Date:      Tue, 23 Aug 2022 05:44:56 -0400
From:      mike tancsa <mike@sentex.net>
To:        Carlos López Martínez <clopmz@outlook.com>, questions@freebsd.org
Subject:   Re: Problems between pf in FreeBSD 13 and WireGuard
Message-ID:  <829efc01-634d-c9ae-f1e1-4e8213c0cf5e@sentex.net>
In-Reply-To: <PRAP251MB05672A79A03A28AB4D027979DB709@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
References:  <PRAP251MB05672A79A03A28AB4D027979DB709@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>

On 8/23/2022 2:16 AM, Carlos López Martínez wrote:
> set skip on { lo wg0 }

I would avoid the skip part as it often leads to unexpected troubles. 
Instead, add rules to allow traffic on those interfaces as you would 
expect.  If I had to guess, there is no state rule on traffic 
egressing the wg0 interface to your internal network and hence it gets dropped.


> # Allow ICMP requests to check default route
> pass out on egress inet proto icmp from (self) icmp-type echoreq label 
> "Allow ICMP requests for public interface"
>
Don't think it's related, but "self" is often not dynamically updated as 
interfaces come and go and IP addresses are added / deleted, I find.  If you 
can, hook in up/down events on wg0 to reload the pf rules. Or for now, 
after your wg interface is up, run pfctl -f /etc/pf.conf to reload the 
ruleset so that the self table is updated.   Also, where do you add the 
IPs to your tables ? Instead of tables, try and use macros while you are 
debugging the rulesets. Something I also find helpful when debugging is to use

  pfctl -sr

and

  pfctl -sr -v (to show rule numbers that match /var/log/pflog)

that way you see how the macros are expanding, as it sometimes doesn't 
parse the way you expect.

     ---Mike
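As an added illustration of the advice in Mike's reply (example configuration, not part of the original thread or of Carlos's ruleset), here is a pf.conf fragment that drops "set skip" for wg0 and instead gives the WireGuard interface explicit stateful rules, using macros rather than tables so that "pfctl -sr" shows how they expand. The interface names (egress group, wg0, em0 as the LAN side), the network ranges and the UDP port are constructed sample values and assumptions; substitute your own.

```pf
# Added example: explicit stateful rules for wg0 instead of "set skip on wg0".
# Interface names, networks and port below are assumptions / constructed values.
ext_if  = "egress"           # interface group holding the default route
wg_if   = "wg0"              # WireGuard interface
lan_if  = "em0"              # assumed internal (LAN) interface
lan_net = "192.168.1.0/24"   # constructed sample LAN range
wg_net  = "10.8.0.0/24"      # constructed sample tunnel range
wg_port = "51820"            # assumed WireGuard listen port

# Keep skip for loopback only; wg0 is now filtered like any other interface.
set skip on lo0

# WireGuard handshakes and data arrive as UDP on the public interface.
pass in quick on $ext_if inet proto udp to ($ext_if) port $wg_port keep state

# Traffic from tunnel peers entering on wg0, towards the LAN or this host.
pass in on $wg_if inet from $wg_net to { $lan_net, ($wg_if) } keep state

# The piece that "set skip" used to hide: state for traffic leaving on wg0
# towards the peers, and for tunnel traffic leaving on the LAN interface.
pass out on $wg_if inet from { $lan_net, (self) } to $wg_net keep state
pass out on $lan_if inet from $wg_net to $lan_net keep state

# ICMP from this host, as in the original ruleset (address list "(self)"
# is evaluated at load time, hence the reload advice below).
pass out on $ext_if inet proto icmp from (self) icmp-type echoreq \
    label "Allow ICMP requests for public interface"
```

Before loading, "pfctl -nvf /etc/pf.conf" parses the file and prints the expanded rules without installing them, which is the quickest way to confirm the macros expand as intended; after wg0 is up, "pfctl -f /etc/pf.conf" reloads so that "(self)" and "($ext_if)" pick up the current addresses. To automate that reload, a devd(8) rule matching system "IFNET" with subsystem "wg0" and type "LINK_UP" (or "ATTACH", since wg0 is a cloned interface) can run the same pfctl command; that hook is an assumption about your setup, not something the thread configures.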