Date:      Thu, 16 Mar 2017 08:17:08 -0700
From:      Ermal Luçi <eri@freebsd.org>
To:        Mike Tancsa <mike@sentex.net>
Cc:        Kristof Provost <kristof@sigsegv.be>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: pf bug with tun interfaces ?
Message-ID:  <CAPBZQG1O=v1CRTBjAK6r9wmqJmfxmKnovLR06_-FQL16nnaAsQ@mail.gmail.com>
In-Reply-To: <f864a792-dbed-4fe7-a51b-fc008f00cf2d@sentex.net>
References:  <1b605589-9642-ee92-fb9b-9ff5b4798316@sentex.net> <e1679f63-247c-1da6-8f57-30c5dd23304e@sentex.net> <AD6E6EB9-9FD8-4B9C-B401-2D750F17FA40@sigsegv.be> <6582cf37-08b0-9083-0c3e-1396a885d005@sentex.net> <CD5336F5-4146-4F2E-A92C-D74717979A92@sigsegv.be> <CAPBZQG1ERvAfB2XwXZN=hy0t9-DyUN8PT6JpR95Fp7YJqNtuxA@mail.gmail.com> <f864a792-dbed-4fe7-a51b-fc008f00cf2d@sentex.net>

On Thu, Mar 16, 2017 at 6:12 AM, Mike Tancsa <mike@sentex.net> wrote:

> On 3/16/2017 2:15 AM, Ermal Luçi wrote:
> >
> >
> > On Wed, Mar 15, 2017 at 7:33 PM, Kristof Provost <kristof@sigsegv.be
> > <mailto:kristof@sigsegv.be>> wrote:
> >
> >     On 15 Mar 2017, at 22:10, Mike Tancsa wrote:
> >
> >         On 3/15/2017 4:28 AM, Kristof Provost wrote:
> >
> >             I don’t see any obvious reason why that would happen.
> >
> >             Can you reduce this to a minimal test setup and include
> >             rc.conf, pf.conf, …
> >             with a bug report in bugzilla?
> >
> >
> >         is it possible that its how OpenVPN sets up the tun interface ?
> >         Otherwise nat via pf on ppp connections would not work either.
> >
> >     I’m not aware of anything, but I’m not very familiar with OpenVPN.
> >
> >
> > The only time this will not work is when tun interface does not have an
> > ip assigned.
> > So your rule will not work with (tun) syntax.
> >
> > Otherwise it does not depend on anything else other than general ifnet
> > What FreeBSD Version is this?
>
> RELENG_10. I will have to dig out an old image, but I am pretty sure I
> was able to do this on a RELENG_8 box.  The interface has an IP
> eg
>
> tun91: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
>         options=80000<LINKSTATE>
>         inet 10.61.0.1 --> 10.61.0.2 netmask 0xffffffff
>         Opened by PID 5778
>
> Not sure why it chooses such a netmask, but it does that.  I tried
> manually setting the natting IP, but no difference.
>

That is normal.
Can you please rename the tun interfaces to something like lan and wan?
It means you have to create the tun interfaces with ifconfig beforehand
and rename them.
To OpenVPN, just tell the interface statically in the config using tun100
and tun200.

I remember something like this related to group names being matched before
interface names
and messing up things.
But it's a wild guess for so little info.

Also, I noted that on the rules you posted in the igb/em case your nat rule
is with any,
while in the tun interfaces scenario your nat rule has the rdr re-written IP.
Not that it should matter,
but just something that came up.

What would help is to check that your nat rule is matching.
pfctl -vvsr

Check the counters for match and state: are they increasing?


>
>         ---Mike
>
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada   http://www.tancsa.com/
>



-- 
Ermal
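The counter check Ermal suggests above, as an added example that is not part of the thread: a POSIX shell script that takes two snapshots of `pfctl -vvsr` (or `pfctl -vvsn` for the translation rules) and reports, per rule, how much the Evaluations, Packets and States counters moved between them. A rule whose Evaluations climb while Packets and States stay flat is being reached but not matched, which is the case to look at when a nat rule on a tun interface silently does nothing. The two snapshot texts, the rule numbers and the interface names in them are constructed for the demo, not captured from anyone's box.

```shell
#!/bin/sh
# Added example (not from the thread): diff per-rule pf counters between two
# "pfctl -vvsr" / "pfctl -vvsn" snapshots to see whether a rule is matching.

# Constructed sample snapshots in pfctl -vv layout (rule line, then a
# "[ Evaluations: ... ]" counter line; the "[ Inserted: ... ]" line is ignored).
SNAP_BEFORE='@0 nat on tun100 inet from 10.61.0.0/24 to any -> (tun200)
  [ Evaluations: 40        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5778 State Creations: 0     ]
@1 pass in on tun100 inet all flags S/SA keep state
  [ Evaluations: 40        Packets: 120       Bytes: 9800        States: 3     ]
  [ Inserted: uid 0 pid 5778 State Creations: 3     ]'

SNAP_AFTER='@0 nat on tun100 inet from 10.61.0.0/24 to any -> (tun200)
  [ Evaluations: 75        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5778 State Creations: 0     ]
@1 pass in on tun100 inet all flags S/SA keep state
  [ Evaluations: 75        Packets: 260       Bytes: 21000       States: 5     ]
  [ Inserted: uid 0 pid 5778 State Creations: 5     ]'

# rule_counters: read pfctl -vv text on stdin, print "rule evals packets states"
# for each rule, keyed by the @N rule number pfctl prints.
rule_counters() {
    awk '
        /^@[0-9]+ / { rule = substr($1, 2); next }
        /Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "Packets:")     pk = $(i + 1)
                if ($i == "States:")      st = $(i + 1)
            }
            print rule, ev, pk, st
        }'
}

# counter_delta BEFORE AFTER: print "rule d_evals d_packets d_states verdict"
# per rule. MATCHING means packets or states moved; EVALUATED_NOT_MATCHED
# means pf reached the rule but nothing matched it; NOT_EVALUATED means the
# rule was never even consulted between the two snapshots.
counter_delta() {
    {
        printf '%s\n' "$1" | rule_counters
        echo '---'
        printf '%s\n' "$2" | rule_counters
    } | awk '
        $1 == "---" { phase = 1; next }
        phase == 0  { ev[$1] = $2; pk[$1] = $3; st[$1] = $4; next }
        {
            dev = $2 - ev[$1]; dpk = $3 - pk[$1]; dst = $4 - st[$1]
            if (dpk > 0 || dst > 0)   verdict = "MATCHING"
            else if (dev > 0)         verdict = "EVALUATED_NOT_MATCHED"
            else                      verdict = "NOT_EVALUATED"
            print $1, dev, dpk, dst, verdict
        }'
}

# Stand-alone run on the constructed snapshots. On a real box you would feed
# the output of "pfctl -vvsn" taken a minute apart instead of these strings.
counter_delta "$SNAP_BEFORE" "$SNAP_AFTER"
```

Run it against real output by capturing `pfctl -vvsn > before.txt`, generating some traffic over the tunnel, capturing again, and calling `counter_delta "$(cat before.txt)" "$(cat after.txt)"`. A nat rule that lands in EVALUATED_NOT_MATCHED is where the address match (for instance the `(tun)` interface syntax with no address assigned) deserves a second look.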


