On Fri, Aug 30, 2019 at 11:32:02AM +1000, Felix Hanley wrote:
> Hello all,
> 
> My home internet connection (Internode Australia) has recently been
> "upgraded" and is now delivered via vlan ID 2. Previously had the
> following configuration which worked without issue:
> 
> # cat /etc/hostname.em0
> up
> 
> # cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE \
>         pppoedev em0 authproto pap \
>         authname 'x...@internode.on.net' \
>         authkey 'XXXX' up
> dest 0.0.0.1
> inet6 eui64
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
> !/etc/rc.d/dhcp6c restart
> !/sbin/pfctl -ef /etc/pf.conf
> 
> After working out the vlan stuff I now have the following:
> 
> # cat /etc/hostname.em0
> up
> 
> # cat /etc/hostname.vlan2
> vnetid 2 parent em0 txprio 1
> up
> 
> # cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE \
>         llprio 1 mtu 1440 \
>         pppoedev vlan2 authproto pap \
>         authname 'x...@internode.on.net' \
>         authkey 'XXXX' up
> dest 0.0.0.1
> inet6 eui64
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
> !/etc/rc.d/dhcp6c restart
> !/sbin/pfctl -ef /etc/pf.conf
> 
> I am able to access the internet fine. My problem is incoming
> connections are unable to access the OBSD router but are able to be
> redirected to internal hosts just fine. There were no problems with this
> prior to the vlan stuff. My stripped down pf.conf is:
> 
> # cat /etc/pf.conf
> egress = "pppoe0"
> zappa = "10.0.1.2"
> 
> set skip on lo
> set skip on vlan2
> set block-policy drop
> set loginterface $egress
> 
> queue outq on $egress bandwidth 13M max 13M flows 1024 qlimit 1024 default
> 
> match in inet all scrub (no-df random-id)
> match on $egress inet scrub (max-mss 1440)
> # NAT all outbound IPv4 traffic from the rest of our network
> match out on $egress inet from !($egress:network) to any nat-to ($egress:0)
> 
> antispoof quick for lo
> 
> pass in on $egress proto { tcp udp } from any to ($egress) port { ssh http https }
> pass in on $egress proto tcp from any to ($egress) port 51022 rdr-to $zappa port ssh
> 
> Running tcpdump on pppoe0 show ICMP packets but never any SSH (or other
> TCP) packets coming in on egress. I am confused that rdr-to works but
> connections to the router do not.
> 
> Any help would be greatly appreciated.
> 
> -felix

So it turns out that my configuration was fine.

Internode reinstated their default firewall when they set up my new
service. This was blocking incoming ports 80, 443 etc.

Thanks for your time.

-felix
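
The step that settled this thread was looking at what actually arrived on pppoe0: ICMP showed up, SYNs to the router's own ports never did, so the block had to be upstream rather than in pf. The script below is an added example, not part of the original messages and not anything Felix posted; it runs the same triage offline over a constructed capture in the format of `tcpdump -n -i pppoe0`. The router address 198.51.100.7 and the remote tester 203.0.113.5 are assumed (RFC 5737 documentation addresses), and the capture deliberately includes a SYN to port 80 with no reply so that the "reached egress but pf answered nothing" branch is exercised too; on the real box that branch is where `tcpdump -n -e -ttt -i pflog0` comes in.

```shell
#!/bin/sh
# Added example, not from the original thread: an offline triage of a tcpdump
# capture on the egress interface. Each expected inbound port is sorted into
# REACHABLE (SYN arrived and a SYN-ACK went back), DROPPED_LOCALLY (SYN
# arrived, nothing went back: look at pf and pflog0) or NOT_ARRIVING (no SYN
# ever reached egress: the block is upstream of the router, as the ISP
# firewall was in this thread).
#
# Constructed capture in the style of `tcpdump -n -i pppoe0`. Addresses are
# RFC 5737 documentation addresses chosen for the example: the router's public
# address is assumed to be 198.51.100.7 and the remote tester 203.0.113.5.
CAPTURE=$(cat <<'EOF'
11:32:02.100000 IP 203.0.113.5 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
11:32:02.100500 IP 198.51.100.7 > 203.0.113.5: ICMP echo reply, id 1, seq 1, length 64
11:32:03.000000 IP 203.0.113.5.40001 > 198.51.100.7.51022: Flags [S], seq 1, win 65535, length 0
11:32:03.000400 IP 198.51.100.7.51022 > 203.0.113.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
11:32:04.000000 IP 203.0.113.5.40002 > 198.51.100.7.80: Flags [S], seq 3, win 65535, length 0
EOF
)
ROUTER=198.51.100.7

# port_verdict ROUTER_IP PORT -> prints REACHABLE, DROPPED_LOCALLY or NOT_ARRIVING
port_verdict() {
    router=$1
    port=$2
    # An inbound SYN for this port looks like "> router.port: Flags [S],".
    # The trailing colon keeps port 80 from matching 8080; grep -F treats the
    # brackets literally.
    if printf '%s\n' "$CAPTURE" | grep -F "> $router.$port: Flags [S]," >/dev/null; then
        # A SYN-ACK from router.port back out. For an rdr-to target the reply
        # is translated back to the router address, so it still shows up here.
        if printf '%s\n' "$CAPTURE" | grep -F "IP $router.$port > " | grep -F 'Flags [S.]' >/dev/null; then
            echo REACHABLE
        else
            echo DROPPED_LOCALLY
        fi
    else
        echo NOT_ARRIVING
    fi
}

# diagnose_port ROUTER_IP PORT -> one human-readable line with the next step
diagnose_port() {
    case "$(port_verdict "$1" "$2")" in
        REACHABLE)       echo "port $2: REACHABLE - SYN seen and SYN-ACK sent" ;;
        DROPPED_LOCALLY) echo "port $2: DROPPED_LOCALLY - SYN reached egress, no reply; check pf rules and tcpdump -i pflog0" ;;
        NOT_ARRIVING)    echo "port $2: NOT_ARRIVING - no SYN on egress at all; the block is upstream (ISP) or the test never sent one" ;;
    esac
}

# The ports the pf.conf in the thread expects to accept on egress
# (ssh http https and the 51022 rdr-to).
for p in 22 80 443 51022; do
    diagnose_port "$ROUTER" "$p"
done
```

Run against a real capture by replacing CAPTURE with `tcpdump -n -i pppoe0 -c 200 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'` output taken while a host outside the ISP's network connects to each port; a port that comes back NOT_ARRIVING while ICMP and the rdr-to port both show up is the signature of a block before the router, which is what the ISP firewall produced here.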
