From: Kevin Wilcox
To: Free BSD Questions list
Date: Fri, 16 Sep 2011 09:28:08 -0400
Subject: PF and dup-to?

Hi folks,

I have the following pf.conf on FreeBSD 8.1-RELEASE *and* 8.2-RELEASE

===============================
set block-policy return
set skip on lo

int_if=bge1
ext_if=bge0
dup_if=dc0

# NAT rule
nat on $ext_if from $int_if:network to any -> ($ext_if) sticky-address

#
# Windows RDP redirection...
#
# we have to stick a pass rule inside the rdr rule.
# I think it's nasty but it works.
#
rdr pass on $ext_if proto tcp from any to $ext_if port rdp -> 10.201.201.101

# same for the Apache test instance
rdr pass on $ext_if proto tcp from any to $ext_if port http -> 10.201.201.102

# And to proxy web traffic from the inside
# disabled temporarily
# rdr pass on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

# block everything
block in all
block out all

pass out quick on dc0

# allow everything from the NAT and any outbound connections from the FW
pass in on $int_if from any to any keep state
pass out on $ext_if from any to any keep state

#
# SSH
#
# allow inbound on the external interface
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state

#
# Windows Remote Desktop
#
pass out on $int_if proto tcp from any to 10.201.201.101 port rdp keep state

#
# Apache test instance
#
pass out on $int_if proto tcp from any to 10.201.201.102 port http keep state

#
# temp to allow any connections from the FW to come to the internal net;
# note this is inclusive of the above two pass out rules
pass out on $int_if from ($int_if) to 10.201.201.0/24
===============================

When I change

pass in on $int_if from any to any keep state

to

pass in on $int_if dup-to $dup_if from any to any keep state

or

pass in on $int_if dup-to ($dup_if 192.168.1.2) all

all traffic to the outside stops passing. In addition, I get a TON of kernel messages:

arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222

My understanding of dup-to is that it should allow the interface to basically act as a span port - the original traffic gets passed via normal routing rules and a copy of each packet gets sent out $dup_if and should be visible via tcpdump on the other end - but a tcpdump of dc0 doesn't see the traffic ever leaving the interface.

Apparently I have a fundamental misunderstanding somewhere along the way, or I've been looking at this for far too long over the last few days and I'm missing something extremely basic.

I'll test with another laptop with a different configuration and reply back with any success I find.

Thanks!

kmw
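A note on reading those kernel messages, with a small added script that is not part of the post above. In pf's route code, a dup-to without an explicit next-hop address hands the copied packet to the named interface with the packet's *original* destination as the next hop, so the kernel then tries to ARP for 10.201.201.1 or 152.10.2.222 on dc0; `arpresolve: can't allocate llinfo for X` is the kernel reporting that it has no way to resolve X on that link. Giving dup-to an address that is on dc0's own subnet (the `dup-to ($dup_if 192.168.1.2)` form) avoids that, provided dc0 actually carries an address in that subnet. The copied packet is also filtered again outbound on the dup interface, which is what the post's `pass out quick on dc0` rule is for. The script below parses a constructed sample of those messages (same addresses as the post, plus one unrelated line), splits the failing destinations into on-link and off-link for the dup interface, and checks whether a proposed next hop is on-link; the dc0 prefix (192.168.1.1/24) and the sensor address (192.168.1.2) are assumptions, not values from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of the kernel messages quoted in the post (same addresses,
# plus one unrelated line to show the parser ignores it). Not a real dmesg capture.
SAMPLE_DMESG = """\
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222
arpresolve: can't allocate llinfo for 10.201.201.1
arpresolve: can't allocate llinfo for 152.10.2.222
dc0: link state changed to UP
"""

# Message format from FreeBSD's arpresolve(); the address is the destination
# the kernel tried (and failed) to resolve on the outgoing interface.
ARP_FAIL_RE = re.compile(r"arpresolve: can't allocate llinfo for (\S+)")


def parse_arp_failures(text):
    """Count arpresolve failures per destination address (keys are strings)."""
    counts = Counter()
    for line in text.splitlines():
        m = ARP_FAIL_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # skip anything that is not a well-formed address
        counts[str(addr)] += 1
    return counts


def classify(failures, dup_if_cidr, next_hop=None):
    """Split failing destinations into on-link / off-link for the dup interface.

    dup_if_cidr is the address/prefix configured on $dup_if (assumed here;
    confirm with ifconfig). An off-link destination can never be ARPed on that
    link, which is what a dup-to without a next-hop address asks for. If
    next_hop (the address in a dup-to (ifname addr) rule) is given, report
    whether it is on-link, since the sensor only sees copies if it is.
    """
    net = ipaddress.ip_interface(dup_if_cidr).network
    report = {"on_link": {}, "off_link": {}, "next_hop_on_link": None}
    for addr, n in failures.items():
        bucket = "on_link" if ipaddress.ip_address(addr) in net else "off_link"
        report[bucket][addr] = n
    if next_hop is not None:
        report["next_hop_on_link"] = ipaddress.ip_address(next_hop) in net
    return report


def suggested_rule(int_if, dup_if, next_hop):
    """pf rule mirroring inbound $int_if traffic to an on-link sensor address."""
    return f"pass in on {int_if} dup-to ({dup_if} {next_hop}) all"


if __name__ == "__main__":
    failures = parse_arp_failures(SAMPLE_DMESG)
    # Assumed: dc0 is 192.168.1.1/24 and the capture box is 192.168.1.2
    report = classify(failures, "192.168.1.1/24", next_hop="192.168.1.2")
    for bucket in ("on_link", "off_link"):
        for addr, n in sorted(report[bucket].items()):
            print(f"{bucket:8s} {addr:16s} {n} failures")
    print("next hop on-link:", report["next_hop_on_link"])
    if report["next_hop_on_link"]:
        print(suggested_rule("$int_if", "dc0", "192.168.1.2"))
```

Run it against real output from `dmesg` by replacing `SAMPLE_DMESG` with the captured text and `dup_if_cidr` with the prefix `ifconfig dc0` shows; every destination that lands in `off_link` is one the kernel can only reach through an on-link next hop, so the dup-to rule needs the `(ifname addr)` form with an address inside that prefix.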