From: Christoph Egger
To: freebsd-questions@freebsd.org
Date: Sat, 07 Dec 2013 16:22:10 +0100
Subject: pf blocking too much
Message-ID: <87wqjgfzz1.fsf@anonymous.siccegge.de>
List-Id: User questions (freebsd-questions@freebsd.org)

Hi!

I have a (unfortunately) somewhat complex PF setup dropping too much in the end.
Basically there are 3 DSL links (tun{0..3}) and FreeBSD routes traffic from the internal network through these links, doing some load-balancing. Not a very elegant setup, but it works.

Now I'm trying to set up a 6in4 tunnel (HE.net). After creating the gif interface, routing etc. and starting ping on the local network to some system outside, I can see the outgoing traffic pass gif0, then the DSL/tun link, and arrive on the pinged system. However, the returning traffic comes in through the DSL/tun and disappears before reaching the gif. (All according to tcpdump on the interfaces.)

Can someone help me figure out what goes wrong here?

Thanks

Christoph

##################################################
ext_if_1=tun0
ext_if_2=tun1
ext_if_3=tun2
int_if=bce0
int_net="10.0.0.0/8"
ext_gw_1="192.168.0.1"
ext_gw_2="192.168.0.2"
ext_gw_3="192.168.0.3"

set limit states 20000
set ruleset-optimization basic
set timeout src.track 3600
set block-policy return

#############################################
# Activate NAT
nat on $ext_if_1 from $int_net to any -> $ext_if_1 source-hash
nat on $ext_if_2 from $int_net to any -> $ext_if_2 source-hash
nat on $ext_if_3 from $int_net to any -> $ext_if_3 source-hash

########################################################
# IPv6 Tunnel
#
#pass in quick from 216.66.80.30
#pass out quick to 216.66.80.30
#pass quick on gif0 keep state
#pass in quick from 2001:470:1f0a:102b::1
#
#pass out quick on gif0
#pass quick on gif0 proto ipv6-icmp all keep state
#pass quick on gif0 inet6
#pass quick on gif0 inet all
#pass quick on gif0 inet6 proto ipv6-icmp all
#pass out quick on gif0 inet6 all

##########################################################
# Handle local stuff
pass out quick on $int_if to $int_net
pass in quick on $int_if from $int_net to $int_if

#######################################################
# Load balancing to the DSL lanes
pass in on $int_if route-to { ($ext_if_1 $ext_gw_1) ($ext_if_2 $ext_gw_2) ($ext_if_3 $ext_gw_3) } round-robin sticky-address
#########################################################
# Handle stuff coming in on DSL
pass in on $ext_if_1 reply-to ($ext_if_1 $ext_gw_1) keep state
pass in on $ext_if_2 reply-to ($ext_if_2 $ext_gw_2) keep state
pass in on $ext_if_3 reply-to ($ext_if_3 $ext_gw_3) keep state

#####################################
# Deal with misdirected packets
pass out on $ext_if_1 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
pass out on $ext_if_3 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
pass out on $ext_if_1 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
pass out on $ext_if_2 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
pass out on $ext_if_2 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
pass out on $ext_if_3 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
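One property of the ruleset above that is worth checking once an IPv6 tunnel is added: none of the route-to/reply-to rules carries an `inet` or `inet6` keyword, and a pf rule without an address-family keyword matches IPv4 and IPv6 packets alike, while its gateway (all of them 192.168.0.x here) can only forward packets of its own family. The following linter is an added example written for this editor's notes, not code from the post or from the pf project; it expands the macros, finds every rule with a `route-to`, `reply-to` or `dup-to` gateway, and reports the ones whose family is not pinned by an `inet`/`inet6` keyword or by a literal `from`/`to` address. The embedded ruleset is a constructed copy of the post's rules with the commented-out IPv6 section left out; the regular expressions are a simplified reading of pf.conf syntax, not a full parser.

```python
"""Lint a pf.conf ruleset for route-to/reply-to rules whose gateway is one
address family but which carry no `inet`/`inet6` keyword, so they match both.

Added example, not part of the mailing-list post.  pf semantics relied on:
a rule with no address-family keyword matches IPv4 and IPv6 alike, and a
route-to/reply-to gateway can only carry packets of its own family.  The
ruleset below is a constructed copy of the post's rules (IPv6 section
omitted, since every line of it is commented out).
"""
import ipaddress
import re

RULESET = """\
ext_if_1=tun0
ext_if_2=tun1
ext_if_3=tun2
int_if=bce0
int_net="10.0.0.0/8"
ext_gw_1="192.168.0.1"
ext_gw_2="192.168.0.2"
ext_gw_3="192.168.0.3"
set limit states 20000
set block-policy return
nat on $ext_if_1 from $int_net to any -> $ext_if_1 source-hash
nat on $ext_if_2 from $int_net to any -> $ext_if_2 source-hash
nat on $ext_if_3 from $int_net to any -> $ext_if_3 source-hash
pass out quick on $int_if to $int_net
pass in quick on $int_if from $int_net to $int_if
pass in on $int_if route-to { ($ext_if_1 $ext_gw_1) ($ext_if_2 $ext_gw_2) ($ext_if_3 $ext_gw_3) } round-robin sticky-address
pass in on $ext_if_1 reply-to ($ext_if_1 $ext_gw_1) keep state
pass in on $ext_if_2 reply-to ($ext_if_2 $ext_gw_2) keep state
pass in on $ext_if_3 reply-to ($ext_if_3 $ext_gw_3) keep state
pass out on $ext_if_1 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
pass out on $ext_if_3 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
pass out on $ext_if_1 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
pass out on $ext_if_2 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
pass out on $ext_if_2 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
pass out on $ext_if_3 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
"""

MACRO_RE = re.compile(r"^(\w+)=(.*)$")
AF_RE = re.compile(r"\b(inet6?)\b")
RT_RE = re.compile(r"\b(route-to|reply-to|dup-to)\b")
# the gateway spec following the keyword: { (if gw) ... }, (if gw) or a bare word
TARGET_RE = re.compile(r"\s*(\{[^}]*\}|\([^)]*\)|\S+)")


def parse_macros(text):
    """Collect NAME=value macro definitions (surrounding quotes stripped)."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line.split("#", 1)[0].strip())
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
    return macros


def expand(line, macros):
    """Substitute $name references; unknown macros are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)


def address_families(text):
    """IP versions of every literal address or CIDR prefix found in text."""
    fams = set()
    for tok in re.split(r"[\s(){}]+", text):
        try:
            fams.add(ipaddress.ip_network(tok, strict=False).version)
        except ValueError:
            continue  # interface names, keywords, empty tokens
    return fams


def lint(text):
    """Return (line_no, expanded_rule, message) for each rule that needs an af."""
    macros = parse_macros(text)
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or MACRO_RE.match(line) or line.startswith("set "):
            continue
        rule = expand(line, macros)
        m = RT_RE.search(rule)
        if m is None:
            continue  # plain filter or nat rule: no gateway to check
        t = TARGET_RE.match(rule, m.end())
        gw_fams = address_families(t.group(1))
        if len(gw_fams) != 1:
            continue  # no literal gateway, or one gateway per family
        (gw_ver,) = gw_fams
        af = AF_RE.search(rule)
        if af:
            rule_ver = 6 if af.group(1) == "inet6" else 4
            if rule_ver != gw_ver:
                findings.append((no, rule, f"{af.group(1)} rule uses an IPv{gw_ver} {m.group(1)} gateway"))
            continue
        # from/to literals (everything outside the gateway spec) also pin the family
        if len(address_families(rule[: m.start()] + rule[t.end():])) == 1:
            continue
        kw = "inet" if gw_ver == 4 else "inet6"
        findings.append((no, rule, f"{m.group(1)} gateway is IPv{gw_ver} but the rule matches both families; add '{kw}'"))
    return findings


if __name__ == "__main__":
    for no, rule, msg in lint(RULESET):
        print(f"line {no}: {msg}\n    {rule}")
```

Run against the embedded ruleset it reports the load-balancing `route-to` rule, the three `reply-to` rules and the six misdirection rules, i.e. every rule that would also catch IPv6 packets once gif0 is up. Whether such a match is what drops the tunnel's return traffic in this particular setup is not something the linter can decide; it only points at the rules whose address family should be stated explicitly before looking further (pfctl -vvsr and pflog are the next place to look).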