Date:      Thu, 04 Sep 2008 19:29:57 +0200
From:      "Kiss Zoltán" <schaman@sch.bme.hu>
To:        freebsd-pf@freebsd.org
Subject:   pf fails to create state entries to OpenVPN-initiated sessions
Message-ID:  <770fd2282951.48c03735@sch.bme.hu>

Hi,

My company has a strange problem with OpenVPN under FreeBSD 7.0. The configuration is the following:

Our central NAT firewall/VPN endpoint has two physical interfaces, one for the public Internet (called ext), and one for our intranet (int, 192.168.1.0/24). On ext there are IPSec tunnels to remote offices through gif interfaces, and int is bridged to tap0, which is used by OpenVPN. Users can seamlessly log in and access the central subnet, but there are strange effects when someone wants to access branch office networks. Note that pf has “set skip” options on all gif interfaces, on the bridge0 interface and on tap0, to avoid on this side. So as I mentioned, OpenVPN users can access the 192.168.1.0/24 network, but when they send a packet to a remote subnet (e.g. 192.168.2.0/24), sometimes the firewall doesn't create a state entry, and so TCP sessions cannot be established. See this example:

2008-09-03 19:03:35.919390 rule 41/0(match): pass out on int: 192.168.1.100.55754 > 192.168.1.1.53: 61937+[|domain]
2008-09-03 19:03:36.147102 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>
2008-09-03 19:03:38.682145 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>

.1.100 is an OpenVPN client; as you can see, it passes pf to the central subnet. But in the next two rows, where .2.1 is a terminal server, you can see only the answer packets to the TCP session initiation, which are blocked for lack of a state entry. But what's more strange, when I want to start an RDP session again to the same server 2 minutes later, it works properly!:

2008-09-03 19:05:28.237872 rule 7/0(match): pass in on int: 192.168.1.100.38293 > 192.168.2.1.3389: S 2231405925:2231405925(0) win 5840 <mss 1336,sackOK,timestamp 236974897[|tcp]>

And I didn't make any change on the firewall in these 2 minutes! And this happens quite randomly, so I'm quite confused why it happens. The related firewall rules:

@7 pass in log on int inet from 192.168.1.0/24 to any flags S/SA keep state
@41 pass out log on inet inet from 192.168.1.0/24 to any flags S/SA keep state
@42 pass in log on int inet from any to 192.168.16.0/24 flags S/SA keep state

I tried to leave it as permissive as possible. There isn't any dynamic routing on this intranet, and inside the physical networks of our offices anybody can access anybody without any problem. My expectation is that if a packet comes from a VPN client, it goes through tap0 and bridge0, where it's not filtered, passes in on int, and creates a state entry, but somehow it doesn't always happen. Do you have any idea how I can investigate this problem? Any suggestions are welcome.

Regards,

Zoltán Kiss
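As an added example, not part of the original message or of the pf/OpenVPN setup it describes: a small checker that pairs the blocked SYN/ACKs in a pflog trace like the one above with the client SYNs that passed, so the handshakes that failed for lack of a state entry stand out together with the SYN that should have created it. It assumes the tcpdump-on-pflog0 line layout shown in the post and uses the post's four trace lines, re-typed, as constructed test input.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed test input: the four pflog lines quoted in the post, re-typed as a string.
SAMPLE_LOG = """\
2008-09-03 19:03:35.919390 rule 41/0(match): pass out on int: 192.168.1.100.55754 > 192.168.1.1.53: 61937+[|domain]
2008-09-03 19:03:36.147102 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>
2008-09-03 19:03:38.682145 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>
2008-09-03 19:05:28.237872 rule 7/0(match): pass in on int: 192.168.1.100.38293 > 192.168.2.1.3389: S 2231405925:2231405925(0) win 5840 <mss 1336,sackOK,timestamp 236974897[|tcp]>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)

class Entry(NamedTuple):
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    flow: Flow
    syn: bool  # tcpdump printed the SYN flag ("S ...")
    ack: bool  # "ack N" present, so this is the server's SYN/ACK

def parse_line(line: str) -> Optional[Entry]:
    """Parse one tcpdump-on-pflog0 line; None if the line is in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rest = m["rest"]  # UDP lines (the DNS query) carry no TCP flags here
    return Entry(m["ts"], int(m["rule"]), m["action"], m["dir"], m["ifname"],
                 (m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
                 rest.startswith("S "), " ack " in rest)

def find_orphan_replies(log: str) -> List[Entry]:
    """Blocked SYN/ACKs whose initiating SYN never appeared in an earlier 'pass' line:
    each is a handshake that failed because pf held no state for it."""
    passed_syns: Set[Flow] = set()
    orphans: List[Entry] = []
    for line in log.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.action == "pass" and e.syn and not e.ack:
            passed_syns.add(e.flow)  # client SYN that pf let through (state created)
        elif e.action == "block" and e.syn and e.ack:
            src, sport, dst, dport = e.flow
            if (dst, dport, src, sport) not in passed_syns:  # reverse tuple = client's SYN
                orphans.append(e)
    return orphans
```

Run over the post's trace it reports the two blocked SYN/ACKs from 192.168.2.1:3389 to 192.168.1.100:38289, with no passed SYN for that port pair, while the later 38293 SYN that did pass in on int is not flagged.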