From owner-freebsd-questions@FreeBSD.ORG  Sat Dec  7 15:19:40 2013
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id ECA54667
 for <freebsd-questions@freebsd.org>; Sat,  7 Dec 2013 15:19:39 +0000 (UTC)
Received: from 1und1.siccegge.de (unknown [IPv6:2a01:198:200:500::2])
 (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id A885F13AF
 for <freebsd-questions@freebsd.org>; Sat,  7 Dec 2013 15:19:39 +0000 (UTC)
Received: from hepworth.siccegge.de ([2001:4dd0:ff00:8384::4] helo=hepworth)
 by 1und1.siccegge.de with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
 (Exim 4.80) (envelope-from <christoph@christoph-egger.org>)
 id 1VpJfC-00063j-0X
 for freebsd-questions@freebsd.org; Sat, 07 Dec 2013 16:19:28 +0100
From: Christoph Egger <christoph@sieglitzhof.net>
To: freebsd-questions@freebsd.org
Organization: Privat
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
Date: Sat, 07 Dec 2013 16:22:10 +0100
Message-ID: <87wqjgfzz1.fsf@anonymous.siccegge.de>
MIME-Version: 1.0
Content-Type: text/plain
X-SA-Exim-Connect-IP: 2001:4dd0:ff00:8384::4
X-SA-Exim-Mail-From: christoph@christoph-egger.org
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on 1und1.siccegge.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.5 required=5.0 tests=ALL_TRUSTED,BAYES_05
 autolearn=ham version=3.3.2
Subject: pf blocking too much
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on 1und1.siccegge.de)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2013 15:19:40 -0000

Hi!

  I have a (unfortunately) somewhat complex PF setup dropping too much
in the End. Baiscally there are 3 DSL links (tun{0..3}) and the FreeBSD
routes traffic from the internal network through these links doing some
load-balancing. Not very elegant setup, but it works.

  Now I'm trying to set up a 6in4 tunnel (HE.net). Creating the gif
interface, routing usw and starting ping on the local network to some
system outside I can see the outgoing traffic pass gif0, then the
DSL/tun link and on the ping'ed system. However the returning traffic
comes in through the DSL/tun and disappears before reaching the
gif. (All according to tcpdump on the interfaces)

  Can someone help me figure out what goes wrong here?

Thanks

  Christoph

##################################################
ext_if_1=tun0
ext_if_2=tun1
ext_if_3=tun2
int_if=bce0

int_net="10.0.0.0/8"
ext_gw_1="192.168.0.1"
ext_gw_2="192.168.0.2"
ext_gw_3="192.168.0.3"

set limit states 20000
set ruleset-optimization basic
set timeout src.track 3600
set block-policy return

#############################################
# Activate NAT

nat on $ext_if_1 from $int_net to any -> $ext_if_1 source-hash
nat on $ext_if_2 from $int_net to any -> $ext_if_2 source-hash
nat on $ext_if_3 from $int_net to any -> $ext_if_3 source-hash

########################################################
# IPv6 Tunnel
#
#pass in quick from 216.66.80.30
#pass out quick to 216.66.80.30
#pass quick on gif0 keep state
#pass in quick from 2001:470:1f0a:102b::1 
#
#pass out quick on gif0
#pass quick on gif0 proto ipv6-icmp all keep state
#pass quick on gif0 inet6
#pass quick on gif0 inet all
#pass quick on gif0 inet6 proto ipv6-icmp all
#pass out quick on gif0 inet6 all

##########################################################
# Handle local stuff

pass out quick on $int_if to   $int_net
pass in  quick on $int_if from $int_net to $int_if


#######################################################
# Load balancing to the DSL lanes

pass in on $int_if route-to {
	($ext_if_1 $ext_gw_1)
	($ext_if_2 $ext_gw_2)
	($ext_if_3 $ext_gw_3)
} round-robin sticky-address

#########################################################
# Handle stuff coming in on DSL

pass in on $ext_if_1 reply-to ($ext_if_1 $ext_gw_1) keep state
pass in on $ext_if_2 reply-to ($ext_if_2 $ext_gw_2) keep state
pass in on $ext_if_3 reply-to ($ext_if_3 $ext_gw_3) keep state

#####################################
# Deal with misdirected packages

pass out on $ext_if_1 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
pass out on $ext_if_3 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2

pass out on $ext_if_1 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
pass out on $ext_if_2 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3

pass out on $ext_if_2 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
pass out on $ext_if_3 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1