Hello everybody. The situation is:
(Internet) -----> OpenBSD (bgp router) -----> ISA Server <------ another router <------- (Internet)

Actually we are migrating the ISA server from one network range (the old one) to a new network range, routed via OpenBSD. At this time ISA must work with 2 network ranges (which is not supported even for Forefront TMG). The problem is: ISA routes all outgoing packets to its default router, even packets with src="new network".

What I tried to do:

(Internet) -----> OpenBSD (bgp router) -----> ISA Server <--[ OpenBSD bridge ]---- another router <------- (Internet)
                  +-----------------------------------------------------+

It's easily done by using vlans, so OpenBSD acts as a transparent bridge:

# cat /etc/bridgename.bridge0
add vlan7
add vlan2
up
rulefile /etc/bridge.conf

# cat /etc/bridge.conf
pass in on vlan2 tag xxx
pass out on vlan2 tag xxx
pass in on vlan7 tag xxx
pass out on vlan7 tag xxx

(packets are tagged just in case).

What I meant to do is:
1) the packet comes from the OpenBSD bgp network
2) it goes to the ISA server
3) the response goes out to the "old network"
4) PF catches the packet and "puts it back"

However, while the bridge itself works fine (ISA doesn't see it at all), I cannot even "match" packets in PF.

# cat /root/pf.conf
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
set block-policy return
# packets tagged by the bridge rules should be matched here
match from N.N.N.0/24 to any tagged xxx
# never let RFC 1918 sources leak out towards the carp side
block out quick on carp6 from <rfc1918> to any
pass # to establish keep-state

and...
No packet counters:

# pfctl -sa -v
FILTER RULES:
match inet from N.N.N.0/24 to any tagged xxx
  [ Evaluations: 2150      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 14757 State Creations: 0     ]
block return out quick on carp6 from <rfc1918> to any
  [ Evaluations: 2150      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 14757 State Creations: 0     ]
pass all flags S/SA keep state
  [ Evaluations: 2150      Packets: 57459     Bytes: 36384014    States: 1814  ]
  [ Inserted: uid 0 pid 14757 State Creations: 1838  ]

No queue in use

Why couldn't PF see those packets (they pass the bridge, no problems there)?
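Added example, not part of the original post: a small Python parser for the per-rule counters that `pfctl -sa -v` / `pfctl -s rules -v` print, used to answer the question the post is really asking, namely which rules pf evaluated but never matched. The SAMPLE text is the FILTER RULES section copied from the pfctl output above; the parser itself is not an OpenBSD tool, just a diagnostic written for this thread.

```python
import re

# Counter lines printed under each rule by "pfctl -s rules -v" / "pfctl -sa -v".
STATS_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
CREATIONS_RE = re.compile(r"State Creations:\s*(\d+)")
TAGGED_RE = re.compile(r"\btagged\s+(\S+)")

# The FILTER RULES section copied from the pfctl output in the post above.
SAMPLE = """\
FILTER RULES:
match inet from N.N.N.0/24 to any tagged xxx
  [ Evaluations: 2150      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 14757 State Creations: 0     ]
block return out quick on carp6 from <rfc1918> to any
  [ Evaluations: 2150      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 14757 State Creations: 0     ]
pass all flags S/SA keep state
  [ Evaluations: 2150      Packets: 57459     Bytes: 36384014    States: 1814  ]
  [ Inserted: uid 0 pid 14757 State Creations: 1838  ]
"""


def parse_rules(text):
    """Return one dict per rule: its text plus the counters pfctl printed for it."""
    rules = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # blank line or section header
            continue
        if line.startswith("["):                # counter line for the current rule
            if cur is None:
                continue
            m = STATS_RE.search(line)
            if m:
                (cur["evaluations"], cur["packets"],
                 cur["bytes"], cur["states"]) = map(int, m.groups())
                continue
            m = CREATIONS_RE.search(line)
            if m:
                cur["state_creations"] = int(m.group(1))
            continue
        # anything else is the start of a new rule
        cur = {"rule": line, "evaluations": 0, "packets": 0, "bytes": 0,
               "states": 0, "state_creations": 0}
        rules.append(cur)
    return rules


def never_matched(rules):
    """Rules pf evaluated at least once but that never matched a single packet."""
    return [r["rule"] for r in rules if r["evaluations"] > 0 and r["packets"] == 0]


def unseen_tags(rules):
    """Tags named in 'tagged' rules that never matched: pf never saw a packet carrying them."""
    tags = []
    for r in rules:
        m = TAGGED_RE.search(r["rule"])
        if m and r["packets"] == 0 and m.group(1) not in tags:
            tags.append(m.group(1))
    return tags


if __name__ == "__main__":
    rs = parse_rules(SAMPLE)
    for r in rs:
        print(f"{r['evaluations']:>6} evals {r['packets']:>8} pkts  {r['rule']}")
    print("never matched:", never_matched(rs))
    print("tags pf never saw on a packet:", unseen_tags(rs))
```

One reading note when comparing the numbers: a rule's Packets counter also counts packets matched later by states that rule created, which is why the pass rule shows 57459 packets against only 2150 evaluations. The Evaluations column is the one to compare across rules: all three rules were evaluated 2150 times, and the "tagged xxx" rule matched none of those packets, so whatever PF was filtering did not carry the tag set by the bridge rules.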