From: Henry Graterol
Date: Fri, 13 Aug 2010 17:54:46 -0400
To: freebsd-net@freebsd.org
Subject: PF+OpenVPN+tap
List-Id: Networking and TCP/IP with FreeBSD
Message-ID: <4C65BF26.8080507@gmail.com>

Hello,

Before I start, let me state that I am not an expert on FreeBSD; I do enjoy it, consider it a hobby, and love it!

I have a problem. I use a FreeBSD server behind a router/gateway to connect clients with OpenVPN. I started to notice weird traffic, so I decided to try PF to control traffic.

My OpenVPN setup uses a tap adapter and a bridge adapter bridging the vpnclient_ips and the server_ip. Without PF everything works fine, so no problem there.

When I activate PF I can establish a connection to the server_ip from outside through the VPN, but I cannot ping, connect to clients or the internet. After trial and error, the setup that worked for me was to skip filtering on bridge0 and tap0. With this in my configuration the VPN worked as before.

Now the problem: when I reboot the system my VPN allows connections but repeats the past scenario (no ping, no connection to clients, no internet, etc.). The fix I have found is to let the system reboot and then issue a pfctl -f /etc/pf.conf to reload the rules. Then everything works again.

My guess is that PF is loading before the bridge and tap adapters come up, so that is somehow skipped from loading. My tap connection is set up to come up from a script when it gets a connection from OpenVPN.

Is this a correct guess? What else could be the problem?

Thank you in advance for your feedback!
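Added example, not part of the original post or of any reply in the thread: an OpenVPN "up" script for FreeBSD that does, automatically, what the poster does by hand after each reboot. OpenVPN passes the device name as the first argument, so the script attaches the new tap interface to the bridge and then reloads the pf ruleset, at which point "set skip on { bridge0 tap0 }" refers to an interface that exists. The interface names bridge0/tap0, the path /etc/pf.conf and the DRY_RUN switch are assumptions for illustration; the script assumes bridge0 was already created at boot (for example via cloned_interfaces in /etc/rc.conf) and only adds the tap member.

```shell
#!/bin/sh
# Added example (not the poster's own script). OpenVPN invokes an "up"
# script as:  <script> <dev> <mtu> <link-mtu> <ip> <mask> <init|restart>
# Enable it in the server config with:
#   script-security 2
#   up /usr/local/etc/openvpn/up.sh        (path is an assumption)

PF_CONF="${PF_CONF:-/etc/pf.conf}"   # assumed ruleset location
BRIDGE="${BRIDGE:-bridge0}"          # assumed bridge name, created at boot

# Run a command, or only print it when DRY_RUN is set. The dry-run mode
# exists so the script's actions can be checked without real interfaces.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Attach the tap device OpenVPN just created to the bridge and bring it up.
bridge_tap() {
    tap="$1"
    run ifconfig "$BRIDGE" addm "$tap" up
    run ifconfig "$tap" up
}

# Reload pf now that bridge0 and the tap device both exist. This is the
# manual "pfctl -f /etc/pf.conf" step from the post, done automatically.
reload_pf() {
    run pfctl -f "$PF_CONF"
}

# Build the pf.conf line that bypasses filtering on the VPN interfaces.
# Caveat: every packet crossing the listed interfaces is then unfiltered,
# so clients on the VPN side get the same access as the bridged LAN.
pf_skip_line() {
    printf 'set skip on { %s }\n' "$*"
}

up_main() {
    bridge_tap "$1"
    reload_pf
}

# Only act when OpenVPN calls us with a device name as the first argument.
if [ $# -ge 1 ]; then
    up_main "$1"
fi
```

Usage: install the script, reference it with "up" in the OpenVPN server config, and put the output of pf_skip_line (for example "set skip on { bridge0 tap0 }") in /etc/pf.conf. The alternative that avoids the reload entirely is to create both interfaces before pf starts, with cloned_interfaces="bridge0 tap0" in /etc/rc.conf, so the ruleset is loaded against interfaces that already exist.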