pf blocking too much

Christoph Egger christoph at sieglitzhof.net
Sat Dec 7 15:19:40 UTC 2013


Hi!

  I have an (unfortunately) somewhat complex PF setup that drops too much
in the end. Basically there are 3 DSL links (tun{0..3}) and the FreeBSD
box routes traffic from the internal network through these links, doing some
load balancing. Not a very elegant setup, but it works.

  Now I'm trying to set up a 6in4 tunnel (HE.net). After creating the gif
interface, setting up routing etc. and starting a ping from the local network
to some system outside, I can see the outgoing traffic pass gif0, then the
DSL/tun link, and arrive at the pinged system. However, the returning traffic
comes in through the DSL/tun and disappears before reaching the
gif. (All according to tcpdump on the interfaces.)

  Can someone help me figure out what goes wrong here?

Thanks

  Christoph

##################################################
# Interfaces and addresses

ext_if_1=tun0
ext_if_2=tun1
ext_if_3=tun2
int_if=bce0

int_net="10.0.0.0/8"
# Next hop on each DSL link
ext_gw_1="192.168.0.1"
ext_gw_2="192.168.0.2"
ext_gw_3="192.168.0.3"

set limit states 20000
set ruleset-optimization basic
set timeout src.track 3600
# block-policy only affects block rules; this ruleset contains none, so
# any packet that no pass rule matches falls through to pf's default pass.
set block-policy return

#############################################
# Activate NAT
# Translate LAN sources to the address of the DSL interface the packet
# leaves on; source-hash pins each LAN host to one translated address.
# Only 10/8 sources match, so the 6in4 tunnel's outer IPv4 packets
# (protocol 41, sourced from the gif tunnel's local endpoint address)
# are not translated.

nat on $ext_if_1 from $int_net to any -> $ext_if_1 source-hash
nat on $ext_if_2 from $int_net to any -> $ext_if_2 source-hash
nat on $ext_if_3 from $int_net to any -> $ext_if_3 source-hash

########################################################
# IPv6 Tunnel (all of these are currently commented out, so the active
# ruleset has no rule that mentions gif0 or any IPv6 address)
#
#pass in quick from 216.66.80.30
#pass out quick to 216.66.80.30
#pass quick on gif0 keep state
#pass in quick from 2001:470:1f0a:102b::1
#
#pass out quick on gif0
#pass quick on gif0 proto ipv6-icmp all keep state
#pass quick on gif0 inet6
#pass quick on gif0 inet all
#pass quick on gif0 inet6 proto ipv6-icmp all
#pass out quick on gif0 inet6 all

##########################################################
# Handle local stuff
# Both rules are IPv4-only, since $int_net is a 10/8 IPv4 prefix.

pass out quick on $int_if to   $int_net
pass in  quick on $int_if from $int_net to $int_if


#######################################################
# Load balancing to the DSL lanes
# This rule has no address family and no from/to filter, so it matches
# every packet entering on $int_if, IPv6 included, and route-to then
# hands it to one of the IPv4 gateways below.

pass in on $int_if route-to {
	($ext_if_1 $ext_gw_1)
	($ext_if_2 $ext_gw_2)
	($ext_if_3 $ext_gw_3)
} round-robin sticky-address

#########################################################
# Handle stuff coming in on DSL
# reply-to sends the replies of a connection that arrived on a given
# link back out through that link's gateway, bypassing the routing
# table. keep state is already the default for pass rules.

pass in on $ext_if_1 reply-to ($ext_if_1 $ext_gw_1) keep state
pass in on $ext_if_2 reply-to ($ext_if_2 $ext_gw_2) keep state
pass in on $ext_if_3 reply-to ($ext_if_3 $ext_gw_3) keep state

#####################################
# Deal with misdirected packets
# A packet sourced from one DSL interface's address that the routing
# table would send out a different link is pushed back onto the link
# that owns the source address, so the upstream does not discard it.

pass out on $ext_if_1 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
pass out on $ext_if_3 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2

pass out on $ext_if_1 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
pass out on $ext_if_2 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3

pass out on $ext_if_2 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
pass out on $ext_if_3 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1

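An added example, not part of Christoph's post and not from HE.net or the
FreeBSD handbook: the same ruleset with every route-to/reply-to rule
restricted to inet and with explicit rules for the 6in4 tunnel, which on
the DSL side is IPv4 protocol 41 between the two tunnel endpoints and on
gif0 is plain IPv6. It assumes the tunnel's local endpoint is tun0's
address and that the remote endpoint is 216.66.80.30 (taken from the
commented-out block in the post); the macro names tun6_if and he_v4 are
mine. It also adds a logging block rule so pflog0 shows where a packet is
discarded. Nothing in the post confirms that this is what was dropping the
returning traffic; it only removes the address-family ambiguity and makes
the tunnel traffic visible to pf as its own state.

```pf
# Added example, not the original ruleset. Assumes gif0's IPv4 endpoint is
# tun0's address and the remote endpoint is 216.66.80.30 (from the post).
ext_if_1=tun0
ext_if_2=tun1
ext_if_3=tun2
int_if=bce0
tun6_if=gif0                  # hypothetical macro name
he_v4="216.66.80.30"          # remote 6in4 endpoint, from the post

int_net="10.0.0.0/8"
ext_gw_1="192.168.0.1"
ext_gw_2="192.168.0.2"
ext_gw_3="192.168.0.3"

set limit states 20000
set ruleset-optimization basic
set timeout src.track 3600
set block-policy return
set skip on lo0

# Parentheses make pf re-read the interface address when it changes,
# which matters for PPP/DSL tun interfaces.
nat on $ext_if_1 inet from $int_net to any -> ($ext_if_1) source-hash
nat on $ext_if_2 inet from $int_net to any -> ($ext_if_2) source-hash
nat on $ext_if_3 inet from $int_net to any -> ($ext_if_3) source-hash

# Log everything that is dropped; tcpdump -n -e -ttt -i pflog0 then shows
# the rule number and interface for every discarded packet.
block log all

# 6in4: the encapsulated packets are IPv4 protocol 41 between the two
# endpoints. Keep them on the link that owns the endpoint address and
# create state in both directions so the return packet matches state.
pass out quick on $ext_if_1 inet proto 41 from ($ext_if_1) to $he_v4
pass in  quick on $ext_if_1 inet proto 41 from $he_v4 to ($ext_if_1) \
	reply-to ($ext_if_1 $ext_gw_1)

# Decapsulated traffic shows up as IPv6 on gif0 and is then forwarded to
# or from the LAN; none of it should ever reach the IPv4 route-to rules.
pass quick on $tun6_if inet6
pass in  quick on $int_if inet6
pass out quick on $int_if inet6

# Local IPv4 traffic
pass out quick on $int_if inet to   $int_net
pass in  quick on $int_if inet from $int_net to ($int_if)

# Load balancing, IPv4 only, so an IPv6 packet can never be given an
# IPv4 next hop.
pass in on $int_if inet from $int_net route-to {
	($ext_if_1 $ext_gw_1)
	($ext_if_2 $ext_gw_2)
	($ext_if_3 $ext_gw_3)
} round-robin sticky-address

# Traffic originated by the firewall itself
pass out on { $ext_if_1 $ext_if_2 $ext_if_3 } inet

# Inbound on the DSL links: replies leave via the link they arrived on.
pass in on $ext_if_1 inet reply-to ($ext_if_1 $ext_gw_1)
pass in on $ext_if_2 inet reply-to ($ext_if_2 $ext_gw_2)
pass in on $ext_if_3 inet reply-to ($ext_if_3 $ext_gw_3)

# Misdirected replies, as in the original ruleset but IPv4 only. These
# are later than the generic pass out above, so they win (last match).
pass out on $ext_if_1 inet route-to ($ext_if_2 $ext_gw_2) from ($ext_if_2)
pass out on $ext_if_3 inet route-to ($ext_if_2 $ext_gw_2) from ($ext_if_2)

pass out on $ext_if_1 inet route-to ($ext_if_3 $ext_gw_3) from ($ext_if_3)
pass out on $ext_if_2 inet route-to ($ext_if_3 $ext_gw_3) from ($ext_if_3)

pass out on $ext_if_2 inet route-to ($ext_if_1 $ext_gw_1) from ($ext_if_1)
pass out on $ext_if_3 inet route-to ($ext_if_1 $ext_gw_1) from ($ext_if_1)
```

Check the file with pfctl -nf /etc/pf.conf before loading it. While the
ping runs, pfctl -ss should show a state for IP protocol 41 on tun0
between the two endpoint addresses, and tcpdump -n -e -ttt -i pflog0
names the rule that discards any packet the ruleset still drops; if the
return packet is seen on tun0 but nothing is logged on pflog0, the loss
is not in pf and the gif routing and endpoint configuration are the next
thing to check.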

More information about the freebsd-questions mailing list