From: Iñigo Ortiz de Urbina
To: Henry Graterol, freebsd-net@freebsd.org
Date: Sun, 15 Aug 2010 16:02:01 +0200
Subject: Re: PF+OpenVPN+tap
In-Reply-To: <4C65BF26.8080507@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

Can you post your pf.conf? Did you check which packets are blocked and when? You can use pfctl, pftop and pflog for this :) Spawn some xterms and monitor the network while your clients attach to your VPN; maybe you can spot the problem.

On 8/13/10, Henry Graterol wrote:
> Hello,
>
> Before I start, let me state that I am not an expert on FreeBSD. I do
> enjoy it, consider it a hobby, and love it!
>
> I have a problem. I use a FreeBSD server behind a router/gateway to
> connect clients with OpenVPN. I started to notice weird traffic, so I
> decided to try PF to control traffic. My OpenVPN setup uses a tap
> adapter and a bridge adapter bridging the vpnclient_ips and the server_ip.
>
> Without PF everything works fine, so no problem there. When I activate
> PF I can establish a connection to the server_ip from outside through the VPN,
> but I cannot ping or connect to clients or the internet. After trial and
> error, the setup that worked for me was to skip filtering on bridge0 and
> tap0. With this in my configuration the VPN worked as before.
>
> Now the problem: when I reboot the system, my VPN allows connections but
> repeats the past scenario (no ping, no connection to clients, internet,
> etc.). The fix I have found is to let the system reboot and then issue a
> pfctl -f /etc/pf.conf to reload the rules. Then everything works again.
>
> My guess is that PF is loading before the bridge and tap adapters come
> up, so that is somehow skipped from loading. My tap connection is set up
> to come up from a script when it gets a connection from OpenVPN.
>
> Is this a correct guess? What else could be the problem?
>
> Thank you in advance for your feedback!
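The manual workaround Henry describes (reload the ruleset once tap0 and bridge0 exist) can be automated from OpenVPN's up hook, and the reload can be verified with pfctl as Iñigo suggests. The script below is an added example for this thread, not code posted by either participant. It assumes a layout the thread does not state: the OpenVPN server config carries `dev tap0`, `script-security 2` and `up /usr/local/etc/openvpn/up.sh`, and pf.conf carries `set skip on { bridge0 tap0 }`. The `pfctl -vsI` sample output at the bottom is constructed for the example.

```shell
#!/bin/sh
# OpenVPN "up" hook for a bridged tap server on FreeBSD that reloads pf
# after the tap device exists. Added example; not the original poster's
# script. OpenVPN invokes the hook as:
#   up.sh <dev> <tun_mtu> <link_mtu> <local_ip> <remote_ip> [init|restart]
# Assumed (not from the thread): script path /usr/local/etc/openvpn/up.sh,
# "script-security 2" in the server config, "set skip on { bridge0 tap0 }"
# in /etc/pf.conf.

BRIDGE="${BRIDGE:-bridge0}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 (lets the plan be
# inspected on a box without pf or a bridge).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vpn_up: bring the freshly created tap device up, add it to the bridge,
# then reload the ruleset so pf re-resolves interface names now that the
# device exists. This is the thread's "pfctl -f /etc/pf.conf", automated.
vpn_up() {
    dev="$1"
    [ -n "$dev" ] || { echo "usage: vpn_up <tapN>" >&2; return 2; }
    run ifconfig "$dev" up
    run ifconfig "$BRIDGE" addm "$dev"
    run pfctl -f "$PF_CONF"
}

# iface_is_skipped: read "pfctl -vsI" output on stdin and succeed when the
# named interface carries the (skip) flag, i.e. pf really bypasses it.
iface_is_skipped() {
    awk -v want="$1" '$1 == want && $0 ~ /\(skip\)/ { found = 1 } END { exit !found }'
}

# Constructed sample of "pfctl -vsI" output (not captured from a real host):
# bridge0 is skipped, tap0 is listed but not skipped.
SAMPLE_PFCTL_SI='all
bridge0 (skip)
em0
lo0 (skip)
tap
tap0'

# When called by OpenVPN ($1 is the tap device), do the work and verify it.
if [ "$#" -gt 0 ]; then
    vpn_up "$1" || exit 1
    # A missing (skip) after the reload means the ruleset did not pick the
    # device up; that is the symptom from the thread.
    pfctl -vsI | iface_is_skipped "$1" \
        || echo "warning: $1 is not in pf's skip list after reload" >&2
fi
```

To see what pf is dropping while a client connects, as the reply suggests, add `log` to the block rule and watch the pflog interface with `tcpdump -n -e -ttt -i pflog0`; `pfctl -vsI` before and after a client attaches shows whether tap0 is in the skip set at all.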