Date: Sun, 15 Aug 2010 16:02:01 +0200 From: =?UTF-8?Q?I=C3=B1igo_Ortiz_de_Urbina?= <inigoortizdeurbina@gmail.com> To: Henry Graterol <hgratp@gmail.com>, freebsd-net@freebsd.org Subject: Re: PF+OpenVPN+tap Message-ID: <AANLkTik216kKkHMrPFWSW3gVMWODQAB0v_hGVsdfU0_G@mail.gmail.com> In-Reply-To: <4C65BF26.8080507@gmail.com> References: <4C65BF26.8080507@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Can you post your pf.conf? Did you check which packets are blocked and when? You can use pfctl, pftop, pflog for this :) Spawn some xterms and monitor the network while your clients attach to your vpn, maybe you can spot the problem On 8/13/10, Henry Graterol <hgratp@gmail.com> wrote: > Hello, > > Before I start let me state that I am not an expert on freebsd, I do > enjoy it and consider it a hobby, and love it! > > I have a problem. I use a freebsd server behind a router/gateway to > connect clients with openvpn. I started to notice weird traffic so I > decided to try PF to control traffic. My openvpn setup uses a tap > adapter and a bridge adapter bridging the vpnclient_ips and the server_ip. > > Without PF everything works fine, so no problem there. When I activate > PF I can establish connection to the server_ip from outside thru the vpn > but I can not ping, connect to clients or the internet. After trial and > error the setup that worked for me was to skip filter on bridge0 and > tap0. With this in my configuration vpn worked as before. > > Now the problem, when I reboot the system my vpn allows connections but > repeats the past scenario (no ping, connection to clients, internet, > etc) The fix I have found is to let the system reboot and then issue a > pfctl -f /etc/pf.conf to reload the rules. Then everything works again. > > My guest is that PF is loading before the bridge and tap adapters come > up so that is somehow skipped from loading. My tap connection is set up > to come up from a script when it gets a connection from openvpn. > > Is this a correct guest? What else could be the problem? > > Thank you in advance for your feedback! > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTik216kKkHMrPFWSW3gVMWODQAB0v_hGVsdfU0_G>