Internet –> WRT54GL –> Soekris net5501 with pfSense –>
|– 24-port switch –> VPN server
|– WRT54GL

There’s two wireless routers on this network, the second one acts just like a regular access point, doesn’t do NAT or anything on it’s own, the Soekris machine allows clients to log on the wireless network and get an IP via DHCP (Different range from the internal network), and nothing else, except connecting to 10.0.1.7 on port 1194, which is the VPN on the internal network. Once users log onto that, they are part of the internal network, and can get on the Internet and the like. The VPN server also allows for people on the Internet to connect to it. So that I could go to China, and keep my liberty in cyberspace.
The only thing it does is VPN, so I would like to limit traffic to only VPN, SSH and pings. So far this is what I’ve got:

## Macros
eth_if=”gem0″
vpn_if=”tun0″

## Options
set block-policy return
set skip on lo0
scrub in all
antispoof quick for { $eth_if, $vpn_if }

## Filtering rules
block in all
pass out log all

pass inet proto icmp all icmp-type { echoreq, unreach }

pass in log on $eth_if proto tcp to ($eth_if) port 22
pass in log on $eth_if proto udp to ($eth_if) port 1194
pass in log on $vpn_if

But the VPN doesn’t work with that enabled.

Its a long time since i wrote this howto and i have lots of machines with different pf.conf setups. What sort of setup are you trying to achieve?

Glad it was helpful.