Date: Mon, 02 Aug 2021 08:38:06 +0000
From: alfadev via freebsd-ipfw <freebsd-ipfw@FreeBSD.org>
To: Martin Beran <martin@mber.cz>
Cc: "freebsd-ipfw@FreeBSD.org" <freebsd-ipfw@FreeBSD.org>, "freebsd-hackers@FreeBSD.org" <freebsd-hackers@FreeBSD.org>
Subject: Re: How to Force Packet Traversal Order (IPFW2 => PF)
Message-ID: <fv2AxuQ5R1suFH6GVt_V_Ryu7TC2rYppV8lfVvhgbShsjNpzoy3O1hgoBwvf5QFEFwcq3d4tk_RVd_SwOBEuPTsOFnswnRRMOflVBl_2cjw=@protonmail.com>
In-Reply-To: <CAKcYwPHY8JXix3pspgH8t7STO6ELADSL_n5ghOzetmHExCTHOA@mail.gmail.com>
References: <rdc7jLoVJXZDL75xntp5gwEYLvZ2silSk8pwdE-QwT2QxpwXRKDbOP4A27q3o2QA4p4IS17A3kmEWRw4O9iQnmJh-PMqwvsf1h9PYbcVu9A=@protonmail.com> <CAKcYwPHY8JXix3pspgH8t7STO6ELADSL_n5ghOzetmHExCTHOA@mail.gmail.com>

Thank you all,

I did further research and found the same issue (Multi WAN + Captive Portal not working when pf+ipfw are enabled at the same time) on OPNsense.

The first mention is here:
https://github.com/opnsense/core/issues/1166

Here is the OPNsense solution:
https://git.furworks.de/opensourcemirror/opnsense-src/commit/83fd8a61b942d84f553e53127c4be02b318f7cf4
https://reviews.freebsd.org/D8109

I will try the solutions at the links above and hope this helps me and others.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, August 1st, 2021 at 1:19 AM, Martin Beran <martin@mber.cz> wrote:

> On Fri, 30 Jul 2021 at 13:41, alfadev via freebsd-ipfw <freebsd-ipfw@freebsd.org> wrote:
>
> > Hi,
> >
> > I have to use both IPFW and PF at the same time on my FreeBSD 12.2 gateway.
> >
> > According to my observations, the firewalls follow this order in all of my
> > scenarios: PF => IPFW2. I see this exactly when I use PF's route-to option.
> >
> > When I create a Load-Balancing rule using PF's route-to, packets do not enter
> > IPFW. So when I do PBR, IPFW rules like MAC-based piping, bandwidth,
> > captive portal etc. do not work.
> >
> > So I am trying to get this order:
> >
> > input => ipfw => pf
> >
> > but I think I cannot change this order without touching the kernel level.
> >
> > When I did some research I found this:
> >
> > https://www.opennet.ru/tips/info/1431.shtml
>
> I think that you do not need to touch kernel source, nor build a custom
> kernel. The order of calling packet filtering modules depends on the order
> of registering the modules to packet processing hooks. Instead of loading
> the modules by their respective startup scripts, you can load them in the
> required order by including them in /etc/rc.conf in variable kld_list. I do
> not remember if the order of calling is the same or the opposite of the
> order of module loading.
>
> Martin Beran
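
A way to check the module load order that the `kld_list` suggestion above relies on, as an added example that is not part of the original messages. It reports only the order in which `ipfw` and `pf` are listed or loaded; whether packets are then filtered in the same or the opposite order is the point the reply leaves open. The function names and the sample `rc.conf` and `kldstat` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the order of ipfw and pf in kld_list and in kldstat.

# Constructed samples (hostname, addresses and sizes are made up).
SAMPLE_RCCONF='hostname="gw.example.org"
kld_list="ipfw pf"
gateway_enable="YES"'
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   18 0xffffffff80200000  2448f20 kernel
 2    1 0xffffffff82819000    24bc8 ipfw.ko
 3    1 0xffffffff8283e000    5b9f8 pf.ko'

# which_first NAME...: print "ipfw-first", "pf-first", or "unknown" when
# either module is missing from the ordered list of names.
which_first() {
    ipfw_pos='' pf_pos='' i=0
    for m in "$@"; do
        i=$((i + 1))
        m=${m##*/}; m=${m%.ko}      # strip directory and .ko suffix
        case $m in
            ipfw) : "${ipfw_pos:=$i}" ;;
            pf)   : "${pf_pos:=$i}" ;;
        esac
    done
    if [ -z "$ipfw_pos" ] || [ -z "$pf_pos" ]; then echo unknown
    elif [ "$ipfw_pos" -lt "$pf_pos" ]; then echo ipfw-first
    else echo pf-first
    fi
}

# rcconf_order: rc.conf text on stdin -> order of ipfw vs pf in kld_list.
# Uses the last double-quoted kld_list="..." line (assumed form).
rcconf_order() {
    which_first $(awk -F'"' '/^[ \t]*kld_list=/ { v = $2 } END { print v }')
}

# kldstat_order: `kldstat` output on stdin -> load order of ipfw vs pf.
# Assumes ascending Id means earlier load; a filter compiled into the
# kernel has no .ko entry and yields "unknown".
kldstat_order() {
    which_first $(awk 'NR > 1 { print $1, $NF }' | sort -n | awk '{ print $2 }')
}

echo "kld_list: $(printf '%s\n' "$SAMPLE_RCCONF" | rcconf_order)"
echo "kldstat:  $(printf '%s\n' "$SAMPLE_KLDSTAT" | kldstat_order)"
```

On a gateway, `rcconf_order < /etc/rc.conf` and `kldstat | kldstat_order` should agree after a reboot; a mismatch means something other than `kld_list` loaded one of the modules first.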