From owner-freebsd-pf@FreeBSD.ORG Sat Sep 10 16:08:21 2011
Date: Sat, 10 Sep 2011 18:08:10 +0200
From: Daniel Hartmeier
To: Mario Lobo
Cc: freebsd-pf@freebsd.org
Subject: Re: VPN problem
Message-ID: <20110910160810.GB29437@insomnia.benzedrine.cx>
In-Reply-To: <201109101042.53575.lobo@bsd.com.br>
References: <201109101042.53575.lobo@bsd.com.br>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sat, Sep 10, 2011 at 10:42:53AM -0300, Mario Lobo wrote:

> Sep 10 10:27:16 lobos kernel: pf_map_addr: selected address 177.17.68.103
> Sep 10 10:27:49 lobos last message repeated 83 times
> Sep 10 10:28:59 lobos last message repeated 283 times

This looks as if you're not allowing the packet out after NAT, so each
subsequent packet also causes a pf_map_addr() call, instead of creating a
state entry.

Make sure you have a rule like

  pass out on $ext_if from ($ext_if) ...

Do you see any state entry related to your VPN connection? Run

  pfctl -vvss

after the connection attempt.

It helps debugging if you add

  block log

as the very first rule, then make sure all other block rules (if any) also
have 'log'. Then reproduce the problem while running

  tcpdump -s 1600 -nvvveeetttpi pflog0

Now you'll see any packet being dropped by pf. Do you see any?

Daniel
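As an added illustration of the ruleset layout Daniel's reply asks for (this fragment is not from his message or from Mario's configuration), the pf.conf below puts a logging block rule first, NATs a VPN client subnet out of the external interface, and passes the translated packets out with a state-creating rule. The interface names em0 and tun0 and the subnet 10.8.0.0/24 are assumptions chosen only to make the fragment complete; the two diagnostic commands in the comments are the ones from the reply.

```pf
# Added example, not the poster's ruleset. The interface names and the
# VPN client subnet are assumptions made so the fragment loads as-is.
ext_if  = "em0"           # assumed external interface
vpn_if  = "tun0"          # assumed VPN tunnel interface
vpn_net = "10.8.0.0/24"   # assumed VPN client subnet

set skip on lo0

# Translate VPN client traffic leaving the external interface to that
# interface's current address; ($ext_if) follows the address if it changes.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Very first filter rule: block and log everything. Every block rule
# carries 'log', so each dropped packet is written to pflog0 and shows up in
#   tcpdump -s 1600 -nvvveeetttpi pflog0
block log all

# Let VPN clients in through the tunnel interface.
pass in on $vpn_if from $vpn_net to any keep state

# The rule the reply asks for. After NAT the packet's source is the
# external address, so 'from ($ext_if)' matches it; the first packet of a
# connection creates a state entry, which
#   pfctl -vvss
# lists, and later packets match that state instead of the rule set.
pass out on $ext_if from ($ext_if) to any keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; with the block rule logging, anything pf drops on the VPN path is visible on pflog0 while the state table is inspected with `pfctl -vvss`.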