From owner-freebsd-pf@FreeBSD.ORG Mon Jul 27 11:07:00 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 27 Jul 2009 11:06:59 GMT
Message-Id: <200907271106.n6RB6x7e019046@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

35 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 28 21:18:41 2009
From: Elliott Barrere
To: freebsd-pf@freebsd.org
Date: Tue, 28 Jul 2009 13:56:30 -0700
Subject: CARP and NAT

Hi everyone, please excuse my noobiness.

I have a basic firewall setup with CARP running on the LAN and WAN
interfaces. CARP and pfsync seem to be functioning properly. The problem
is I can't seem to figure out how to make pf NAT from the internal network
to the carp1 interface IP on the outside (packets always end up coming
from the IP of the physical interface in question).

I thought I could do something like:

  nat on $carp_if from $lan_net to any -> ($carp_if)

but that doesn't work. Can anyone provide me examples of a setup using
CARP and NAT? I feel like this should be pretty common...

Thanks!

:: elliott barrere :: 206.855.7011 ::

From owner-freebsd-pf@FreeBSD.ORG Tue Jul 28 21:31:55 2009
From: Elliott Barrere
To: freebsd-pf@freebsd.org
Date: Tue, 28 Jul 2009 14:31:53 -0700
Message-Id: <2B0E2B36-CB22-4C8B-B9FF-64D958B20FDA@mywedding.com>
Subject: Re: CARP and NAT

Never mind, I sorted out my issue. The carp1 interface had multiple IPs
assigned and PF was pulling the last one. Adding a carp_ip variable and
changing the NAT statement makes it work:

  nat on $cable_if from $lan_net to any -> $carp_ip

This does make me wonder, though, more generally about when to use the carp
interface versus the physical interface in PF. Does anyone know of a guide
or a good rule of thumb?

Thanks!

:: elliott barrere :: 206.855.7011 ::

On Jul 28, 2009, at 1:56 PM, Elliott Barrere wrote:

> Hi everyone, please excuse my noobiness.
>
> I have a basic firewall setup with CARP running on the LAN and WAN
> interfaces. CARP and pfsync seem to be functioning properly. The
> problem is I can't seem to figure out how to make pf NAT from the
> internal network to the carp1 interface IP on the outside (packets
> always end up coming from the IP of the physical interface in
> question).
>
> I thought I could do something like:
>
> nat on $carp_if from $lan_net to any -> ($carp_if)
>
> but that doesn't work. Can anyone provide me examples of a setup
> using CARP and NAT? I feel like this should be pretty common...
>
>
> Thanks!
>
> :: elliott barrere :: 206.855.7011 ::
>
>
>
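The following pf.conf fragment is an added example, not a configuration posted in the thread or taken from the FreeBSD tree. It puts the rule the poster started with beside the one that worked, and adds the CARP and pfsync pass rules such a failover pair needs. The interface names (em0, em1, em2), the LAN prefix and the CARP address 203.0.113.10 (a documentation range) are assumptions chosen for illustration; the only values taken from the thread are the carp1 interface name and the shape of the two nat rules.

```pf
# Added example: NAT to a shared CARP address on a FreeBSD pf failover pair.
# All interface names and addresses below are assumed for illustration.
ext_if  = "em0"              # physical WAN interface (assumed)
lan_if  = "em1"              # physical LAN interface (assumed)
sync_if = "em2"              # dedicated pfsync link (assumed)
carp_if = "carp1"            # WAN-side CARP interface, as in the thread
carp_ip = "203.0.113.10"     # the shared CARP address (assumed, documentation range)
lan_net = "192.168.1.0/24"   # assumed LAN prefix

# The rule the poster tried first.  Translation is applied on the interface
# the packet leaves through, which is the physical WAN interface, not carp1.
# In parentheses pf resolves the interface's addresses at run time, and when
# carp1 carries several addresses it does not necessarily choose the one you
# intended (the poster saw the last address used).  Kept here, disabled, as
# the pitfall to compare against.
# nat on $carp_if from $lan_net to any -> ($carp_if)

# The rule the poster arrived at: translate on the physical interface and
# name the CARP address explicitly, so there is no ambiguity about which
# address outbound traffic is sourced from.
nat on $ext_if from $lan_net to any -> $carp_ip

# Alternative documented in pf.conf(5): the :0 modifier excludes interface
# aliases, so only the interface's primary address is used.  Useful when you
# would rather not hard-code the address in a macro.
# nat on $ext_if from $lan_net to any -> ($carp_if:0)

# CARP advertisements (IP protocol carp) must pass on every interface that
# runs CARP, and pfsync traffic must pass on the sync link; otherwise the
# backup never hears the master and the state table never synchronises.
pass quick on $ext_if proto carp keep state
pass quick on $lan_if proto carp keep state
pass quick on $sync_if proto pfsync

# Filter rules stay on the physical interfaces, which is where packets are
# actually seen; the carp interface only owns the shared address.
pass in  on $lan_if from $lan_net to any keep state
pass out on $ext_if keep state
```

Check the result before loading it with `pfctl -nf /etc/pf.conf`, and after loading inspect the translation rules with `pfctl -sn`: the output shows the nat rule with the macro already expanded, so a rule that is being sourced from an unexpected address (the symptom in the thread) is visible there without sending any traffic. On the backup node the same file loads unchanged, since the CARP address moves with the master role and the nat rule refers to that address rather than to either node's physical address.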