Date:      Mon, 02 Aug 2021 08:38:06 +0000
From:      alfadev via freebsd-ipfw <freebsd-ipfw@FreeBSD.org>
To:        Martin Beran <martin@mber.cz>
Cc:        "freebsd-ipfw@FreeBSD.org" <freebsd-ipfw@FreeBSD.org>, "freebsd-hackers@FreeBSD.org" <freebsd-hackers@FreeBSD.org>
Subject:   Re: How to Force Packet Traversal Order (IPFW2 => PF)
Message-ID:  <fv2AxuQ5R1suFH6GVt_V_Ryu7TC2rYppV8lfVvhgbShsjNpzoy3O1hgoBwvf5QFEFwcq3d4tk_RVd_SwOBEuPTsOFnswnRRMOflVBl_2cjw=@protonmail.com>
In-Reply-To: <CAKcYwPHY8JXix3pspgH8t7STO6ELADSL_n5ghOzetmHExCTHOA@mail.gmail.com>
References:  <rdc7jLoVJXZDL75xntp5gwEYLvZ2silSk8pwdE-QwT2QxpwXRKDbOP4A27q3o2QA4p4IS17A3kmEWRw4O9iQnmJh-PMqwvsf1h9PYbcVu9A=@protonmail.com> <CAKcYwPHY8JXix3pspgH8t7STO6ELADSL_n5ghOzetmHExCTHOA@mail.gmail.com>

Thank you all,
I did further research and found the same issue (Multi WAN + Captive Portal not working when pf+ipfw are enabled at the same time) on OPNSENSE.

first mention is here:
https://github.com/opnsense/core/issues/1166

here is the OPNSENSE solution:
https://git.furworks.de/opensourcemirror/opnsense-src/commit/83fd8a61b942d84f553e53127c4be02b318f7cf4

https://reviews.freebsd.org/D8109

I will try the solutions in the links above and hope this helps me and others.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Sunday, August 1st, 2021 at 1:19 AM, Martin Beran <martin@mber.cz> wrote:

> On Fri, 30 Jul 2021 at 13:41, alfadev via freebsd-ipfw <freebsd-ipfw@freebsd.org> wrote:
>
> > Hi,
> >
> > I have to use both IPFW and PF at the same time on my FreeBSD 12.2 gateway.
> >
> > According to my observations, the firewalls follow this order in all of my
> > scenarios: PF => IPFW2. I see this exactly when I use PF's route-to option.
> >
> > When I create a load-balancing rule using PF's route-to, packets do not enter
> > IPFW. So when I do PBR, IPFW rules like MAC-based piping, bandwidth,
> > captive portal etc. do not work.
> >
> > So I am trying to get this order:
> >
> > input => ipfw => pf
> >
> > but I think I cannot change this order without touching the kernel level.
> >
> > When I did some research I found this:
> >
> > https://www.opennet.ru/tips/info/1431.shtml
>
> I think that you do not need to touch kernel source, nor build a custom
> kernel. The order of calling packet filtering modules depends on the order
> of registering the modules to packet processing hooks. Instead of loading
> the modules by their respective startup scripts, you can load them in the
> required order by including them in /etc/rc.conf in variable kld_list. I do
> not remember if the order of calling is the same or the opposite of the
> order of module loading.
>
> Martin Beran


