Date:      Wed, 11 Dec 2013 15:05:49 +0000
From:      krad <kraduk@gmail.com>
To:        Christoph Egger <christoph@sieglitzhof.net>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: pf blocking too much
Message-ID:  <CALfReydohe9Zikrd1PyUdkykqoVhJHjk62kmR3NLT_KnOUm%2Bag@mail.gmail.com>
In-Reply-To: <87wqjgfzz1.fsf@anonymous.siccegge.de>
References:  <87wqjgfzz1.fsf@anonymous.siccegge.de>

You may also want to look at the setting below. If you have traffic coming
back on interfaces it wasn't sent out on, you could be having some extra fun.

set state-policy if-bound

Be careful though, as you may drop some security by altering its value.


On 7 December 2013 15:22, Christoph Egger <christoph@sieglitzhof.net> wrote:

> Hi!
>
>   I have a (unfortunately) somewhat complex PF setup dropping too much
> in the end. Basically there are 3 DSL links (tun{0..3}) and the FreeBSD
> routes traffic from the internal network through these links doing some
> load-balancing. Not a very elegant setup, but it works.
>
>   Now I'm trying to set up a 6in4 tunnel (HE.net). Creating the gif
> interface, routing etc. and starting ping on the local network to some
> system outside, I can see the outgoing traffic pass gif0, then the
> DSL/tun link, and arrive on the pinged system. However, the returning traffic
> comes in through the DSL/tun and disappears before reaching the
> gif. (All according to tcpdump on the interfaces.)
>
>   Can someone help me figure out what goes wrong here?
>
> Thanks
>
>   Christoph
>
> ##################################################
> ext_if_1=tun0
> ext_if_2=tun1
> ext_if_3=tun2
> int_if=bce0
>
> int_net="10.0.0.0/8"
> ext_gw_1="192.168.0.1"
> ext_gw_2="192.168.0.2"
> ext_gw_3="192.168.0.3"
>
> set limit states 20000
> set ruleset-optimization basic
> set timeout src.track 3600
> set block-policy return
>
> #############################################
> # Activate NAT
>
> nat on $ext_if_1 from $int_net to any -> $ext_if_1 source-hash
> nat on $ext_if_2 from $int_net to any -> $ext_if_2 source-hash
> nat on $ext_if_3 from $int_net to any -> $ext_if_3 source-hash
>
> ########################################################
> # IPv6 Tunnel
> #
> #pass in quick from 216.66.80.30
> #pass out quick to 216.66.80.30
> #pass quick on gif0 keep state
> #pass in quick from 2001:470:1f0a:102b::1
> #
> #pass out quick on gif0
> #pass quick on gif0 proto ipv6-icmp all keep state
> #pass quick on gif0 inet6
> #pass quick on gif0 inet all
> #pass quick on gif0 inet6 proto ipv6-icmp all
> #pass out quick on gif0 inet6 all
>
> ##########################################################
> # Handle local stuff
>
> pass out quick on $int_if to   $int_net
> pass in  quick on $int_if from $int_net to $int_if
>
>
> #######################################################
> # Load balancing to the DSL lanes
>
> pass in on $int_if route-to {
>         ($ext_if_1 $ext_gw_1)
>         ($ext_if_2 $ext_gw_2)
>         ($ext_if_3 $ext_gw_3)
> } round-robin sticky-address
>
> #########################################################
> # Handle stuff coming in on DSL
>
> pass in on $ext_if_1 reply-to ($ext_if_1 $ext_gw_1) keep state
> pass in on $ext_if_2 reply-to ($ext_if_2 $ext_gw_2) keep state
> pass in on $ext_if_3 reply-to ($ext_if_3 $ext_gw_3) keep state
>
> #####################################
> # Deal with misdirected packages
>
> pass out on $ext_if_1 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
> pass out on $ext_if_3 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
>
> pass out on $ext_if_1 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
> pass out on $ext_if_2 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
>
> pass out on $ext_if_2 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
> pass out on $ext_if_3 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
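The fragment below is an added example, not part of either message in the thread. It reuses Christoph's macros and the HE.net endpoints he quoted, and shows krad's suggested global state policy next to the per-rule form, together with explicit rules for the encapsulated 6in4 traffic so that its states are created on the interface the packets actually traverse. It assumes the tunnel is carried over tun0; the macro names he_v4_endpoint, he_v6_gateway and gif_if are mine.

```pf
# Added example (not from the thread). Assumes the 6in4 tunnel rides on tun0.
ext_if_1=tun0
gif_if=gif0
he_v4_endpoint="216.66.80.30"             # tunnel endpoint quoted in the question
he_v6_gateway="2001:470:1f0a:102b::1"     # IPv6 gateway quoted in the question

# Global state policy. "floating" (the default) lets a state match a packet on
# any interface; "if-bound" ties every state to the interface it was created
# on, so a reply that arrives on a different interface does not match the state
# and is evaluated against the ruleset again instead.
set state-policy if-bound

# The encapsulated tunnel packets (IP protocol 41) leave and return over the
# DSL link. Pinning them to one uplink keeps outbound and return traffic on the
# same interface, which is what if-bound states require. These rules use
# "quick" and must precede the generic reply-to rules for $ext_if_1.
pass out quick on $ext_if_1 proto 41 to $he_v4_endpoint keep state
pass in  quick on $ext_if_1 proto 41 from $he_v4_endpoint to ($ext_if_1) keep state

# After decapsulation the inner IPv6 packets are seen on gif0. The per-rule
# state option overrides the global policy for just that rule, so the tunnel's
# own states can stay interface-bound while the ICMPv6 control traffic from
# the HE.net gateway is allowed to float.
pass out quick on $gif_if inet6 keep state (if-bound)
pass in  quick on $gif_if inet6 proto ipv6-icmp from $he_v6_gateway keep state (floating)
```

After loading, `pfctl -ss` lists the states with their interface binding, which is the quickest way to confirm that the proto 41 states are created on tun0 rather than floating.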


