From owner-freebsd-questions@FreeBSD.ORG Wed Dec 11 15:05:51 2013
From: krad
To: Christoph Egger
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Wed, 11 Dec 2013 15:05:49 +0000
Subject: Re: pf blocking too much
In-Reply-To: <87wqjgfzz1.fsf@anonymous.siccegge.de>
You may also want to look at the setting below. If you have traffic coming back on interfaces it wasn't sent out on, you could be having some extra fun.

set state-policy if-bound

Be careful though, as you may drop some security by altering its value.

On 7 December 2013 15:22, Christoph Egger wrote:
> Hi!
>
> I have a (unfortunately) somewhat complex PF setup dropping too much
> in the end. Basically there are 3 DSL links (tun{0..3}) and the FreeBSD
> routes traffic from the internal network through these links doing some
> load-balancing. Not a very elegant setup, but it works.
>
> Now I'm trying to set up a 6in4 tunnel (HE.net). Creating the gif
> interface, routing etc. and starting ping on the local network to some
> system outside, I can see the outgoing traffic pass gif0, then the
> DSL/tun link and arrive on the ping'ed system. However, the returning traffic
> comes in through the DSL/tun and disappears before reaching the
> gif. (All according to tcpdump on the interfaces.)
>
> Can someone help me figure out what goes wrong here?
>
> Thanks
>
> Christoph
>
> ##################################################
> ext_if_1=tun0
> ext_if_2=tun1
> ext_if_3=tun2
> int_if=bce0
>
> int_net="10.0.0.0/8"
> ext_gw_1="192.168.0.1"
> ext_gw_2="192.168.0.2"
> ext_gw_3="192.168.0.3"
>
> set limit states 20000
> set ruleset-optimization basic
> set timeout src.track 3600
> set block-policy return
>
> #############################################
> # Activate NAT
>
> nat on $ext_if_1 from $int_net to any -> $ext_if_1 source-hash
> nat on $ext_if_2 from $int_net to any -> $ext_if_2 source-hash
> nat on $ext_if_3 from $int_net to any -> $ext_if_3 source-hash
>
> ########################################################
> # IPv6 Tunnel
> #
> #pass in quick from 216.66.80.30
> #pass out quick to 216.66.80.30
> #pass quick on gif0 keep state
> #pass in quick from 2001:470:1f0a:102b::1
> #
> #pass out quick on gif0
> #pass quick on gif0 proto ipv6-icmp all keep state
> #pass quick on gif0 inet6
> #pass quick on gif0 inet all
> #pass quick on gif0 inet6 proto ipv6-icmp all
> #pass out quick on gif0 inet6 all
>
> ##########################################################
> # Handle local stuff
>
> pass out quick on $int_if to $int_net
> pass in quick on $int_if from $int_net to $int_if
>
>
> #######################################################
> # Load balancing to the DSL lanes
>
> pass in on $int_if route-to {
>     ($ext_if_1 $ext_gw_1)
>     ($ext_if_2 $ext_gw_2)
>     ($ext_if_3 $ext_gw_3)
> } round-robin sticky-address
>
> #########################################################
> # Handle stuff coming in on DSL
>
> pass in on $ext_if_1 reply-to ($ext_if_1 $ext_gw_1) keep state
> pass in on $ext_if_2 reply-to ($ext_if_2 $ext_gw_2) keep state
> pass in on $ext_if_3 reply-to ($ext_if_3 $ext_gw_3) keep state
>
> #####################################
> # Deal with misdirected packets
>
> pass out on $ext_if_1 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
> pass out on $ext_if_3 route-to ($ext_if_2 $ext_gw_2) from $ext_if_2
>
> pass out on $ext_if_1 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
> pass out on $ext_if_2 route-to ($ext_if_3 $ext_gw_3) from $ext_if_3
>
> pass out on $ext_if_2 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
> pass out on $ext_if_3 route-to ($ext_if_1 $ext_gw_1) from $ext_if_1
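As an added illustration, not from either poster, here is a pf.conf fragment showing the state-policy setting krad mentions (the default floating beside if-bound) together with explicit rules for the 6in4 tunnel traffic. It assumes the ext_if_1..3 macros of the quoted ruleset are defined above it and reuses the HE.net endpoint addresses from its commented-out section; it is not a diagnosis of the poster's specific drop.

```conf
# Added example, not from the thread. Assumes the macros ext_if_1..3 from
# the quoted ruleset are defined above this fragment; the broker
# addresses are the ones in its commented-out "IPv6 Tunnel" section.
he_v4="216.66.80.30"
he_v6="2001:470:1f0a:102b::1"
tun_if="gif0"
dsl_ifs="{" $ext_if_1 $ext_if_2 $ext_if_3 "}"

# State policy. floating (the default) lets a state match a packet on any
# interface, which return traffic that may arrive on a different DSL link
# than the request left on needs. if-bound ties each state to the
# interface that created it: a packet arriving on another interface can
# never reuse that state (the security gain), but a reply that comes back
# on a different tun link then has no matching state and is evaluated
# against the ruleset like a new connection.
set state-policy floating
#set state-policy if-bound

# Outer 6in4 packets (IP protocol 41) between this host and the broker,
# only on the DSL links and only to/from the broker's IPv4 address.
pass out quick on $dsl_ifs proto 41 to $he_v4 keep state
pass in  quick on $dsl_ifs proto 41 from $he_v4 keep state

# Inner IPv6 on the tunnel interface: default deny inbound on gif0 (the
# quoted ruleset has no block rule at all), then outbound flows create
# state and inbound is allowed for ICMPv6 and the broker's link address.
block in on $tun_if inet6
pass out quick on $tun_if inet6 keep state
pass in  quick on $tun_if inet6 proto ipv6-icmp keep state
pass in  quick on $tun_if inet6 from $he_v6 to ($tun_if) keep state
```

Check the syntax with pfctl -nf before loading; pfctl -ss then lists each state prefixed with "all" under floating and with the bound interface name under if-bound, which makes it easy to see on which tun link a tunnel state was created.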