[Bug 252990] net/wireguard: WG doesn't use CARP IP as source

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Jan 25 10:29:40 UTC 2021


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252990

            Bug ID: 252990
           Summary: net/wireguard: WG doesn't use CARP IP as source
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: decke at FreeBSD.org
          Reporter: m.muenz at gmail.com
             Flags: maintainer-feedback?(decke at FreeBSD.org)

Hi,

I asked Jason twice about CARP HA with FreeBSD, since when the CARP IP is used as
the destination, the reply packet is sent with the system IP and therefore
doesn't match.

https://lists.zx2c4.com/pipermail/wireguard/2020-September/005840.html

Now I thought I could maybe do some tricks via pf and NAT.

My first test was outbound NAT with source as CARP and source port wireguard:

nat on igb0 inet proto udp from (self) port 51820 to any -> 82.34.74.60 static-port # Outbound NAT for WireGuard HA

But for reply packets, i.e. when the other side connects first, this doesn't match:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:24:19.887082 IP 80.151.56.127.19335 > 82.34.74.60.51820: UDP, length 148
11:24:19.887422 IP 82.34.74.61.51820 > 80.151.56.127.19335: UDP, length 92
11:24:25.037698 IP 80.151.56.127.19335 > 82.34.74.60.51820: UDP, length 148
11:24:25.038026 IP 82.34.74.61.51820 > 80.151.56.127.19335: UDP, length 92

82.34.74.60 = CARP IP
82.34.74.61 = IP of Firewall1

Then I tried a port forward when connecting to the CARP IP, redirecting to localhost,
but it has the same result and I don't see the packets on interface lo0:

rdr log on igb0 inet proto udp from {any} to {82.34.74.60} port {51820} -> 127.0.0.1 port 51820 # Port forward to localhost for WireGuard HA

I would guess it's blocked when I don't see the packet on lo0, but I still see
the reply in the tcpdump going out.

Also, I flip between LTE and Wi-Fi, so it's nothing like pf state.

Any idea how to dig deeper into it? Maybe there is an option for outgoing NAT
to be stateless, like with usual pf rules?

I'm adding kprovost@ as discussed via Twitter.
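
An added check, not part of the bug report or the port, that applies the reporter's diagnosis to tcpdump output: it pairs inbound WireGuard packets with the replies sent back to the same peer and flags replies whose source address differs from the address the peer sent to (here the CARP IP). The sample lines are the capture quoted above, embedded as constructed input; the port number 51820 is the WireGuard port from the report.

```python
import re

# Constructed sample input: the tcpdump lines quoted in the report.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:24:19.887082 IP 80.151.56.127.19335 > 82.34.74.60.51820: UDP, length 148
11:24:19.887422 IP 82.34.74.61.51820 > 80.151.56.127.19335: UDP, length 92
11:24:25.037698 IP 80.151.56.127.19335 > 82.34.74.60.51820: UDP, length 148
11:24:25.038026 IP 82.34.74.61.51820 > 80.151.56.127.19335: UDP, length 92
"""

# One tcpdump UDP line: timestamp, src.ip.port > dst.ip.port: UDP, length N
LINE_RE = re.compile(
    r"^(\S+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP, length (\d+)$"
)


def parse_udp_packets(text):
    """Parse tcpdump UDP lines into dicts; banner lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, length = m.groups()
        packets.append({"ts": ts, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "len": int(length)})
    return packets


def find_source_mismatches(packets, wg_port=51820):
    """Return (timestamp, expected_src, actual_src, peer) for every reply leaving
    wg_port whose source is not the address the peer originally sent to.

    A peer that sent to the CARP IP expects the answer from that same IP; a reply
    from the firewall's own address is what the report describes as the failure."""
    targeted = {}  # (peer_ip, peer_port) -> address the peer sent to
    mismatches = []
    for p in packets:
        if p["dport"] == wg_port:            # inbound: remember what the peer aimed at
            targeted[(p["src"], p["sport"])] = p["dst"]
        elif p["sport"] == wg_port:          # outbound reply to a known peer
            expected = targeted.get((p["dst"], p["dport"]))
            if expected is not None and expected != p["src"]:
                mismatches.append((p["ts"], expected, p["src"], p["dst"]))
    return mismatches


if __name__ == "__main__":
    for ts, expected, actual, peer in find_source_mismatches(parse_udp_packets(SAMPLE_CAPTURE)):
        print(f"{ts}: reply to {peer} sent from {actual}, peer expected {expected}")
```

Run against a live `tcpdump -n -i igb0 udp port 51820` capture instead of the sample to confirm whether a NAT rule actually rewrites the reply source.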
