Hi list

I am using a PC Engines apu2 board as a firewall. Or
rather, I want to use it as one, but it doesn't work
as I think it should.

First up, some information about my system. It has
three gigabit wired Ethernet interfaces, em0, em1, and
em2, as well as an 802.11n interface, athn0. Only em0
and athn0 will be relevant for this case.

# uname -a
OpenBSD my.host.name 7.3 GENERIC.MP#1125 amd64
# ifconfig em0 # I've zeroed out the lladdr
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:00
        description: egress interface
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255

# ifconfig athn0 # I've zeroed out the lladdr, bssid and changed the nwid.
athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:00
        description: wireless interface
        index 4 priority 4 llprio 3
        groups: wlan
        media: IEEE802.11 autoselect mode 11n hostap
        status: active
        ieee80211: nwid mynw chan 56 bssid 00:00:00:00:00:00 -67dBm wpakey wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
        inet 192.168.3.2 netmask 0xffffff00 broadcast 192.168.3.255

What I want to do is NAT the wireless interface to the
egress interface. I have this experimental pf setup,
which has many problems, and which therefore has a big
comment at the top:

# PF configuration file to test matching and NAT
#
# DO NOT USE IN PRODUCTION
#
set skip on lo

block log all # Rule 0

pass in on em0 proto tcp to any port 22    # Rule 1
pass out on em0 proto tcp from any port 22 # Rule 2
pass out on em0 proto udp to any port 53   # Rule 3

pass in on athn0                           # Rule 4

# Rule 5
match out log on em0 from athn0:network to any nat-to (em0)

# Rule 6
pass out log on em0 from athn0:network to any

Rules 1--3 are there so I can do my experiments over
SSH. These rules affect the rule numbering as shown by
pflog, but are otherwise not the point.

Is there anything you see in these rules, especially
in rules 5 and 6, that is not correct? I don't think
so; I've taken this almost verbatim from the pf FAQ at
https://www.openbsd.org/faq/pf/nat.html.

When I connect my phone to the wireless network on
athn0, this is what I see:

# doas tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Jun 23 12:48:28.349710 rule def/(ip-option) pass in on athn0: :: > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Jun 23 12:48:28.714929 rule 5/(match) match out on em0: 192.168.3.32.54151 > 172.217.168.68.443: S 940430546:940430546(0) win 65535 <mss 1460,sackOK,timestamp 7902429 0,nop,wscale 8> (DF)
Jun 23 12:48:28.714932 rule 0/(match) block out on em0: 192.168.3.32.54151 > 172.217.168.68.443: S 940430546:940430546(0) win 65535 <mss 1460,sackOK,timestamp 7902429 0,nop,wscale 8> (DF)
Jun 23 12:48:28.716461 rule 5/(match) match out on em0: 192.168.3.32.37973 > 216.58.215.227.80: S 2291102750:2291102750(0) win 65535 <mss 1460,sackOK,timestamp 7902430 0,nop,wscale 8> (DF)
Jun 23 12:48:28.716463 rule 0/(match) block out on em0: 192.168.3.32.37973 > 216.58.215.227.80: S 2291102750:2291102750(0) win 65535 <mss 1460,sackOK,timestamp 7902430 0,nop,wscale 8> (DF)
Jun 23 12:48:29.728732 rule 5/(match) match out on em0: 192.168.3.32.54151 > 172.217.168.68.443: S 940430546:940430546(0) win 65535 <mss 1460,sackOK,timestamp 7902730 0,nop,wscale 8> (DF)
Jun 23 12:48:29.728736 rule 0/(match) block out on em0: 192.168.3.32.54151 > 172.217.168.68.443: S 940430546:940430546(0) win 65535 <mss 1460,sackOK,timestamp 7902730 0,nop,wscale 8> (DF)

As you can see, the packet is being matched by the
match rule (rule 5) but then NOT matched by the pass
rule (rule 6) and consequently by the block-all rule
(rule 0).

When I remove rule 5 and change rule 6 to
this (making it the new rule 5):

pass out log on em0 from athn0:network to any nat-to (em0)

this is what I see in the logs:

Jun 23 12:50:59.791736 rule def/(ip-option) pass in on athn0: :: > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Jun 23 12:51:00.091647 rule def/(ip-option) pass in on athn0: :: > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Jun 23 12:51:00.152530 rule 5/(match) pass out on em0: 192.168.3.32.37988 > 216.58.215.227.80: S 749016608:749016608(0) win 65535 <mss 1460,sackOK,timestamp 7933520 0,nop,wscale 8> (DF)
Jun 23 12:51:00.152614 rule 5/(match) pass out on em0: 192.168.3.32.54168 > 172.217.168.68.443: S 2019795291:2019795291(0) win 65535 <mss 1460,sackOK,timestamp 7933520 0,nop,wscale 8> (DF)

In other words, now the same packets that weren't
passed using the match/pass combo are not passed when
the nat-to is part of the pass rule.

No matter how I read the docs, there is no way I can explain what's happening. Yet my setup is so simple that I MUST be doing something wrong, right?

Can you help me see what's going on?

Cheers

Stephan

PS: I didn't want to make this message even longer by
including a dmesg, but it is of course available on
request.
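Added here as an example, not part of Stephan's post: a small Python parser for the tcpdump pflog0 output format shown above. It groups the logged packets per flow and reports which flows hit the nat-to match rule yet ended with a block verdict, which is the symptom the post describes. The sample lines are trimmed copies of the post's own log; rule number 5 as the NAT rule comes from the post's first ruleset.

```python
import re

# Sample input: trimmed lines from the post's own "tcpdump -n -e -ttt -i pflog0" output.
SAMPLE_LOG = """\
Jun 23 12:48:28.349710 rule def/(ip-option) pass in on athn0: :: > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Jun 23 12:48:28.714929 rule 5/(match) match out on em0: 192.168.3.32.54151 > 172.217.168.68.443: S 940430546:940430546(0) win 65535 (DF)
Jun 23 12:48:28.714932 rule 0/(match) block out on em0: 192.168.3.32.54151 > 172.217.168.68.443: S 940430546:940430546(0) win 65535 (DF)
Jun 23 12:51:00.152530 rule 5/(match) pass out on em0: 192.168.3.32.37988 > 216.58.215.227.80: S 749016608:749016608(0) win 65535 (DF)
"""

# One pflog line: timestamp, "rule N/(reason)", action, direction, interface, src > dst.
# Rule may be a number or "def" (default rule); addresses are IPv4 "a.b.c.d.port" or IPv6.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\S+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>match|pass|block) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>[\w.:]+) > (?P<dst>[\w.:]+):"
)


def parse_pflog(text):
    """Return one dict per parseable pflog line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def final_verdicts(records):
    """Group records by (direction, interface, src, dst).

    A 'match' rule only sets actions (here: the NAT translation); the verdict
    for the packet is the last 'pass' or 'block' logged for the same flow.
    """
    flows = {}
    for r in records:
        key = (r["dir"], r["ifc"], r["src"], r["dst"])
        f = flows.setdefault(key, {"rules": [], "verdict": None})
        f["rules"].append(r["rule"])
        if r["action"] in ("pass", "block"):
            f["verdict"] = r["action"]
    return flows


def matched_but_blocked(flows, nat_rule="5"):
    """Flows that hit the NAT match rule but whose final verdict was 'block'."""
    return sorted(k for k, f in flows.items()
                  if nat_rule in f["rules"] and f["verdict"] == "block")


if __name__ == "__main__":
    for flow in matched_but_blocked(final_verdicts(parse_pflog(SAMPLE_LOG))):
        print("NAT matched but blocked:", flow)
```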
