pf bug with tun interfaces ?

Ermal Luçi eri at freebsd.org
Thu Mar 16 15:17:10 UTC 2017


On Thu, Mar 16, 2017 at 6:12 AM, Mike Tancsa <mike at sentex.net> wrote:

> On 3/16/2017 2:15 AM, Ermal Luçi wrote:
> >
> >
> > On Wed, Mar 15, 2017 at 7:33 PM, Kristof Provost <kristof at sigsegv.be
> > <mailto:kristof at sigsegv.be>> wrote:
> >
> >     On 15 Mar 2017, at 22:10, Mike Tancsa wrote:
> >
> >         On 3/15/2017 4:28 AM, Kristof Provost wrote:
> >
> >             I don’t see any obvious reason why that would happen.
> >
> >             Can you reduce this to a minimal test setup and include
> >             rc.conf, pf.conf, …
> >             with a bug report in bugzilla?
> >
> >
> >         Is it possible that it's how OpenVPN sets up the tun interface?
> >         Otherwise nat via pf on ppp connections would not work either.
> >
> >     I’m not aware of anything, but I’m not very familiar with OpenVPN.
> >
> >
> > The only time this will not work is when the tun interface does not have
> > an IP assigned.
> > So your rule will not work with the (tun) syntax.
> >
> > Otherwise it does not depend on anything else other than general ifnet.
> > What FreeBSD version is this?
>
> RELENG_10. I will have to dig out an old image, but I am pretty sure I
> was able to do this on a RELENG_8 box.  The interface has an IP
> eg
>
> tun91: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu
> 1500
>         options=80000<LINKSTATE>
>         inet 10.61.0.1 --> 10.61.0.2 netmask 0xffffffff
>         Opened by PID 5778
>
> Not sure why it chooses such a netmask, but it does that.  I tried
> manually setting the natting IP, but no difference.
>

That is normal.
Can you please rename the tun interfaces to something like lan and wan?
It means you have to create the tun interfaces with ifconfig beforehand
and rename them.
For openvpn, just specify the interface statically in the config using tun100
and tun200.

I remember something like this related to group names being matched before
interface names
and messing up things.
But it's a wild guess with so little info.

Also, I noted that in the rules you posted for the igb/em case your nat rule
is with any,
while in the tun interfaces scenario your nat rule has the rdr re-written IP.
Not that it should matter,
but it is just something that stood out.

What would help is to check that your nat rule is matching:
pfctl -vvsr

Check the counters for match and state: are they increasing?


>
>         ---Mike
>
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada   http://www.tancsa.com/
>



-- 
Ermal
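Ermal's last suggestion is to watch whether the nat rule's counters move. As an added example that is not from this thread, a POSIX sh helper that compares two `pfctl -vv` rule listings (constructed here in the per-rule counter format pfctl prints; interface names, addresses and counter values are made up) and reports whether a given rule's Packets counter grew between them.

```shell
# Constructed snapshots in the format "pfctl -vv" prints after each rule it
# lists: taken before and after pushing traffic through the tunnel. Interface
# names, addresses and counter values are made up for this example.
SNAP_BEFORE='@0 nat on tun91 inet from 192.168.0.0/24 to any -> 10.61.0.1
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5778 State Creations: 0     ]
@1 pass in on tun91 all flags S/SA keep state
  [ Evaluations: 300       Packets: 1200      Bytes: 98000       States: 2     ]
  [ Inserted: uid 0 pid 5778 State Creations: 4     ]'
SNAP_AFTER='@0 nat on tun91 inet from 192.168.0.0/24 to any -> 10.61.0.1
  [ Evaluations: 180       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5778 State Creations: 0     ]
@1 pass in on tun91 all flags S/SA keep state
  [ Evaluations: 360       Packets: 1500      Bytes: 120000      States: 3     ]
  [ Inserted: uid 0 pid 5778 State Creations: 5     ]'

# counters SNAPSHOT: one line per rule, "rule text|evaluations|packets|states"
counters() {
  printf '%s\n' "$1" | awk '
    /^@[0-9]+ / { rule = $0; sub(/^@[0-9]+ /, "", rule) }
    /Evaluations:/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "Evaluations:") ev = $(i + 1)
        if ($i == "Packets:")     pk = $(i + 1)
        if ($i == "States:")      st = $(i + 1)
      }
      printf "%s|%s|%s|%s\n", rule, ev, pk, st
    }'
}

# rule_delta BEFORE AFTER RULE_SUBSTRING: "matched" when the rule's Packets
# counter grew between the snapshots, "evaluated-only" when only Evaluations
# grew (pf looked at the rule but it never applied), "idle" when neither did.
rule_delta() {
  b=$(counters "$1" | grep -F -- "$3" | head -n 1)
  a=$(counters "$2" | grep -F -- "$3" | head -n 1)
  if [ -z "$b" ] || [ -z "$a" ]; then echo "no-such-rule"; return; fi
  bev=$(printf '%s\n' "$b" | cut -d'|' -f2); aev=$(printf '%s\n' "$a" | cut -d'|' -f2)
  bpk=$(printf '%s\n' "$b" | cut -d'|' -f3); apk=$(printf '%s\n' "$a" | cut -d'|' -f3)
  if [ "$apk" -gt "$bpk" ]; then echo "matched"
  elif [ "$aev" -gt "$bev" ]; then echo "evaluated-only"
  else echo "idle"; fi
}

# Stand-alone run: the nat rule was evaluated but never matched, the pass rule did.
rule_delta "$SNAP_BEFORE" "$SNAP_AFTER" "nat on tun91"
rule_delta "$SNAP_BEFORE" "$SNAP_AFTER" "pass in on tun91"
```

An "evaluated-only" result on the nat rule while the pass rule reports "matched" is the signature of the situation in this thread: traffic crosses the tunnel but never satisfies the nat rule's match criteria.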


More information about the freebsd-net mailing list