Re: Problems between pf in FreeBSD 13 and WireGuard
Date: Tue, 23 Aug 2022 09:44:56 UTC
On 8/23/2022 2:16 AM, Carlos López Martínez wrote:
> set skip on { lo wg0 }
I would avoid the skip part as it often leads to unexpected troubles.
Instead, add rules to allow traffic on those interfaces as you would
expect. If I had to guess, there is no state rule on traffic
egressing the wg0 interface to your internal network and hence it gets dropped.
> # Allow ICMP requests to check default route
> pass out on egress inet proto icmp from (self) icmp-type echoreq label
> "Allow ICMP requests for public interface"
>
Don't think it's related, but "self" is often not dynamically updated as
interfaces come and go and IP addresses are added / deleted, I find. If you
can, hook into up/down events on wg0 to reload the pf rules. Or for now,
after your wg interface is up, run pfctl -f /etc/pf.conf to reload the
ruleset so that the self table is updated. Also, where do you add the
IPs to your tables? Instead of tables, try and use macros while you are
debugging the rulesets. I also find it helpful when debugging to use
pfctl -sr
and
pfctl -sr -v (to show rule numbers that match /var/log/pflog)
so that you can see how the macros are expanding, as it sometimes doesn't
parse the way you expect.
---Mike
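As an added example, not part of Mike's reply or of the original poster's configuration, here is what an explicit pf.conf for a FreeBSD 13 host with a wg0 tunnel could look like along the lines he describes: lo0 is the only skipped interface, wg0 gets its own stateful pass rules in both directions, and macros stand in for tables while debugging. The interface names (vtnet0, vtnet1), the LAN and tunnel networks and the WireGuard port are assumptions; substitute your own.

```pf
# Added example ruleset (not from the thread). Interface names, networks
# and the WireGuard port below are assumptions; adjust them to your host.

ext_if  = "vtnet0"           # assumed public interface
int_if  = "vtnet1"           # assumed LAN interface
wg_if   = "wg0"
int_net = "192.168.10.0/24"  # assumed LAN network
wg_net  = "10.8.0.0/24"      # assumed WireGuard tunnel network
wg_port = "51820"            # assumed WireGuard listen port

# Skip loopback only; wg0 gets explicit rules instead of "set skip".
set skip on lo0

# Translate LAN and tunnel clients out the public interface. Parentheses
# make pf re-read the address whenever the interface changes.
nat on $ext_if inet from { $int_net, $wg_net } to any -> ($ext_if)

# Default deny, logged, so misses show up in /var/log/pflog.
block log all

# Encrypted WireGuard transport from peers to the listen port.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $wg_port keep state

# Decrypted traffic arriving from the tunnel side.
pass in quick on $wg_if inet from $wg_net to any keep state

# Traffic leaving through the tunnel (host- or LAN-initiated flows);
# replies to the rule above are matched by state, not by this rule.
pass out quick on $wg_if inet from any to $wg_net keep state

# LAN side. Tunnel clients only reach the LAN through these rules now,
# because wg0 traffic is no longer skipped.
pass in  quick on $int_if inet from $int_net to any keep state
pass out quick on $int_if inet from any to $int_net keep state

# Host's own (and NATed) outbound traffic on the public interface.
pass out quick on $ext_if inet from ($ext_if) to any keep state
pass out quick on $ext_if inet proto icmp from ($ext_if) icmp-type echoreq \
    label "Allow ICMP requests for public interface"
```

Check the syntax without loading it using pfctl -nf /etc/pf.conf, then load with pfctl -f /etc/pf.conf once wg0 is up. If wg0 is brought up with wg-quick from net/wireguard-tools, a PostUp = pfctl -f /etc/pf.conf line in the [Interface] section of the tunnel file reloads the ruleset after the interface exists, which is one way to do the "hook into up/down events" reload. pfctl -vvsr prints each loaded rule prefixed with its @N number, which is the rule number tcpdump shows when reading /var/log/pflog.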