keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = aol flags S/SA keep state tag qOthersDownH tagged qOthersUpH
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = aol flags S/SA keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto tcp from any to any port = aol flags S/SA keep state tag qOthersUpH tagged qOthersDownH
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port = aol keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto udp from any to any port = aol keep state tag qOthersUpH tagged qOthersDownH
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port = aol keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port = aol keep state tag qOthersDownH tagged qOthersUpH
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = nntp flags S/SA keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto tcp from any to any port = nntp flags S/SA keep state tag qOthersUpH tagged qOthersDownH
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port = domain keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port = domain keep state tag qOthersDownH tagged qOthersUpH
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = domain flags S/SA keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = domain flags S/SA keep state tag qOthersDownH tagged qOthersUpH
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = 5223 flags S/SA keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto tcp from any to any port = 5223 flags S/SA keep state tag qOthersUpH tagged qOthersDownH
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = 3389 flags S/SA keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto tcp from any to any port = 3389 flags S/SA keep state tag qOthersUpH tagged qOthersDownH
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = cvsup flags S/SA keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto tcp from any to any port = cvsup flags S/SA keep state tag qOthersUpH tagged qOthersDownH
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = cvsup flags S/SA keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = cvsup flags S/SA keep state tag qOthersDownH tagged qOthersUpH
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = 3389 flags S/SA keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = 3389 flags S/SA keep state tag qOthersDownH tagged qOthersUpH
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = nntp flags S/SA keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = nntp flags S/SA keep state tag qOthersDownH tagged qOthersUpH
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port = nntp keep state tag qOthersUpH tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port = nntp keep state tag qOthersDownH tagged qOthersUpH
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port = nntp keep state tag qOthersDownH tagged unshaped
                pass out on rl0 proto udp from any to any port = nntp keep state tag qOthersUpH tagged qOthersDownH
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port = 5900 keep state tag qwandef tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port = 5900 keep state tag qlandef tagged qwandef
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port = 3283 keep state tag qlandef tagged unshaped
                pass out on rl0 proto udp from any to any port = 3283 keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port = 3283 keep state tag qwandef tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port = 3283 keep state tag qlandef tagged qwandef
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port = 5900 keep state tag qlandef tagged unshaped
                pass out on rl0 proto udp from any to any port = 5900 keep state tag qwandef tagged qlandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = 5900 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = 5900 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port = snmp keep state tag qwandef tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port = snmp keep state tag qlandef tagged qwandef
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port = snmp keep state tag qlandef tagged unshaped
                pass out on rl0 proto udp from any to any port = snmp keep state tag qwandef tagged qlandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port 5900:5930 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port 5900:5930 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port 5900:5930 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port 5900:5930 flags S/SA keep state tag qlandef tagged qwandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = 3283 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = 3283 flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = 3283 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = 3283 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = 5900 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = 5900 flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = lotusnote flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = lotusnote flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = snmp flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = snmp flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port = 5632 keep state tag qlandef tagged unshaped
                pass out on rl0 proto udp from any to any port = 5632 keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = 5631 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = 5631 flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = 5631 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = 5631 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port = lotusnote keep state tag qwandef tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port = lotusnote keep state tag qlandef tagged qwandef
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port = lotusnote keep state tag qlandef tagged unshaped
                pass out on rl0 proto udp from any to any port = lotusnote keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port = 5632 keep state tag qwandef tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port = 5632 keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = 14534 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = 14534 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = 51234 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = 51234 flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port 8767:8768 keep state tag qlandef tagged unshaped
                pass out on rl0 proto udp from any to any port 8767:8768 keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = lotusnote flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = lotusnote flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = 51234 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = 51234 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = 14534 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = 14534 flags S/SA keep state tag qlandef tagged qwandef
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port 8767:8768 keep state tag qwandef tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port 8767:8768 keep state tag qlandef tagged qwandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = imap flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = imap flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto ah from 192.168.1.0/24 to any keep state tag qlandef tagged unshaped
                pass out on rl0 proto ah all keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port = isakmp keep state tag qwandef tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port = isakmp keep state tag qlandef tagged qwandef
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port = isakmp keep state tag qlandef tagged unshaped
                pass out on rl0 proto udp from any to any port = isakmp keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto ah from any to 192.168.1.0/24 keep state tag qwandef tagged unshaped
                pass out on re0 inet proto ah from any to 192.168.1.0/24 keep state tag qlandef tagged qwandef
                pass in on re0 inet proto esp from 192.168.1.0/24 to any keep state tag qlandef tagged unshaped
                pass out on rl0 proto esp all keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port 8000:8100 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port 8000:8100 flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port 8000:8100 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port 8000:8100 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto esp from any to 192.168.1.0/24 keep state tag qwandef tagged unshaped
                pass out on re0 inet proto esp from any to 192.168.1.0/24 keep state tag qlandef tagged qwandef
                pass in on rl0 inet proto gre from any to 192.168.1.0/24 keep state tag qwandef tagged unshaped
                pass out on re0 inet proto gre from any to 192.168.1.0/24 keep state tag qlandef tagged qwandef
                pass in on re0 inet proto gre from 192.168.1.0/24 to any keep state tag qlandef tagged unshaped
                pass out on rl0 proto gre all keep state tag qwandef tagged qlandef
                pass in on re0 inet proto udp from 192.168.1.0/24 to any port 6881:6999 keep state tag qP2PDown tagged unshaped
                pass out on rl0 proto udp from any to any port 6881:6999 keep state tag qP2PUp tagged qP2PDown
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port 6881:6999 flags S/SA keep state tag qP2PUp tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port 6881:6999 flags S/SA keep state tag qP2PDown tagged qP2PUp
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port 6881:6999 flags S/SA keep state tag qP2PDown tagged unshaped
                pass out on rl0 proto tcp from any to any port 6881:6999 flags S/SA keep state tag qP2PUp tagged qP2PDown
                pass in on rl0 inet proto udp from any to 192.168.1.0/24 port 6881:6999 keep state tag qP2PUp tagged unshaped
                pass out on re0 inet proto udp from any to 192.168.1.0/24 port 6881:6999 keep state tag qP2PDown tagged qP2PUp
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port 4661:4665 flags S/SA keep state tag qP2PDown tagged unshaped
                pass out on rl0 proto tcp from any to any port 4661:4665 flags S/SA keep state tag qP2PUp tagged qP2PDown
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = pptp flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = pptp flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = pptp flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = pptp flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port 4661:4665 flags S/SA keep state tag qP2PUp tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port 4661:4665 flags S/SA keep state tag qP2PDown tagged qP2PUp
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port 6667:6670 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port 6667:6670 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port 6667:6670 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port 6667:6670 flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = microsoft-ds flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = microsoft-ds flags S/SA keep state tag qwandef tagged qlandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = imap flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = imap flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto icmp from any to 192.168.1.0/24 keep state tag qwandef tagged unshaped
                pass out on re0 inet proto icmp from any to 192.168.1.0/24 keep state tag qlandef tagged qwandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = microsoft-ds flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = microsoft-ds flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port 137:139 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port 137:139 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = rtsp flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = rtsp flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = rtsp flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = rtsp flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port 137:139 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port 137:139 flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto icmp from 192.168.1.0/24 to any keep state tag qlandef tagged unshaped
                pass out on rl0 proto icmp all keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = pop3 flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = pop3 flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = https flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = https flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = http flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = http flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = http flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = http flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = https flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = https flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = smtp flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = smtp flags S/SA keep state tag qwandef tagged qlandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = pop3 flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = pop3 flags S/SA keep state tag qwandef tagged qlandef
                pass in on rl0 inet proto tcp from any to 192.168.1.0/24 port = smtp flags S/SA keep state tag qwandef tagged unshaped
                pass out on re0 inet proto tcp from any to 192.168.1.0/24 port = smtp flags S/SA keep state tag qlandef tagged qwandef
                pass in on re0 inet proto tcp from 192.168.1.0/24 to any port = snmp flags S/SA keep state tag qlandef tagged unshaped
                pass out on rl0 proto tcp from any to any port = snmp flags S/SA keep state tag qwandef tagged qlandef
                pass in on re0 inet from 192.168.1.0/24 to any flags S/SA keep state tag qP2PDown tagged unshaped
                pass out on rl0 all flags S/SA keep state tag qP2PUp tagged qP2PDown
                pass in on rl0 inet from any to 192.168.1.0/24 flags S/SA keep state tag qP2PUp tagged unshaped
                pass out on re0 inet from any to 192.168.1.0/24 flags S/SA keep state tag qP2PDown tagged qP2PUp
                pass in on re0 inet from 192.168.1.0/24 to any flags S/SA keep state tag qP2PDown tagged unshaped
                pass out on rl0 all flags S/SA keep state tag qP2PUp tagged qP2PDown
                pass in on rl0 inet from any to 192.168.1.0/24 flags S/SA keep state tag qP2PUp tagged unshaped
                pass out on re0 inet from any to 192.168.1.0/24 flags S/SA keep state tag qP2PDown tagged qP2PUp
                anchor "ftpsesame/" all
                anchor "firewallrules" all
                block drop quick proto tcp from any port = 0 to any
                block drop quick proto tcp from any to any port = 0
                block drop quick proto udp from any port = 0 to any
                block drop quick proto udp from any to any port = 0
                block drop quick from <snort2c>to any label "Block snort2c hosts"
                block drop quick from any to <snort2c>label "Block snort2c hosts"
                anchor "loopback" all
                pass in quick on lo0 all flags S/SA keep state label "pass loopback"
                pass out quick on lo0 all flags S/SA keep state label "pass loopback"
                anchor "packageearly" all
                anchor "carp" all
                pass quick inet proto icmp from 217.x.y.z to any keep state
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19000 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19001 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19002 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19003 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19004 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19005 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19006 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19007 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19008 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19009 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19010 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19011 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19012 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19013 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19014 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19015 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19016 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19017 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19018 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19019 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = 19020 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on re0 inet proto udp from any to 127.0.0.1 port = 19021 keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 19022 flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on rl2 inet proto udp from any to 127.0.0.1 port = 19023 keep state label "NAT REFLECT: Allow traffic to localhost"
                anchor "dhcpserverlan" all
                pass in quick on re0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server on LAN"
                pass in quick on re0 inet proto udp from any port = bootpc to 192.168.1.4 port = bootps keep state label "allow access to DHCP server on LAN"
                pass out quick on re0 inet proto udp from 192.168.1.4 port = bootps to any port = bootpc keep state label "allow access to DHCP server on LAN"
                block drop in log quick on rl0 inet proto udp from any port = bootps to 192.168.1.0/24 port = bootpc label "block dhcp client out wan"
                block drop in on ! re0 inet from 192.168.1.0/24 to any
                block drop in inet from 192.168.1.4 to any
                block drop in on ! rl1 inet from 192.168.0.0/24 to any
                block drop in inet from 192.168.0.4 to any
                block drop in on ! rl2 inet from 192.168.11.0/24 to any
                block drop in inet from 192.168.11.4 to any
                block drop in on re0 inet6 from fe80::211:5bff:fe66:476e to any
                block drop in on rl1 inet6 from fe80::20e:2eff:fef0:bd84 to any
                block drop in on rl2 inet6 from fe80::2a1:b0ff:fe01:1259 to any
                anchor "spoofing" all
                anchor "limitingesr" all
                block drop in quick from <virusprot> to any label "virusprot overload table"
                anchor "firewallout" all
                pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks) tagged qwandef
                pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qVOIPUp, qwanacks) tagged qVOIPUp
                pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PUp, qwanacks) tagged qP2PUp
                pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qOthersUpH, qwanacks) tagged qOthersUpH
                pass out quick on rl0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qwandef, qwanacks)
                pass out quick on re0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qlandef, qlanacks) tagged qlandef
                pass out quick on re0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qVOIPDown, qlanacks) tagged qVOIPDown
                pass out quick on re0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qP2PDown, qlanacks) tagged qP2PDown
                pass out quick on re0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qOthersDownH, qlanacks) tagged qOthersDownH
                pass out quick on re0 all flags S/SA keep state label "let out anything from firewall host itself" queue(qlandef, qlanacks)
                pass out quick on rl1 all flags S/SA keep state label "let out anything from firewall host itself"
                pass out quick on rl2 all flags S/SA keep state label "let out anything from firewall host itself"
                pass out quick on enc0 all flags S/SA keep state label "IPSEC internal host to host"
                pass out quick on rl1 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
                pass out quick on rl1 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
                pass out quick on rl2 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
                pass out quick on rl2 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
                anchor "anti-lockout" all
                pass in quick on re0 inet from any to 192.168.1.4 flags S/SA keep state label "anti-lockout web rule"
                block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
                anchor "ftpproxy" all
                anchor "pftpx/
                " all
                anchor "qwanRoot" all tagged qwanRoot
                anchor "qlanRoot" all tagged qlanRoot
                anchor "qwandef" all tagged qwandef
                anchor "qlandef" all tagged qlandef
                anchor "qwanacks" all tagged qwanacks
                anchor "qlanacks" all tagged qlanacks
                anchor "qVOIPUp" all tagged qVOIPUp
                anchor "qVOIPDown" all tagged qVOIPDown
                anchor "qP2PUp" all tagged qP2PUp
                anchor "qP2PDown" all tagged qP2PDown
                anchor "qOthersUpH" all tagged qOthersUpH
                anchor "qOthersDownH" all tagged qOthersDownH
                anchor "qOthersUpL" all tagged qOthersUpL
                anchor "qOthersDownL" all tagged qOthersDownL
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto tcp from any to 217.x.y.z port = ssh flags S/SA keep state label "USER_RULE: Allow in SSH port" queue(qwandef, qwanacks)
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto tcp from any to 217.x.y.z port = 10000 flags S/SA keep state label "USER_RULE: Allow in Managing port" queue(qwandef, qwanacks)
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto tcp from any to 217.x.y.z port 3388 >< 3391 flags S/SA keep state label "USER_RULE: Allow in RDPs port" queue(qwandef, qwanacks)
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto tcp from any to 217.x.y.z port >= 1025 flags S/SA keep state label "USER_RULE: Allow NAT to WAN in 1024-65535" queue(qwandef, qwanacks)
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto udp from any to 217.x.y.z port >= 1025 keep state label "USER_RULE: Allow NAT to WAN in 1024-65535" queue(qwandef, qwanacks)
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto tcp from any to 192.168.1.0/24 port >= 1025 flags S/SA keep state label "USER_RULE: allow 1025-65535 to LAN incoming" queue(qwandef, qwanacks)
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto udp from any to 192.168.1.0/24 port >= 1025 keep state label "USER_RULE: allow 1025-65535 to LAN incoming" queue(qwandef, qwanacks)
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto tcp from any to 192.168.11.0/24 port >= 1025 flags S/SA keep state label "USER_RULE: allow 1025-65535 to LAN incoming" queue(qwandef, qwanacks)
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto udp from any to 192.168.11.0/24 port >= 1025 keep state label "USER_RULE: allow 1025-65535 to LAN incoming" queue(qwandef, qwanacks)
                pass in log quick on rl0 reply-to (rl0 217.x.y.g) inet proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: allow incoming DNS" queue(qwandef, qwanacks)
                pass in log quick on rl0 reply-to (rl0 217.x.y.g) inet proto udp from any to any port = domain keep state label "USER_RULE: allow incoming DNS" queue(qwandef, qwanacks)
                pass in quick on rl0 reply-to (rl0 217.x.y.g) inet proto icmp all no state label "USER_RULE" queue(qwandef, qwanacks)
                pass in quick on rl2 inet from 192.168.1.0/24 to 192.168.11.0/24 flags S/SA keep state label "USER_RULE: All between LAN and LAN11"
                pass in quick on rl2 inet from 192.168.11.0/24 to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: All between LAN and LAN11"
                pass in quick on rl2 inet from 192.168.11.0/24 to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for local network(s)"
                pass in quick on rl2 route-to (rl0 217.x.y.g) inet from 192.168.11.0/24 to any flags S/SA keep state label "USER_RULE: All goes to LB"
                pass in quick on rl2 inet from 192.168.11.0/24 to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for local network(s)"
                pass in quick on rl2 route-to (rl1 192.168.0.1) inet from 192.168.11.0/24 to any flags S/SA keep state label "USER_RULE"
                pass in quick on rl2 inet proto icmp all keep state label "USER_RULE: Allow ICMP"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto tcp from any to 192.168.0.4 port = ssh flags S/SA keep state label "USER_RULE"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto tcp from any to 192.168.0.4 port 3388 >< 3391 flags S/SA keep state label "USER_RULE"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto tcp from any to 192.168.0.4 port = 10000 flags S/SA keep state label "USER_RULE"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto tcp from any to 192.168.0.4 port >= 1025 flags S/SA keep state label "USER_RULE"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto udp from any to 192.168.0.4 port >= 1025 keep state label "USER_RULE"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto tcp from any to 192.168.11.0/24 port >= 1025 flags S/SA keep state label "USER_RULE"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto udp from any to 192.168.11.0/24 port >= 1025 keep state label "USER_RULE"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto tcp from any to 192.168.1.0/24 port >= 1025 flags S/SA keep state label "USER_RULE"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto udp from any to 192.168.1.0/24 port >= 1025 keep state label "USER_RULE"
                pass in log quick on rl1 reply-to (rl1 192.168.0.1) inet proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: allow incoming DNS"
                pass in log quick on rl1 reply-to (rl1 192.168.0.1) inet proto udp from any to any port = domain keep state label "USER_RULE: allow incoming DNS"
                pass in quick on rl1 reply-to (rl1 192.168.0.1) inet proto icmp all no state label "USER_RULE"
                pass in quick on re0 inet from 192.168.11.0/24 to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: All between LAN and LAN11" queue(qlandef, qlanacks)
                pass in quick on re0 inet from 192.168.1.0/24 to 192.168.11.0/24 flags S/SA keep state label "USER_RULE: All between LAN and LAN11" queue(qlandef, qlanacks)
                pass in quick on re0 inet from 192.168.1.0/24 to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for local network(s)"
                pass in quick on re0 route-to (rl0 217.x.y.g) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: All goes to LB" queue(qlandef, qlanacks)
                pass in quick on re0 route-to (rl1 192.168.0.1) inet proto tcp from 192.168.1.0/24 to 217.188.246.0/24 flags S/SA keep state label "USER_RULE: DE net" queue(qlandef, qlanacks)
                pass in quick on re0 route-to (rl1 192.168.0.1) inet proto udp from 192.168.1.0/24 to 217.188.246.0/24 keep state label "USER_RULE: DE net" queue(qlandef, qlanacks)
                pass in quick on re0 inet proto tcp from 192.168.1.0/24 to <vpns> port = 3389 flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for local network(s)"
                pass in quick on re0 route-to (rl1 192.168.0.1) inet proto tcp from 192.168.1.0/24 to any port = 3389 flags S/SA keep state label "USER_RULE: RDP" queue(qlandef, qlanacks)
                pass in quick on re0 inet proto icmp all no state label "USER_RULE" queue(qlandef, qlanacks)
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                pass in quick on re0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                pass in quick on rl0 inet proto tcp from any port = ftp-data to (rl0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
                pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = 8023 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                pass in quick on rl2 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                anchor "imspector" all
                anchor "miniupnpd" all
                block drop in log quick all label "Default deny rule"
                block drop out log quick all label "Default deny rule"

                • E
                  Eugene
                  last edited by

                  I don't see which IP is assigned to rl2 - is it a static address?
                  And this rule on rl2 is clearly superfluous:
                  pass in quick on rl2 inet from 192.168.1.0/24 to 192.168.11.0/24 flags S/SA keep state label "USER_RULE: All between LAN and LAN11"

                  and this one on re0 is superfluous:
                  pass in quick on re0 inet from 192.168.11.0/24 to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: All between LAN and LAN11" queue(qlandef, qlanacks)

                  In other words, on LAN you need to set:
                  Proto    Source    Port    Destination    Port    Gateway
                  *        LAN net    *    LAN11 net        *    *

                  on LAN11 you need to set:
                  Proto    Source    Port    Destination    Port    Gateway
                  *        LAN11 net    *    LAN net        *    *

                  And for testing purposes it is best to put them first... because there is such a mess in there with QoS and the load balancer -(((

                  http://ru.doc.pfsense.org
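To see why the two rules Eugene flags as superfluous matter, here is an added toy evaluator of pf's rule-matching order; it is written for this thread and is not pfSense code or anything from the posters. It keeps only the two antispoof blocks, the four inter-LAN rules and the default deny from the posted `pfctl -sr` output, and assumes standard pf semantics (last matching rule wins, a matching `quick` rule ends evaluation); the labels in the rule table are my own shorthand.

```python
import ipaddress

# Subset of the posted `pfctl -sr` output, reduced to the fields this toy
# understands: (action, quick, interface, source net, destination net, label).
# A leading "!" on the interface means "any interface except this one".
RULES = [
    ("block", False, "!re0", "192.168.1.0/24",  "0.0.0.0/0",       "antispoof: LAN net not on re0"),
    ("block", False, "!rl2", "192.168.11.0/24", "0.0.0.0/0",       "antispoof: LAN11 net not on rl2"),
    ("pass",  True,  "rl2",  "192.168.1.0/24",  "192.168.11.0/24", "rl2: LAN net -> LAN11 net (flagged redundant)"),
    ("pass",  True,  "rl2",  "192.168.11.0/24", "192.168.1.0/24",  "rl2: LAN11 net -> LAN net"),
    ("pass",  True,  "re0",  "192.168.11.0/24", "192.168.1.0/24",  "re0: LAN11 net -> LAN net (flagged redundant)"),
    ("pass",  True,  "re0",  "192.168.1.0/24",  "192.168.11.0/24", "re0: LAN net -> LAN11 net"),
    ("block", True,  "any",  "0.0.0.0/0",       "0.0.0.0/0",       "Default deny rule"),
]

def iface_matches(rule_iface, iface):
    """'any' matches everything; '!X' matches every interface except X."""
    if rule_iface == "any":
        return True
    if rule_iface.startswith("!"):
        return iface != rule_iface[1:]
    return iface == rule_iface

def evaluate(iface, src, dst, rules=RULES):
    """Simplified pf evaluation for one inbound packet: the last matching rule
    wins, except that a matching 'quick' rule stops evaluation at once.
    Returns (action, label of the deciding rule)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = ("pass", "no rule matched (pf default)")
    for action, quick, rif, rsrc, rdst, label in rules:
        if not iface_matches(rif, iface):
            continue
        if src_ip not in ipaddress.ip_network(rsrc) or dst_ip not in ipaddress.ip_network(rdst):
            continue
        decision = (action, label)
        if quick:
            break
    return decision

def without_redundant(rules=RULES):
    """The same ruleset minus the two rules Eugene calls superfluous."""
    return [r for r in rules if "flagged redundant" not in r[5]]

if __name__ == "__main__":
    # Legitimate inter-LAN traffic is passed by the rule on its own ingress interface.
    print(evaluate("rl2", "192.168.11.5", "192.168.1.10"))
    print(evaluate("re0", "192.168.1.10", "192.168.11.5"))
    # A packet with a LAN-net source arriving on rl2 matches the non-quick antispoof
    # block, but the redundant quick pass rule on rl2 then overrides it...
    print(evaluate("rl2", "192.168.1.10", "192.168.11.5"))
    # ...and the same packet is dropped once that redundant rule is removed.
    print(evaluate("rl2", "192.168.1.10", "192.168.11.5", without_redundant()))
```

The last two calls show that the rl2 rule with a LAN-net source is not just dead weight: it is the only rule that can match a packet claiming a 192.168.1.0/24 source on the wrong interface, and being `quick` it wins over the antispoof block placed earlier.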

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.