Исходное сообщение
"PF: переполнение state table мёртвыми IP-адресами"
Отправлено yurybx, 27-Янв-18 10:49 
> где правила PF? таблицы используете в правилах?

Таблицы использую. А это может повлиять на таблицу состояний?

# --- Macros -------------------------------------------------------------
# Interfaces: hn(4) is the FreeBSD Hyper-V NIC driver; ng0-ng9 are netgraph
# interfaces (presumably one per PPTP/mpd client -- see the VPN rules below).
# A macro holding a "{ ... }" list works because macros are pure text
# substitution at parse time.
int_if="hn0"
ext_if="hn1"
guest_if="hn2"
vpn_if="{ ng0 ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 }"
# Internal hosts (10.1.1.0/24).  hypervsupero is not referenced by any rule
# in this listing.
hypervserver="10.1.1.254"
tserver="10.1.1.101"
dbserver="10.1.1.100"
smallserver="10.1.1.98"
hypervsupero="10.1.1.1"
# NOTE(review): pf.conf(5) says macro names must start with a letter; this
# one starts with a digit.  The posted ruleset evidently loads, but confirm
# with `pfctl -nf /etc/pf.conf` after any pfctl upgrade.
1c_virtual="10.1.1.2"
# External peers (the repeated-octet addresses look sanitised for the post).
office4="95.95.95.95"
office2="94.94.94.94"
timeserver="13.79.239.69"
ftpserver="96.96.96.96"
testserver="89.89.89.89"

# --- Tables -------------------------------------------------------------
# <lan_net>: the whole LAN minus the servers, which get their own per-peer
# NAT rules instead of a blanket "to any".  Negated entries ("!") exclude
# addresses from a table; commas between entries are optional.
table <lan_net> { 10.1.1.0/24, !$1c_virtual, !$tserver, !$dbserver, !$hypervserver, !$smallserver }
# Destination whitelists used by the per-server NAT rules below.
table <eset_servers> { 91.228.166.13 91.228.166.14 91.228.166.15 91.228.166.16 91.228.167.132 91.228.167.133 38.90.226.36 38.90.226.37 38.90.226.38 38.90.226.39 91.228.166.88 38.90.226.40 91.228.167.26 91.228.167.21 188.225.81.21 119.29.72.159 41.71.77.123 }
table <liga_servers> { 193.17.46.21 }
table <medoc_servers> { 212.90.186.150 212.90.165.230 212.90.165.228 185.149.40.57 212.90.172.234 213.156.90.132 213.156.90.131 217.76.198.151 195.230.128.103 212.90.163.21 91.142.165.86 77.88.192.114 185.149.40.43 131.253.61.96 194.247.13.252 185.149.40.62 217.76.198.135 198.41.214.154 }
table <uz_servers> { 195.149.70.70 195.149.70.69 }
table <md_servers> { 195.191.24.91 176.111.61.59 195.225.228.133 80.78.34.253 80.78.35.11 80.78.34.254 80.78.34.252 }
# Loaded from a file: pfctl refuses to load the whole ruleset if the file is
# missing or unreadable, so keep it in place (or add "persist" and fill the
# table with `pfctl -t winupdate_servers -T replace -f ...` instead).
table <winupdate_servers> file "/etc/pf.tables/winupdate_servers"
finance_ua="89.184.80.14"
# Roaming netbooks: office2's address plus four fixed addresses.
table <netbooks> { $office2 77.77.77.1 77.77.77.2 77.77.77.3 77.77.77.4 }
auditor="46.46.46.46"

# --- Options / normalisation ---------------------------------------------
# pf enforces section order: "set" options must come before "scrub", which
# must come before the nat/rdr and filter rules.  This is therefore the only
# place to address the thread's problem (state table filling up with entries
# for peers that are gone):
#   set limit states N          -- raise the hard cap (FreeBSD default 10000)
#   set timeout { adaptive.start X, adaptive.end Y }
#                               -- scale timeouts down as the table fills
#   set timeout tcp.established 3600 (etc.)
#                               -- the 24 h default keeps dead peers a long time
# NOTE(review): before raising limits, run `pfctl -si` (current/limit) and
# `pfctl -ss` (which rule and which peer owns each state); the rules below
# that are open to "any" on $ext_if are the likely owners.
set skip on lo0
# Reassemble inbound fragments; "no-df" clears the dont-fragment bit.
scrub in all no-df

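# --- Translation (nat / rdr) ------------------------------------------------
# nat and rdr are first-match and are evaluated independently of the filter
# rules further down.  "rdr pass" rules also skip the filter rules entirely,
# so every "rdr pass" here is a hole the DEFAULT POLICY section cannot close.
#
# Review change: 10.1.1.101 is $tserver (defined above) -- referenced by
# macro so the NAT section cannot silently drift from the filter section;
# the DVR address gets a macro of its own for the same reason.

# NAT for LAN (<lan_net> already excludes the servers, which only get NAT
# towards their individual peers below)
nat on $ext_if from <lan_net> to any -> $ext_if
nat on $ext_if from $tserver to <md_servers> -> $ext_if
nat on $ext_if from $tserver to <eset_servers> -> $ext_if
nat on $ext_if from $tserver to $finance_ua -> $ext_if
nat on $ext_if from $dbserver to { $ftpserver $testserver } -> $ext_if
nat on $ext_if from $hypervserver to <liga_servers> -> $ext_if
nat on $ext_if from $smallserver to <uz_servers> -> $ext_if
nat on $ext_if from $smallserver to <medoc_servers> -> $ext_if
nat on $ext_if proto { tcp udp } from $hypervserver to $timeserver port 123 -> $ext_if
nat on $ext_if from { $hypervserver $tserver $dbserver $smallserver $1c_virtual } to <winupdate_servers> -> $ext_if
# NAT for GUEST WIFI
nat on $ext_if from 192.168.0.0/24 to any -> $ext_if
# For netbooks: RDP, Nod32 updates, Jabber, LDAP (restricted to <netbooks>)
rdr pass on $ext_if proto tcp from <netbooks> to $ext_if port { 3389 2221 5222 3268 } -> $tserver
# For netbooks working in local wifi: hairpin NAT so LAN clients can use the
# public address (rdr rewrites the destination, nat rewrites the source so
# the reply comes back through this box).
rdr on $int_if proto tcp from <lan_net> to $ext_if port { 5222 3389 2221 3268 } -> $tserver
nat on $int_if proto tcp from <lan_net> to $tserver port { 5222 3389 2221 3268 } -> $ext_if
# For Auditor direct connection RDP (non-standard external port 42376)
rdr pass on $ext_if proto tcp from $auditor to $ext_if port 42376 -> $tserver port 3389
# For access to DVR from LAN, guest wifi and WAN.
# NOTE(review): "from any" on $ext_if exposes the DVR's plain-HTTP UI (port
# 80 behind 10576) and port 37777 to the whole internet, and "rdr pass"
# means no filter rule can narrow it.  If WAN access is really needed,
# restrict the source (a table of allowed addresses) or reach it over VPN.
dvr="10.1.1.64"
nat on $int_if proto tcp from any to $dvr port { 80 37777 } -> $ext_if
rdr pass on { $int_if $guest_if $ext_if } proto tcp from any to $ext_if port 10576 -> $dvr port 80
rdr pass on { $int_if $guest_if $ext_if } proto tcp from any to $ext_if port 37777 -> $dvr
# open direct RDP for office4
rdr pass on $ext_if proto tcp from $office4 to $ext_if port 3389 -> $tserver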

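# --- Filter rules -------------------------------------------------------------
# pf filter rules are last-match: a later "pass" overrides an earlier "block"
# for the same packet unless "quick" is used.  Every "pass" below is stateful
# (implicit "keep state"), so each one can add entries to the state table.
#
# Review changes in this section:
#   * guests can no longer reach this box's own addresses except where a
#     later rule explicitly re-opens a service (DHCP, DNS, PPTP, ping);
#   * the world-reachable ssh rule gets source tracking with an overload
#     table, so a scanning/brute-forcing host is cut off and its states
#     flushed instead of accumulating.

# DEFAULT POLICY
block in
pass out
# Outbound blacklist entry; it comes after "pass out" so it wins by last-match.
block out on $ext_if from any to 217.20.163.54

# open internal interface (the LAN is fully trusted)
pass in on $int_if from any to any

# Guest interface: NAT to the internet, plus DHCP and DNS served by this box.
# "to !10.0.0.0/8" on its own still lets guests reach this host's non-10/8
# addresses -- the public address on $ext_if and the guest gateway address
# itself -- and so any daemon listening there (the ssh rule below only
# matches packets arriving *on* $ext_if, not packets *to* its address).
# "self" expands to every address of every interface; the DHCP, DNS and PPTP
# rules after it re-open exactly those services.  Add a "pass" after the
# block for any other service the gateway is meant to offer guests.
pass in on $guest_if from any to !10.0.0.0/8
block in on $guest_if from any to self
pass in on $guest_if proto udp from any to $guest_if port 67
pass in on $guest_if proto { tcp udp } from any to $guest_if port 53

# allow ssh-connections
# A source that opens more than 5 new connections in 30 s is added to
# <bruteforce>, its states are flushed ("flush global" = on all rules), and
# the "quick" block keeps it out until the entry is expired, e.g. with
# `pfctl -t bruteforce -T expire 86400` from cron.  5/30 is a starting point;
# tune it to the legitimate admin traffic.  The table is defined here so this
# section stands on its own; it can be moved up next to the other tables.
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp from any to $ext_if port ssh synproxy state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# allow pptp-connections
# NOTE(review): PPTP authentication (MS-CHAPv2) is cryptographically broken;
# these two rules are open to "any" and are kept as posted.  Prefer the
# OpenVPN server at the end of this file and retire these once clients move.
pass in on { $ext_if $int_if $guest_if } proto tcp from any to $ext_if port 1723
pass in on { $ext_if $int_if $guest_if } proto gre from any to $ext_if

# RULES FOR VPN
# Per-client permissions on the PPTP (ng*) and OpenVPN (tun0) interfaces.
pass in on $vpn_if proto icmp from any to any
pass in on tun0 from { 10.1.2.220 10.1.2.139 10.1.2.7 10.1.2.8 10.1.2.1 10.1.2.2 10.1.2.64 10.1.2.59 10.1.27.0/24 } to 10.1.1.0/24
pass in on $vpn_if from 10.1.2.250 to { 10.1.1.64 10.1.1.97 10.1.1.1 }
pass in on $vpn_if from 10.1.3.0/24 to { $int_if $tserver 10.1.3.0/24 }
pass in on $vpn_if from { 10.1.4.129 10.1.4.150 10.1.4.151 10.1.4.152 10.1.4.153 10.1.4.154 } to { $int_if $tserver $smallserver 10.1.1.59 }
# NOTE(review): "to any" gives this client (also listed just above) the same
# unrestricted access as the LAN, including onward internet access through
# "pass out" -- confirm that is intended.
pass in on $vpn_if from 10.1.4.153 to any
pass in on $vpn_if proto { tcp udp } from 10.1.4.0/24 to $tserver port 53
pass in on $vpn_if from 10.1.0.9 to { $tserver $dbserver }
pass in on $vpn_if from 10.1.0.10 to { $tserver $dbserver }
# NOTE(review): same remark -- "to any" is full access for this client.
pass in on $vpn_if from 10.1.0.159 to any
pass in on $vpn_if from 10.1.0.63 to $tserver
pass in on $vpn_if from 10.1.0.213 to $tserver
pass in on $vpn_if from 10.1.0.22 to $tserver
pass in on $vpn_if proto tcp from 10.1.0.24 to { $int_if $tserver } port { 25 110 5222 }
pass in on $vpn_if from 10.1.0.23 to $tserver
pass in on $vpn_if from 10.1.0.91 to { $tserver 10.1.1.91 }
pass in on $vpn_if proto tcp from 10.1.0.214 to $int_if port { 25 110 }
pass in on $vpn_if proto tcp from 10.1.0.214 to $tserver port 3268
pass in on $vpn_if proto tcp from 10.1.0.224 to $int_if port { 25 110 }
pass in on $vpn_if proto tcp from 10.1.0.37 to $smallserver port 3389
pass in on $vpn_if from 10.1.0.197 to $tserver
pass in on $vpn_if from 10.1.0.30 to { $int_if $tserver }
pass in on $vpn_if from 10.1.0.201 to $smallserver

# For netbooks: mail (SMTP on the non-standard port 26, POP3)
pass in on $ext_if proto tcp from <netbooks> to $ext_if port { 26 110 }

# IP-telephony for Ivan
# Open to the world.  Every probe of the UDP range creates a state that lives
# until the udp.* timeouts expire it -- a likely contributor to the state
# table growth discussed in this thread; restrict the source if the SIP
# provider's addresses are known.
pass in on $ext_if proto tcp from any to $ext_if port 26354
pass in on $ext_if proto udp from any to $ext_if port 10000:10100

# Allow ping (all interfaces, echo request only)
pass in inet proto icmp all icmp-type echoreq keep state

# OpenVPN Server (only from office2)
pass in on $ext_if proto { tcp udp } from $office2 to $ext_if port 1194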

 
