Firewall cant access internet

For some reason my openbsd firewall cannot access the internet. For instance I cannot ping my internet gateway router, or ping yahoo.com or even the ip for yahoo.

The reason I need this is because I'd like to D/L Packages VIA FTP. I cannot do this without internet access.

I also want to use Dynamic DNS so when my wan ip chnages my dns hosts are setup at zoneedit.com

My pcs and devices on the network can ping eveything and use the internet odd.

Some more info on the problem. Here is my setup and config

Internet Gateway 24.200.249.1
|
|
Motorola Cable modem
|
|
Vr1(WAN 24.200.249.219 open Bsd) Vr2(not being used yet)
|
|
Vr0(10.20.25.1/24 LAN Open Bsd)
|
|
Client that works 10.20.25.25/24 Gateway 10.20.25.1

Destination Gateway Flags Refs Use Mtu Interface
default 24.200.249.1 UGS 1 15340 - vr1
10.20.25/24 link#1 UC 1 0 - vr0
10.20.25.25 0:1:80:21:c9:de UHLc 2 12023 - vr0
24.200.249/24 link#2 UC 1 0 - vr1
24.200.249.1 0:1:5c:23:56:92 UHLc 1 71 - vr1
24.200.249.219 127.0.0.1 UGHS 0 11 33224 lo0
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 2 73 33224 lo0
224/4 127.0.0.1 URS 0 0 33224 lo0

Pf.conf
Importatn parts...

ext_if1 = "vr1"
ext_if2 = "vr2"
int_if = "vr0"
lan_net = "10.20.25.0/24"

set skip on lo0

nat on vr1 from vr0:network to any -> (vr1)
rdr pass on $ext_if1 proto {tcp, udp} from any to any port 3389 -> 10.20.25.25

block in on $ext_if1 all

antispoof quick for { lo $int_if }

Bublitz...

according to your routing table, your outside interface isn't on the same network as the gateway, so you won't be able to hit it.

Your IP and gateway always need to be in the same subnet.
verify the netmask and gateway with your isp.

Based on the addresses given, your netmask would need to be 255.0.0.0 to include the 24.119.x.x and 24.200.x.x in the same subnet, so you can use 24.200 as the gateway.

OOPS!

Ok look again! I typed it wrong!

That is not the problem just a typo.

ok, this looks like the issue is with the pf.conf.

Try setting your pf.conf to pass all and see if the situation changes (obviously not something you want to do permanently, but it is a good test to nail down whether or not the issue is with packet filter, or your connection to the isp.)

Or, try running tcpdump on the outside interface when you test connectivity. You should see the request leave the outside and reply come back. If the reply comes back, but the ping still failed, i would say that pf is dropping it.

i would try adding the following to your conf -

pass out on $external keep state

you may also want to add pass in/out quick for the internal interface, just to ensure that it is not blocking the traffic before it gets a chance to be translated and sent out.


hopefully this helps.

Thanks I will try these things. Still seems odd it would block itself and not my clients. My pg.confg doesn't have any blocking of out outgoing traffic.

pass out on $ext_if1 keep state

Ill try this first it's in the pf.conf but its commented out.

Anyone know of a command that allows you to update the pf.confg changes without a reboot?