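# Macros: interfaces, gateways and address lists used by the rules below.
# Uplink 1 ("strnz") and uplink 2 ("ttk") are the external interfaces; re0 is the LAN.
strnz_if="re1"
ttk_if="re2"
int_if="re0"
# Interface that is created when the second network is connected; it carries the address 192.168.11.6.
rb_if='ng2'
# One macro per line: the original had rb_if and gw_strnz run together on a single
# line, which pfctl rejects as a syntax error.
# "x.x" looks like a redacted octet pair — must be the real address on a live firewall.
gw_strnz="85.x.x.229"
strnz_ip="85.x.x.230"
gw_ttk="192.168.22.1"
ttk_ip="192.168.22.2"
# Address of the connection from the second network (next hop for route-to via $rb_if).
# NOTE(review): this address lies inside $int_net (192.168.11.0/24), not inside $rb_net — confirm.
gw_rb='192.168.11.6'
int_net="192.168.11.0/24"
ttk_net="192.168.22.0/24"
# Subnet of the second network.
rb_net="192.168.0.0/24"
# LAN hosts whose outbound traffic is pinned to the strnz uplink (see the route-to rule on $int_if).
to_strnz="{ 192.168.11.2, 192.168.11.3, 192.168.11.4 }"
# Ports accepted from anywhere on the ttk uplink (tcp and udp).
services_ext="{ 22 25 53 80 }"
# ICMP types accepted on both uplinks.
icmp_types="{ echoreq, unreach}"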
# Global options.
# "return" answers blocked packets with TCP RST / ICMP unreachable instead of
# dropping them silently; on the Internet-facing $strnz_if/$ttk_if this confirms
# the host's presence to scanners — NOTE(review): consider "drop" there.
set block-policy return
# Loopback traffic is never filtered.
set skip on lo0
# Normalise every inbound packet before it reaches the filter rules.
scrub in all
# Translation rules (pf applies these before the filter rules).
# Masquerade the LAN behind the address of whichever uplink the packet leaves on.
nat on $strnz_if from $int_net to any -> ($strnz_if)
nat on $ttk_if from $int_net to any -> ($ttk_if)
# Inbound SMTP on the ttk uplink is handed to the internal mail host.
# NOTE(review): it is then admitted by the "port $services_ext" pass rule below
# (25 is in that list) with no source restriction and no connection limit.
rdr on $ttk_if inet proto tcp from any to any port 25 -> 192.168.11.17 port 25
# Redirect traffic addressed to the second network's subnet to the interface that knows that network.
# NOTE(review): rdr rewrites the packet's *destination address* to ($rb_if)'s address; it does
# not select an outgoing interface. Forwarding to $rb_net is done by the route-to rule on
# $int_if further down — confirm this rdr (TCP only) is really intended.
rdr on $int_if inet proto tcp from any to $rb_net -> ($rb_if)
# Filter rules. Default deny; later matching rules win unless marked "quick".
block all
# Anything from the Internet may reach $services_ext (ssh, smtp, dns, http) on any
# destination behind the ttk uplink, including the rdr'd mail host. "flags S/SA"
# creates state only from the initial SYN.
pass in on $ttk_if inet proto { tcp,udp } from any to any port $services_ext flags S/SA keep state
# Services offered by the firewall itself on each uplink. "reply-to" forces the
# replies back out through the uplink (and its gateway) the request arrived on,
# which is what makes two uplinks with two default routes work.
# NOTE(review): ssh is reachable from any source on both uplinks; restricting the
# source or adding a state/rate limit (max-src-conn-rate) would reduce exposure.
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto tcp from any to $strnz_if port ssh keep state
pass in on $ttk_if reply-to ($ttk_if $gw_ttk) proto tcp from any to $ttk_if port ssh keep state
# PPTP control channel. These two rules lack "keep state" unlike their siblings;
# on pf releases where state is not the default, return traffic relies on the
# "pass out quick" rules at the bottom. No rule for the GRE data channel is visible
# here — NOTE(review): confirm PPTP sessions actually complete through these uplinks.
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto tcp from any to $strnz_if port 1723
pass in on $ttk_if reply-to ($ttk_if $gw_ttk) proto tcp from any to $ttk_if port 1723
# SMTP directly to the firewall is accepted on the strnz uplink only (on ttk it is rdr'd).
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto tcp from any to $strnz_if port 25
# POP3, IMAP, FTP, HTTP and DNS (tcp+udp) to the firewall on both uplinks.
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto tcp from any to $strnz_if port 110
pass in on $ttk_if reply-to ($ttk_if $gw_ttk) proto tcp from any to $ttk_if port 110
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto tcp from any to $strnz_if port 143
pass in on $ttk_if reply-to ($ttk_if $gw_ttk) proto tcp from any to $ttk_if port 143
# Only the FTP control connection (21) is covered; data connections are not handled by these rules.
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto tcp from any to $strnz_if port 21
pass in on $ttk_if reply-to ($ttk_if $gw_ttk) proto tcp from any to $ttk_if port 21
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto tcp from any to $strnz_if port 80
pass in on $ttk_if reply-to ($ttk_if $gw_ttk) proto tcp from any to $ttk_if port 80
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto tcp from any to $strnz_if port 53
pass in on $ttk_if reply-to ($ttk_if $gw_ttk) proto tcp from any to $ttk_if port 53
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto udp from any to $strnz_if port 53
pass in on $ttk_if reply-to ($ttk_if $gw_ttk) proto udp from any to $ttk_if port 53
# Echo requests and unreachables to the firewall's uplink addresses.
pass in on $strnz_if reply-to ($strnz_if $gw_strnz) proto icmp from any to $strnz_if icmp-type $icmp_types
pass in on $ttk_if reply-to ($ttk_if $gw_ttk) proto icmp from any to $ttk_if icmp-type $icmp_types
# The LAN interface is fully open in both directions; "quick" stops evaluation here,
# so the route-to rules below only apply where they are also "quick" and listed later.
pass quick on $int_if from any to any
pass quick from $int_net to $int_net
# Allow everything on the interface from the second network.
pass on $rb_if from any to any
# Policy routing for LAN-originated traffic. Order matters: the specific rules
# ($rb_net, $ttk_net, the $to_strnz hosts) must precede the catch-all that sends
# the rest of the LAN through the ttk uplink.
# Traffic that arrived on the first LAN's interface and is addressed to the second network
# is forwarded into the interface from the second network.
pass in quick on $int_if route-to ($rb_if $gw_rb) from $int_net to $rb_net keep state
pass in quick on $int_if route-to ($ttk_if $gw_ttk) from $int_net to $ttk_net keep state
pass in quick on $int_if route-to ($strnz_if $gw_strnz) from $to_strnz to any keep state
pass in quick on $int_if route-to ($ttk_if $gw_ttk) from $int_net to any keep state
# All outbound traffic sourced from the vpn interface from the second network is sent into that link.
pass out quick route-to ($rb_if $gw_rb) from $rb_if to any keep state
# Traffic sourced from an uplink's own address always leaves via that uplink's gateway,
# regardless of the kernel routing table.
pass out quick route-to ($strnz_if $gw_strnz) from $strnz_if to any keep state
pass out quick route-to ($ttk_if $gw_ttk) from $ttk_if to any keep state