From: Chris Ernst
Date: Wed, 21 Jan 2015 20:18:42 +0100
To: freebsd-questions@freebsd.org
Subject: Re: A way to load PF rules at startup using OpenVPN

Hi Atma

I had similar issues with exactly the same setup.
I was able to solve the issues by using *brackets* in pf.conf.

Actually, brackets specify dynamic IPs. By using brackets, pf knows the IP may change.

Here is an extract out of my pf.conf:

user@gateway:~ # more /etc/pf.conf
intIf = "vr3"
extIf = "vr0"
vpnIf = "tun0"
[...]
[...]
### filter rules
block all
[...]
[...]
# allow from vpn to internal
pass in on $vpnIf inet proto {tcp,udp} from ($vpnIf:network) to $intNet keep state
pass in on $intIf inet proto {tcp,udp} from ($vpnIf:network) to $intNet keep state

best regards
Chris
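
Added example, not part of the mail above or of any FreeBSD tool: a small sh/awk check that lists pf.conf rules whose from/to address names a dynamic interface without the surrounding parentheses. The function name find_static_refs and the sample ruleset are constructed for illustration; the ruleset is modelled on the extract in the mail.

```shell
#!/bin/sh
# Added example (not from the original mail). pf translates a bare
# interface name in an address position (tun0, tun0:network) once, when
# the ruleset is loaded. Wrapped in parentheses, the address is updated
# whenever the interface address changes, which is what a tun device
# created later by OpenVPN needs.

# find_static_refs NAME FILE
#   NAME  interface or macro exactly as written in the rules,
#         e.g. tun0 or '$vpnIf'
#   Prints "LINE: rule" for every rule using NAME as a from/to address
#   without parentheses. Address lists in { } are not parsed.
find_static_refs() {
    awk -v name="$1" '
        /^[ \t]*#/ { next }                    # skip comment lines
        {
            for (i = 1; i < NF; i++) {
                if ($i != "from" && $i != "to") continue
                addr = $(i + 1)
                split(addr, part, ":")         # drop :network, :0, ...
                if (part[1] == name) { print NR ": " $0; break }
            }
        }' "$2"
}

# Constructed sample ruleset: line 3 uses the dynamic form, line 4 does not.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
vpnIf = "tun0"
block all
pass in on $vpnIf inet proto {tcp,udp} from ($vpnIf:network) to $intNet keep state
pass in on $intIf inet proto {tcp,udp} from $vpnIf:network to $intNet keep state
# pass in from $vpnIf:network to any
EOF

find_static_refs '$vpnIf' "$sample"
```

Only address positions are checked: "on $vpnIf" names the interface a rule applies to and takes no parentheses.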