From: Sergey Grigorian <grigorian@theconcept.ru>
To: freebsd-questions@freebsd.org
Subject: 10.2-RELEASE not forwarding packets/NATing with pf
Date: Thu, 3 Sep 2015 11:49:17 +0000

Hello list.

I'm observing a weird thing with pf.conf/packet forwarding after upgrading from 10.1-RELEASE-p19 to 10.2-RELEASE.

I have a simple LAN gateway with a primitive pf.conf which is running just fine on 10.1-RELEASE-p19, performing some pretty minimal .
However, once I upgrade to the 10.2-RELEASE kernel -- that is, after the first restart during "freebsd-update upgrade -r 10.2-RELEASE" -- the box won't NAT or forward packets anymore.

What could be the reason for this? Has anything changed about pf between 10.1 and 10.2? Where do I look? Am I missing something obvious?

Thanks.

Here's the /etc/pf.conf:

    ext_if="hn0"
    int_if="hn1"

    set block-policy return
    set loginterface $ext_if
    set skip on lo

    scrub in

    nat pass log on $ext_if inet from !($ext_if) -> ($ext_if:0)

    rdr pass on $ext_if proto tcp from any to any port 10022 -> 172.16.1.3 port ssh
    rdr pass on $ext_if proto tcp from any to any port 10122 -> 172.16.1.4 port ssh
    rdr pass on $ext_if proto tcp from any to any port 10222 -> 172.16.1.5 port ssh

    pass all

And here's /etc/sysctl.conf:

    net.inet.ip.forwarding=1

And here's kldstat, for completeness' sake:

    Id Refs Address            Size     Name
     1   14 0xffffffff80200000 179ddb0  kernel
     2    1 0xffffffff8199e000 2f9b00   zfs.ko
     3    2 0xffffffff81c98000 6048     opensolaris.ko
     4    1 0xffffffff81e11000 26d1     pflog.ko
     5    1 0xffffffff81e14000 32e6f    pf.ko
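Added example, not part of the original message and not a diagnosis of its cause: a read-only checklist script for the symptom described above, a pf NAT gateway that has stopped forwarding. It checks the things a practitioner would look at first on the box: the forwarding sysctl, whether /etc/pf.conf still parses, whether pf is enabled, whether a nat rule is actually loaded on the external interface, and whether both interfaces still carry an IPv4 address. The interface names default to hn0/hn1 from the posted pf.conf; the pfctl output layouts the helpers expect ("Status: Enabled" from pfctl -s info, rules printed one per line by pfctl -s nat) are assumed from FreeBSD 10.x pfctl. The helpers take command output as text, so the same functions run against captured output as well as live output.

```sh
#!/bin/sh
# Added example, not from the original post: a read-only checklist for a
# FreeBSD pf gateway that has stopped NATing/forwarding. Run as root with
# --run. Interface names default to hn0/hn1 from the posted pf.conf.
# Assumption: the pfctl output layouts below are those of FreeBSD 10.x pfctl.

EXT_IF="${EXT_IF:-hn0}"
INT_IF="${INT_IF:-hn1}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# The helpers take command output as text, so they work on live or captured output.

# forwarding_enabled "<sysctl -n net.inet.ip.forwarding>"  -> success when the value is 1
forwarding_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# pf_running "<pfctl -s info>"  -> success when pf reports itself enabled
pf_running() {
  printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# nat_rule_on_if "<pfctl -s nat>" IFACE  -> success when a nat rule is bound to IFACE
nat_rule_on_if() {
  printf '%s\n' "$1" | grep -Eq "^nat .*on $2 "
}

# count_rdr "<pfctl -s nat>"  -> prints the number of rdr rules loaded
count_rdr() {
  printf '%s\n' "$1" | grep -c '^rdr '
}

# if_has_inet "<ifconfig IFACE>"  -> success when the interface has an IPv4 address
if_has_inet() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

run_checks() {
  fail=0

  fwd=$(sysctl -n net.inet.ip.forwarding 2>/dev/null)
  forwarding_enabled "$fwd" || { echo "FAIL net.inet.ip.forwarding=$fwd, expected 1"; fail=1; }

  # pfctl -nf only parses the file; it loads nothing, so it is safe on a live box.
  pfctl -nf "$PF_CONF" >/dev/null 2>&1 || { echo "FAIL $PF_CONF does not parse (pfctl -nf)"; fail=1; }

  info=$(pfctl -s info 2>/dev/null)
  pf_running "$info" || { echo "FAIL pf is not enabled (pfctl -e; pf_enable=\"YES\" in rc.conf)"; fail=1; }

  nat=$(pfctl -s nat 2>/dev/null)
  nat_rule_on_if "$nat" "$EXT_IF" || { echo "FAIL no nat rule is loaded on $EXT_IF"; fail=1; }
  echo "INFO $(count_rdr "$nat") rdr rule(s) loaded"

  for ifn in "$EXT_IF" "$INT_IF"; do
    if_has_inet "$(ifconfig "$ifn" 2>/dev/null)" || { echo "FAIL $ifn has no IPv4 address"; fail=1; }
  done

  # ($ext_if:0) in the nat rule translates to the interface's non-alias address and
  # follows changes to it, so print what pf is currently translating to.
  echo "INFO address on $EXT_IF: $(ifconfig "$EXT_IF" 2>/dev/null | awk '/^[[:space:]]*inet / {print $2; exit}')"
  echo "INFO state entries: $(printf '%s\n' "$info" | awk '/current entries/ {print $3}')"
  echo "INFO watch the logged nat/rdr traffic with: tcpdump -n -e -ttt -i pflog0"
  return "$fail"
}

if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

Run it as `sh pfcheck.sh --run` on the gateway; a FAIL line names the layer to look at, and a clean run with nothing forwarded points at the traffic itself, where the pflog0 capture (the posted nat rule is already logged) shows whether packets arrive on hn1 and leave translated on hn0.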