Date: Sat, 07 Dec 2013 16:22:10 +0100
From: Christoph Egger <christoph@sieglitzhof.net>
To: freebsd-questions@freebsd.org
Subject: pf blocking too much
Message-ID: <87wqjgfzz1.fsf@anonymous.siccegge.de>
Hi!

I have a (unfortunately) somewhat complex PF setup dropping too much in the end. Basically there are 3 DSL links (tun{0..3}) and the FreeBSD routes traffic from the internal network through these links doing some load-balancing. Not very elegant setup, but it works.

Now I'm trying to set up a 6in4 tunnel (HE.net). Creating the gif interface, routing etc. and starting ping on the local network to some system outside I can see the outgoing traffic pass gif0, then the DSL/tun link and on the pinged system. However the returning traffic comes in through the DSL/tun and disappears before reaching the gif. (All according to tcpdump on the interfaces)

Can someone help me figure out what goes wrong here?

Thanks

Christoph

##################################################
ext_if_1=tun0
ext_if_2=tun1
ext_if_3=tun2
int_if=bce0
int_net="10.0.0.0/8"
ext_gw_1="192.168.0.1"
ext_gw_2="192.168.0.2"
ext_gw_3="192.168.0.3"

set limit states 20000
set ruleset-optimization basic
set timeout src.track 3600
set block-policy return

#############################################
# Activate NAT
nat on $ext_if_1 from $int_net to any -> $ext_if_1 source-hash
nat on $ext_if_2 from $int_net to any -> $ext_if_2 source-hash
nat on $ext_if_3 from $int_net to any -> $ext_if_3 source-hash

########################################################
# IPv6 Tunnel
#
#pass in quick from 216.66.80.30
#pass out quick to 216.66.80.30
#pass quick on gif0 keep state
#pass in quick from 2001:470:1f0a:102b::1
#
#pass out quick on gif0
#pass quick on gif0 proto ipv6-icmp all keep state
#pass quick on gif0 inet6
#pass quick on gif0 inet all
#pass quick on gif0 inet6 proto ipv6-icmp all
#pass out quick on gif0 inet6 all

##########################################################
# Handle local stuff
pass out quick on $int_if to $int_net
pass in quick on $int_if from $int_net to $int_if

#######################################################
# Load balancing to the DSL lanes
pass in on $int_if route-to { ($ext_if_1 $ext_gw_1) ($ext_if_2 $ext_gw_2) ($ext_if_3 $ext_gw_3) } round-robin sticky-address

#########################################################
# Handle stuff coming in on DSL
pass in on $ext_if_1 reply-to ($ext_if_1 $ext_gw_1) keep state
pass in on $ext_if_2 reply-to ($ext_if_2 $ext_gw_2) keep state
pass in on $ext_if_3 reply-to ($ext_if_3 $ext_gw_3) keep state

#####################################
# Deal with misdirected packages
pass out on $ext_if_1 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
pass out on $ext_if_3 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
pass out on $ext_if_1 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
pass out on $ext_if_2 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
pass out on $ext_if_2 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
pass out on $ext_if_3 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
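Added example, not part of Christoph's mail or of the FreeBSD project: a small Python checker that expands the macros of a pf ruleset and lists the pass/block rules carrying neither an inet/inet6 keyword nor a literal address after from/to. pf applies such rules to both address families, so with a 6in4 tunnel each is evaluated once for the encapsulated proto-41 IPv4 packet on the tun interface and again for the decapsulated IPv6 packet on gif0; the ruleset inside the block is a constructed subset of the one above, and the parser assumes the simple syntax seen there (no address lists or tables).

```python
import re

# Constructed excerpt of the ruleset from the mail (two DSL links instead of three).
SAMPLE_RULESET = """\
ext_if_1=tun0
ext_if_2=tun1
int_if=bce0
int_net="10.0.0.0/8"
ext_gw_1="192.168.0.1"
ext_gw_2="192.168.0.2"
set block-policy return
pass out quick on $int_if to $int_net
pass in on $int_if route-to { ($ext_if_1 $ext_gw_1) ($ext_if_2 $ext_gw_2) } round-robin sticky-address
pass in on $ext_if_1 reply-to ($ext_if_1 $ext_gw_1) keep state
pass quick on gif0 inet6 proto ipv6-icmp all
"""
MACRO_RE = re.compile(r'^(\w+)=("?)(.*?)\2$')
IPV4_RE = re.compile(r'^\d+\.\d+\.\d+\.\d+(/\d+)?$')

def expand_macros(text):
    """Drop comments, collect name=value macros, substitute $name in the remaining lines."""
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(3)
        else:
            rules.append(re.sub(r'\$(\w+)', lambda mm: macros[mm.group(1)], line))
    return rules

def rule_family(rule):
    """'inet', 'inet6' or 'both': keyword or literal from/to address fixes the family."""
    toks = rule.split()
    if 'inet6' in toks:
        return 'inet6'
    if 'inet' in toks:
        return 'inet'
    # Only from/to operands count; route-to/reply-to gateway addresses do not narrow the family.
    addrs = [toks[i + 1] for i, t in enumerate(toks) if t in ('from', 'to') and i + 1 < len(toks)]
    if any(':' in a for a in addrs):
        return 'inet6'
    return 'inet' if any(IPV4_RE.match(a) for a in addrs) else 'both'

def unqualified_rules(text):
    """pass/block rules pf evaluates for both families: once for the proto-41 IPv4
    packet on tun and again for the decapsulated IPv6 packet on gif0."""
    return [r for r in expand_macros(text)
            if r.split()[0] in ('pass', 'block') and rule_family(r) == 'both']
```

Running unqualified_rules(SAMPLE_RULESET) reports the round-robin route-to rule on bce0 and the reply-to rule on tun0 as family-agnostic, while the NAT-style rule to 10.0.0.0/8 and the inet6 rule on gif0 are not listed.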