Date: Wed, 18 Sep 2024 23:34:16 +0200
From: Benoit Chesneau <bchesneau@icloud.com>
To: "freebsd-net@freebsd.org" <freebsd-net@FreeBSD.org>
Subject: issue with ICMP with PF and nat and latest 14.1
Message-ID: <764EE8F1-BE88-4714-AD3F-9D93028FFEC4@icloud.com>
Hi,

It seems that since the latest update of PF in FreeBSD 14.1 mtr doesn't provide a correct trace using the default. It works with the `--udp` and `-T` options so it doesn't seem to be an issue with the next hop. Also mtr works perfectly on the firewall machine. Issue only happens on the NATed machines on the LAN behind it. No issue with IPv6.

I tried to change the config or pass everything but I still reproduce the issue. Any idea to troubleshoot/fix it is welcome :)

E.g. of trace:

```
MacBook-Pro-de-Benoit-8.local (10.0.1.62) -> 1.1.1.1 (1.1.1.1)           2024-09-18T11:32:29+0200
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.0.1.1                          0.0%    11    4.7   6.4   3.6  22.6   5.7
 2. (waiting for reply)
 3. (waiting for reply)
 4. (waiting for reply)
 5. (waiting for reply)
 6. one.one.one.one                   0.0%    10    6.8   6.6   5.6  11.7   1.8
```

The configuration of PF is the following:

```
table <lan> persist file "/etc/pf/lan.tbl"

IP_OUT = "<EDITED>"
ext_if = "vlan200"
vlan_ifs = "{ vlan10, vlan20, vlan30, vlan31, vlan110, vlan120 }"

# Macros
set block-policy drop
set skip on lo

# Options
scrub in all fragment reassemble    # Normalize and reassemble fragmented packets
#scrub in all

# nat
nat from <lan> to !<lan> -> $IP_OUT

# Explicitly block unroutable addresses
antispoof quick for ($ext_if)

#pass proto icmp all

# Drop invalid packets
block in quick on $ext_if inet proto tcp all flags FUP/FUP      # Dropping invalid TCP packets
block in quick on $ext_if inet proto tcp all flags S/SAFRUP     # Dropping weird flags

# Allow all outgoing traffic from the internal network (LAN)
pass out on $ext_if from any to any keep state

# Allow incoming established and related connections (untracked)
pass in on $ext_if proto tcp from any to any flags S/SA modulate state
pass in on $ext_if proto { udp, icmp, icmp6 } from any to any keep state

# Allow ICMP traffic for mtr (Echo Request, Echo Reply, Time Exceeded)
pass in inet proto icmp icmp-type { echoreq, echorep, timex } keep state
pass out inet proto icmp icmp-type { echoreq, echorep, timex } keep state
```

I also tried a simpler version:

```
# Allow all outgoing traffic
pass out on $ext_if all

# Allow all incoming ICMP
pass in inet proto icmp from any to any
```

While no errors, mtr on the LAN still doesn't work. I have also tried to log it:

```
pass in log proto icmp all
```

but no log appears.

I am clueless right now. It seems the error is related to `ICMP time exceeded in-transit` but I thought the issue would be solved by the configuration below. What am I missing?

Benoît