From: Andreas Longwitz
To: "Bjoern A. Zeeb"
CC: freebsd-net@freebsd.org
Date: Tue, 19 Jan 2016 00:02:58 +0100
Subject: Re: pf not seeing inbound packets coming from IPSec on epair interface
Message-ID: <569D6F22.1000405@incore.de>
In-Reply-To: <5ADF2343-7643-41ED-B2AE-8A94A3478B95@lists.zabbadoz.net>

Hi, thanks for the answer.

>> in the situation
>> IPSec --> epair0a --> epair0b --> em1
>> pf does not see inbound packets on the interface epair0b, because the
>> epair driver does not clear the flag PACKET_TAG_IPSEC_IN_DONE when it
>> transfers a packet from epair0a to epair0b. The following patch for
>> FreeBSD 10 works for me and is adapted from
>> lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html:
>
> Where does epair get the packet from? A physical interface bridged to epair?

I use epair on a firewall machine FW running to serve VPNs for iPhones (IPSec with XAuth). Every user gets an IP (racoon + freeradius) to use in his tunnel; the tunnel IP of FW is fixed. Different user groups must connect to different mail servers in my network. FW has two hardware interfaces, em0 (internet) and em1 (intranet), no jails, no bridges. I use the rdr command of pf on interface epair0b to redirect the user to the correct mail server before the packets leave my FW on interface em1 (with nat and a pass rule using reply-to (epair0b $ip_epair0a)). I am not aware of another method to rewrite the destination address of an IPSec incoming packet on the same machine, therefore the use of epair.

> Hmm, but then if you are using epairs to cross between network stacks, you are
> changing boundaries, indeed, so if you’d run ipsec on a single epair between two
> VNETs, that might be interesting as well?

I think epair should behave identically to em2 + em3 with a crossover cable, but I do not have enough network interfaces.

> I guess we’ll need to find a couple of these places (epair, bridge, netgraph, …)
> and make sure we strip all of the tags IFF we change the VNET?

I think so. One example is mentioned in lists.freebsd.org/pipermail/freebsd-net/2012-January/031161.html for clients using a VPN with L2TP over IPSec (racoon + mpd5).

Dr. Andreas Longwitz
Data Service GmbH
Beethovenstr. 2A
23617 Stockelsdorf
Amtsgericht Lübeck, HRB 318 BS
Managing directors: Wilfried Paepcke, Dr. Andreas Longwitz, Josef Flatau
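The rdr / nat / reply-to arrangement Andreas describes, written out as an added pf.conf example (not taken from the thread or from any participant). Interface names follow the mail; every address, network, table and mail-server host is a constructed placeholder.

```pf
# Added example: pf.conf fragment for the FW box in the thread.
# em0/em1/epair0a/epair0b are the names from the mail; all addresses
# below are assumed placeholders, not values from the thread.
ext_if     = "em0"            # internet
int_if     = "em1"            # intranet
vpn_in     = "epair0b"        # pf filters IPsec client traffic here
ip_epair0a = "192.0.2.1"      # address of epair0a, next hop for replies (assumed)
vpn_net    = "10.200.0.0/24"  # tunnel pool handed out via racoon + freeradius (assumed)
vpn_mail   = "10.200.0.254"   # mail address the phone profiles point at (assumed)

# Client addresses assigned per user group by freeradius (assumed ranges).
table <grp_a> { 10.200.0.0/25 }
table <grp_b> { 10.200.0.128/25 }

mail_a     = "172.16.1.10"    # real mail server for group A (assumed)
mail_b     = "172.16.2.10"    # real mail server for group B (assumed)
mail_ports = "{ 25, 143, 587, 993 }"

# Translation rules precede filter rules in FreeBSD 10 pf.conf.
# Rewrite the destination per group as the packet arrives on epair0b.
# If the epair driver leaves PACKET_TAG_IPSEC_IN_DONE on the mbuf, pf
# skips the packet on epair0b and these rules never match (the bug in
# the thread).
rdr on $vpn_in inet proto tcp from <grp_a> to $vpn_mail port $mail_ports -> $mail_a
rdr on $vpn_in inet proto tcp from <grp_b> to $vpn_mail port $mail_ports -> $mail_b

# Hide the tunnel addresses behind em1 when the packet leaves for the intranet.
nat on $int_if inet from $vpn_net to any -> ($int_if)

# Replies must return through the epair pair rather than via the routing
# table: reply-to sends them out epair0b with epair0a's address as next hop.
pass in quick on $vpn_in reply-to ($vpn_in $ip_epair0a) inet proto tcp from $vpn_net to any keep state
pass out quick on $int_if inet proto tcp to { $mail_a, $mail_b } port $mail_ports keep state
```

`pfctl -vsn` and `pfctl -vsr` print per-rule packet counters; with the unpatched epair driver the rdr counters on epair0b do not advance for traffic arriving from the tunnel, which is the symptom the thread describes.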