Tried to tag pkts on $int_if ?
Eg match in on $if_int from ($if_int:network) to $pbx_net tag PBX

//mxb

On 11 jun 2013, at 14:38, Rogier Krieger <[email protected]> wrote:

> A kind soul (thank you) suggested I add the following to my ruleset:
> pass quick on enc0 proto ipencap
>
> Unfortunately, that does still not allow the inner outbound traffic to pass.
>
> From what I can tell, the original ruleset already let ipencap traffic pass
> on enc0. I verified with tcpdump and by separately logging the pass rules.
> Had ipencap been the problem, tcpdump on pflog1 would show a match on rule
> #11 (instead of the 'tagged PBX' rule #12).
>
> Pinging or UDP traffic to the 172.24.8.0/24 subnet fails, whereas incoming
> traffic from the other side is matched to the 'tagged PBX' rule (#12). I've
> made sure the tagging in #14 does not occur for traffic to the PBX (I added
> its net to the <internal> table).
>
> I expected ipsec to automagically add the 'PBX' tag to traffic it gets
> handed (in this case, from $if_int) when that traffic fits its SAs. I
> further expected pf to need no more than a simple 'pass on enc0 tagged PBX'
> after that. If I was too optimistic or misunderstood ipsec.conf(5), a
> cluebat is more than welcome. If this is something that should work, I'll
> try with -current as well.
>
> Regards,
>
> Rogier
>
>
> # tcpdump -ni pflog0 -s1600 -eee -ttt -v
> Jun 11 13:36:47.049079 rule 0/(match) [uid 0, pid 17691] block out on enc0: 192.168.10.101.63617 > 172.24.8.56.5060: [udp sum ok] udp 593 (ttl 63, id 40730, len 621, bad cksum 5a08!)
> Jun 11 13:40:03.515813 rule 0/(match) [uid 0, pid 17691] block out on enc0: 192.168.10.102 > 172.24.8.55: icmp: echo request (id:0001 seq:411) (ttl 127, id 23969, len 60, bad cksum 5dc2!)
>
>
> # tcpdump -ni pflog1 -s1600 -eee -ttt
> Jun 11 13:39:28.142858 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
> Jun 11 13:39:28.142883 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
> Jun 11 13:39:29.149843 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
> Jun 11 13:39:29.149865 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
> Jun 11 13:39:30.159693 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
> Jun 11 13:39:30.159715 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
>
>
> # pfctl -sr -vv | grep -e '^@'
> @0 block return log all
> @1 match out on egress inet all tagged OUT nat-to (egress:0:1) round-robin
> @2 pass out on egress from (egress:3) to any flags S/SA
> @3 pass out on egress proto udp from (egress:3) to any port = 3740
> @4 pass out on egress inet6 from (vlan801:network:1) to any flags S/SA
> @5 pass on egress proto udp from any to any port = 500
> @6 pass on egress proto udp from any to any port = 4500
> @7 pass on egress proto ipv6 all
> @8 pass on egress inet proto icmp all
> @9 pass on egress inet6 proto ipv6-icmp all
> @10 pass on egress proto esp all
> @11 pass log (all, to pflog1) on enc0 proto ipencap all
> @12 pass log (all, to pflog1) on enc0 all flags S/SA keep state (if-bound) tagged PBX
> @13 pass in on vlan801 proto tcp from (vlan801:network:5) to (vlan801:9) port = 22 flags S/SA
> @14 match in on vlan801 from (vlan801:network:5) to ! <internal:7> tag OUT
> @15 pass on vlan801 all flags S/SA
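As an added illustration of the approach mxb suggests (this fragment is not from either poster's ruleset), the pf.conf below sets the PBX tag itself when the packet arrives on the internal interface, instead of relying on ipsec.conf(5) to tag the outbound leg. The quoted pflog1 output shows that packets coming in on enc0 already carry the PBX tag, so only the outbound direction changes. The macro names $if_int and $pbx_net and the choice of vlan801 as the internal interface are assumptions taken from the quoted ruleset; whether this clears the rule 0 blocks in the pflog0 output is exactly what mxb asks Rogier to try.

```conf
# Added example, not part of the original thread. Macros are assumptions
# based on the quoted 'pfctl -sr -vv' output.
if_int  = "vlan801"
pbx_net = "172.24.8.0/24"

# Tag PBX-bound traffic on the inside interface as it arrives. A tag set by
# a match rule stays with the packet inside the kernel, so a later rule on
# a different interface (here enc0) can test it with 'tagged'.
match in on $if_int from ($if_int:network) to $pbx_net tag PBX

# enc0 also sees the outer IP-in-IP header; keep the existing ipencap rule.
pass log (all, to pflog1) on enc0 proto ipencap

# Outbound leg: only traffic tagged on the way in may leave via the tunnel.
pass out log (all, to pflog1) on enc0 tagged PBX

# Inbound leg: decrypted packets already arrive tagged PBX (see pflog1 above).
pass in log (all, to pflog1) on enc0 tagged PBX
```

After loading, `pfctl -sr -vv | grep '^@'` shows which rule number the new match rule got, and `tcpdump -ni pflog1 -eee -ttt` should then report outbound enc0 packets matching the 'tagged PBX' pass rule rather than rule 0 on pflog0. If they still hit rule 0, the tag is not surviving into the enc0 output path and the problem is elsewhere.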

