From owner-freebsd-net@freebsd.org Tue Mar 2 13:36:14 2021
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 248474] if_ipsec: NAT broken on IPsec/VTI
Date: Tue, 02 Mar 2021 13:36:13 +0000
X-Bugzilla-Who: jimp@netgate.com
X-Bugzilla-Product: Base System
X-Bugzilla-Component: misc
X-Bugzilla-Status: Open
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Assigned-To: net@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Networking and TCP/IP with FreeBSD

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

--- Comment #39 from jimp@netgate.com ---

(In reply to Kevin Ong from comment #33)

You're missing a couple of sysctl OIDs.
For the default enc0 filtering mode, use the following sysctl values:

net.inet.ipsec.filtertunnel = 0x0000
net.inet6.ipsec6.filtertunnel = 0x0000
net.enc.out.ipsec_bpf_mask = 0x0001
net.enc.out.ipsec_filter_mask = 0x0001
net.enc.in.ipsec_bpf_mask = 0x0002
net.enc.in.ipsec_filter_mask = 0x0002

For if_ipsec filtering:

net.inet.ipsec.filtertunnel = 0x0001
net.inet6.ipsec6.filtertunnel = 0x0001
net.enc.out.ipsec_bpf_mask = 0x0000
net.enc.out.ipsec_filter_mask = 0x0000
net.enc.in.ipsec_bpf_mask = 0x0000
net.enc.in.ipsec_filter_mask = 0x0000

(In reply to jeremy.mordkoff from comment #35)

Since the sysctl OIDs mentioned in this thread control whether you filter only on *either* enc0 or the if_ipsec interfaces and not both at once, depending on the sysctl values, you need to set up rules on the if_ipsec interfaces to let the VTI traffic pass. At the moment, pfSense software doesn't have a way to let you do that. There is a patch on https://redmine.pfsense.org/issues/11395 which lets you choose to either filter on enc0 (for tunnel mode + basic VTI traffic) or filter on if_ipsec (full VTI filtering capabilities, including NAT, but drops all tunnel mode traffic). The VTI filtering mode exposes firewall rule tabs for assigned VTI interfaces which will allow you to do what you want.

For info on how to use that or other issues specific to pfSense software you should post on the Netgate forum for assistance.

I'd still prefer there be a way to do both at once, but at least having a choice in the behavior is better than it being completely broken.

-- 
You are receiving this mail because:
You are the assignee for the bug.
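The script below is an added example and is not code from the bug report, FreeBSD or pfSense. It encodes the two OID sets from comment #39, prints them in the "oid=value" form that /etc/sysctl.conf and `sysctl` accept for a chosen mode, and classifies a host's current values (parsed from the "oid: value" lines that `sysctl` prints) as enc0, if_ipsec, or mixed, so an operator can confirm which interface is actually being filtered before writing rules. The function names and the sample dumps are constructed for this example; the values are given in decimal and the parser also accepts the 0x form used in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report or pfSense): work with the six
# sysctl OIDs that select enc0 vs. if_ipsec filtering on FreeBSD.
# Function names and the sample dumps below are constructed for this example.

# OIDs in a fixed order, and the expected value of each per mode
# (decimal; comment #39 lists the same values in hex).
OIDS="net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel \
net.enc.out.ipsec_bpf_mask net.enc.out.ipsec_filter_mask \
net.enc.in.ipsec_bpf_mask net.enc.in.ipsec_filter_mask"
ENC0_VALUES="0 0 1 1 2 2"
IFIPSEC_VALUES="1 1 0 0 0 0"

# print_mode_settings MODE
# Emit "oid=value" lines for MODE (enc0 | if_ipsec), the form accepted by
# /etc/sysctl.conf and by `sysctl oid=value`.
print_mode_settings() {
    case "$1" in
        enc0)     vals=$ENC0_VALUES ;;
        if_ipsec) vals=$IFIPSEC_VALUES ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
    set -- $vals
    for oid in $OIDS; do
        printf '%s=%s\n' "$oid" "$1"
        shift
    done
}

# classify_from_dump DUMP
# DUMP holds "oid: value" lines as printed by `sysctl <oid> ...`; values may
# be decimal or 0x-hex. Prints enc0, if_ipsec, or mixed (neither documented
# set, i.e. a state worth investigating) and fails if an OID is absent.
classify_from_dump() {
    dump=$1
    actual=""
    for oid in $OIDS; do
        v=$(printf '%s\n' "$dump" | awk -v k="$oid" -F': ' '$1 == k { print $2 }')
        [ -n "$v" ] || { echo "missing $oid" >&2; return 1; }
        actual="$actual $(( $v ))"     # arithmetic expansion normalises 0x0001 -> 1
    done
    actual=${actual# }
    case "$actual" in
        "$ENC0_VALUES")    echo enc0 ;;
        "$IFIPSEC_VALUES") echo if_ipsec ;;
        *)                 echo mixed ;;
    esac
}

# classify_live: the same check against the running kernel (FreeBSD only).
classify_live() {
    classify_from_dump "$(sysctl $OIDS 2>/dev/null)"
}

# Constructed sample dumps in the format `sysctl <oid>` prints.
SAMPLE_ENC0='net.inet.ipsec.filtertunnel: 0
net.inet6.ipsec6.filtertunnel: 0
net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 2
net.enc.in.ipsec_filter_mask: 2'

SAMPLE_IFIPSEC='net.inet.ipsec.filtertunnel: 0x0001
net.inet6.ipsec6.filtertunnel: 0x0001
net.enc.out.ipsec_bpf_mask: 0x0000
net.enc.out.ipsec_filter_mask: 0x0000
net.enc.in.ipsec_bpf_mask: 0x0000
net.enc.in.ipsec_filter_mask: 0x0000'

# filtertunnel switched on but the enc masks left at their enc0 values
SAMPLE_MIXED='net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec6.filtertunnel: 1
net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 2
net.enc.in.ipsec_filter_mask: 2'

# Stand-alone run: show the if_ipsec settings and classify the mixed sample.
print_mode_settings if_ipsec
classify_from_dump "$SAMPLE_MIXED"
```

On a FreeBSD host, `classify_live` reads the real values; piping `print_mode_settings if_ipsec` into /etc/sysctl.conf (or feeding each line to `sysctl`) switches modes, after which the pf rules on the if_ipsec interfaces must exist or the VTI traffic is dropped, as the comment describes.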