Hi Imre,

Not sure you've got a reply to this (I was going through unread mail on bugs@), but your "pass all flags" rule is a last match, thus neither of the other pass rules is taken into account.
Cheers,
Mike

On 28 May 2016 at 00:20, <i...@auul.pri.ee> wrote:
> Hi!
>
> I think I stumbled onto a bug related to using in combination rdomain,
> a specific set of IP addresses and pf doing nat-to.
>
> I have OpenBSD v. 5.9 installed from .iso, no patches applied and no
> special programs installed or running.
>
> # uname
> OpenBSD obsd59.auul 5.9 GENERIC#1761 amd64
>
> In my setup OpenBSD acts as a firewall; it has two network interfaces, one
> facing the internet and another the internal network.
>
> vio0 (rdomain 0): 192.168.1.146 and vlan11, internet side
> vio1 (rdomain 100): 192.168.1.254 and vlan10, intranet side
>
> in rdomain 0 gateway is 192.168.1.254
> in rdomain 100 no gateway is set
>
> The computer behind OpenBSD in rdomain 100 (and vlan10) has IP address
> 192.168.1.146 and gw 192.168.1.254.
>
> OpenBSD ruleset is essentially
>
> # pfctl -sr
> pass in log quick on vio1 inet from 192.168.1.0/24 to any flags S/SA tag FROM_INTRANET rtable 0
> pass out log quick on vio0 inet all flags S/SA tagged FROM_INTRANET nat-to 192.168.1.146
> pass all flags S/SA
>
> Now, when sending packets from the computer behind this OpenBSD firewall through it,
> TCP connections aren't established; for some reason OpenBSD rejects incoming
> SYN-ACK packets.
>
> # tcpdump -ni vio0 port 873
> tcpdump: listening on vio0, link-type EN10MB
> 00:40:34.231363 192.168.1.146.60895 > 10.80.123.154.873: S 233483646:233483646(0) win 29200 <mss 1460,sackOK,timestamp 7512261 0,nop,wscale 6> (DF)
> 00:40:34.240835 10.80.123.154.873 > 192.168.1.146.60895: S 344980263:344980263(0) ack 233483647 win 28960 <mss 1460,sackOK,timestamp 174805425 7512261,nop,wscale 7> (DF)
> 00:40:34.240937 192.168.1.146.60895 > 10.80.123.154.873: R 233483647:233483647(0) win 0 (DF)
>
> If I change the address of the computer behind OpenBSD to something different from the vio0
> address, say 192.168.1.144, then packets get through OpenBSD. I wonder if this
> is a bug or I am still doing something wrong.
>
> You may wonder why this kind of ugly setup is useful. It is not designed
> from the ground up like this. It is just, so to say, 'OpenBSD to the rescue'
> to get one legacy system connected to the internet in a more-or-less controlled
> way. In that legacy system the IP config can't be changed, so OpenBSD is placed in
> between the legacy system and the rest of the network and it is doing this
> strange mapping.
>
>
> Best regards,
>
> Imre
>
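Added example, not code from the thread: a toy model of pf's rule selection (the last matching rule wins unless a matching rule is `quick`, which ends evaluation there) applied to the three rules Imre quoted, tracing the intranet host's SYN in on vio1, the same SYN out on vio0, and the peer's SYN-ACK back in on vio0. It models only direction, interface, source network, `tag`/`tagged` and `quick`; it ignores pf's state table, rdomains and the actual address translation, so it shows only which rule a fresh packet would select, and the packets are constructed from the addresses in the report.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:                      # only the clauses the three quoted rules use
    name: str
    direction: str = None        # "in"/"out"; None matches both ("pass all")
    iface: str = None            # interface name; None matches any
    src: str = None              # source network; None matches any
    quick: bool = False          # stop evaluating as soon as this rule matches
    tag: str = None              # tag set on the packet when this rule wins
    tagged: str = None           # match only packets already carrying this tag
    nat_to: str = None           # translation address (recorded, not applied)

def matches(r, direction, iface, src, tags):
    src_ok = r.src is None or ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
    return (r.direction in (None, direction) and r.iface in (None, iface)
            and src_ok and (r.tagged is None or r.tagged in tags))

def evaluate(rules, direction, iface, src, tags=frozenset()):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation there. Returns (winner, tags after match)."""
    winner = None
    for rule in rules:
        if matches(rule, direction, iface, src, tags):
            winner = rule
            if rule.quick:
                break
    if winner and winner.tag:
        tags = tags | {winner.tag}   # "tag" takes effect only from the winning rule
    return winner, tags

# The three rules from the thread's "pfctl -sr" output.
RULESET = [
    Rule("intranet_in", "in", "vio1", "192.168.1.0/24", quick=True, tag="FROM_INTRANET"),
    Rule("internet_out_nat", "out", "vio0", quick=True, tagged="FROM_INTRANET", nat_to="192.168.1.146"),
    Rule("pass_all"),
]

def trace_syn_path(host="192.168.1.146", peer="10.80.123.154"):
    """Constructed packets: the host's SYN entering vio1, the same SYN leaving
    vio0, and the peer's SYN-ACK entering vio0. Returns the winning rule names."""
    first, tags = evaluate(RULESET, "in", "vio1", host)
    second, tags = evaluate(RULESET, "out", "vio0", host, tags)
    third, _ = evaluate(RULESET, "in", "vio0", peer)        # reply carries no tag
    return [r.name for r in (first, second, third)]
```

Because the first two rules are `quick`, the final `pass all` rule is only reached by packets neither of them matches, such as the untagged SYN-ACK arriving on vio0 in this model.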