Re: probably bug in using in combination rdomain + nat-to + specific ip addresses
Sorry for a huge delay in responding. You're right that I've missed the quick keyword. However, it appears to me that your problem stems from the fact that you don't have a gateway in rdomain 100. You must have some valid route in every rdomain otherwise routing won't happen at all. Point the default route to yourself if there's nothing else there. On 23 July 2016 at 13:38, Imre Oolbergwrote: > Hi! > > I am sorry for the delay but I still think this must be a bug somewhere. My > first pass rules apply because they are 'quick' and because i see traffic > also in pflogs. And without changing anything in packet filter and only > changing ip aadresses so that computer behind firewall does not match with > firewall's internet facing side, everythins starts to work (and with this > workaround i went). > > > Best regards, > > Imre > > > > Hi Imre, > > Not sure you've got a reply to this (I was going through unread mail > on bugs@), but your "pass all flags" rule is a last match thus neither > of the other pass rules are taken into account. > > Cheers, > Mike > > On 28 May 2016 at 00:20, wrote: > Hi! > > I think i stumbed onto a bug related to using in combination rdomain, > specific set on ip aadresses and pf doing nat-to. > > I have OpenBSD v. 5.9 installed from .iso, not patches applied and not > special programs insalled or running > > # uname > OpenBSD obsd59.auul 5.9 GENERIC#1761 amd64 > > In my setup OpenBSD acts as a firwall, it has two network interfaces, one > faceing internet and another internal network. > > vio0 (rdomain 0): 192.168.1.146 and vlan11, internet side > vio1 (rdomain 100): 192.168.1.254 and vlan10, intranet side > > in rdomain 0 gateway is 192.168.1.254 > in rdomain 100 no gateway is set > > computer behind OpenBSD in rdomain 100 (and vlan10) has ip address > 192.168.1.146 and gw 192.168.1.254. > > OpenBSD ruleset is essentially > > # pfctl -sr > pass in log quick on vio1 inet from 192.168.1.0/24 to any flags S/SA tag > FROM_INTRANET rtable 0 > pass out log quick on vio0 inet all flags S/SA tagged FROM_INTRANET nat-to > 192.168.1.146 > pass all flags S/SA > > Now, when sending packets from computer behind this OpenBSD firewall thru it > tcp connections aint established, for some reason OpenBSD rejects incoming > syn-ack packets > > # tcpdump -ni vio0 port 873 > tcpdump: listening on vio0, link-type EN10MB > 00:40:34.231363 192.168.1.146.60895 > 10.80.123.154.873: S > 233483646:233483646(0) win 29200 0,nop,wscale 6> (DF) > 00:40:34.240835 10.80.123.154.873 > 192.168.1.146.60895: S > 344980263:344980263(0) ack 233483647 win 28960 174805425 7512261,nop,wscale 7> (DF) > 00:40:34.240937 192.168.1.146.60895 > 10.80.123.154.873: R > 233483647:233483647(0) win 0 (DF) > > If i change computer's address behind OpenBSD different from the vio0 > address, say 192.168.1.144, then packets get thru OpenBSD. I wonder if this > is a bug or still i am doing something wrong. > > You may wonder why this kind of ugly setup is useful. It is not designed > from the ground up like this. It is just so to say 'OpenBSD to the rescue' > to get one legacy system connected to the internet more-or-less controlled > way. In that legacy system ip config cant be changed so OpenBSD is placed in > between the legacy system and the rest of the network and it is doing this > strange mapping. > > > Best regards, > > Imre
Re: probably bug in using in combination rdomain + nat-to + specific ip addresses
Hi! I am sorry for the delay but I still think this must be a bug somewhere. My first pass rules apply because they are 'quick' and because i see traffic also in pflogs. And without changing anything in packet filter and only changing ip aadresses so that computer behind firewall does not match with firewall's internet facing side, everythins starts to work (and with this workaround i went). Best regards, Imre Hi Imre, Not sure you've got a reply to this (I was going through unread mail on bugs@), but your "pass all flags" rule is a last match thus neither of the other pass rules are taken into account. Cheers, Mike On 28 May 2016 at 00:20,wrote: Hi! I think i stumbed onto a bug related to using in combination rdomain, specific set on ip aadresses and pf doing nat-to. I have OpenBSD v. 5.9 installed from .iso, not patches applied and not special programs insalled or running # uname OpenBSD obsd59.auul 5.9 GENERIC#1761 amd64 In my setup OpenBSD acts as a firwall, it has two network interfaces, one faceing internet and another internal network. vio0 (rdomain 0): 192.168.1.146 and vlan11, internet side vio1 (rdomain 100): 192.168.1.254 and vlan10, intranet side in rdomain 0 gateway is 192.168.1.254 in rdomain 100 no gateway is set computer behind OpenBSD in rdomain 100 (and vlan10) has ip address 192.168.1.146 and gw 192.168.1.254. OpenBSD ruleset is essentially # pfctl -sr pass in log quick on vio1 inet from 192.168.1.0/24 to any flags S/SA tag FROM_INTRANET rtable 0 pass out log quick on vio0 inet all flags S/SA tagged FROM_INTRANET nat-to 192.168.1.146 pass all flags S/SA Now, when sending packets from computer behind this OpenBSD firewall thru it tcp connections aint established, for some reason OpenBSD rejects incoming syn-ack packets # tcpdump -ni vio0 port 873 tcpdump: listening on vio0, link-type EN10MB 00:40:34.231363 192.168.1.146.60895 > 10.80.123.154.873: S 233483646:233483646(0) win 29200 (DF) 00:40:34.240835 10.80.123.154.873 > 192.168.1.146.60895: S 344980263:344980263(0) ack 233483647 win 28960 1460,sackOK,timestamp 174805425 7512261,nop,wscale 7> (DF) 00:40:34.240937 192.168.1.146.60895 > 10.80.123.154.873: R 233483647:233483647(0) win 0 (DF) If i change computer's address behind OpenBSD different from the vio0 address, say 192.168.1.144, then packets get thru OpenBSD. I wonder if this is a bug or still i am doing something wrong. You may wonder why this kind of ugly setup is useful. It is not designed from the ground up like this. It is just so to say 'OpenBSD to the rescue' to get one legacy system connected to the internet more-or-less controlled way. In that legacy system ip config cant be changed so OpenBSD is placed in between the legacy system and the rest of the network and it is doing this strange mapping. Best regards, Imre
Re: probably bug in using in combination rdomain + nat-to + specific ip addresses
Hi Imre, Not sure you've got a reply to this (I was going through unread mail on bugs@), but your "pass all flags" rule is a last match thus neither of the other pass rules are taken into account. Cheers, Mike On 28 May 2016 at 00:20,wrote: > Hi! > > I think i stumbed onto a bug related to using in combination rdomain, > specific set on ip aadresses and pf doing nat-to. > > I have OpenBSD v. 5.9 installed from .iso, not patches applied and not > special programs insalled or running > > # uname > OpenBSD obsd59.auul 5.9 GENERIC#1761 amd64 > > In my setup OpenBSD acts as a firwall, it has two network interfaces, one > faceing internet and another internal network. > > vio0 (rdomain 0): 192.168.1.146 and vlan11, internet side > vio1 (rdomain 100): 192.168.1.254 and vlan10, intranet side > > in rdomain 0 gateway is 192.168.1.254 > in rdomain 100 no gateway is set > > computer behind OpenBSD in rdomain 100 (and vlan10) has ip address > 192.168.1.146 and gw 192.168.1.254. > > OpenBSD ruleset is essentially > > # pfctl -sr > pass in log quick on vio1 inet from 192.168.1.0/24 to any flags S/SA tag > FROM_INTRANET rtable 0 > pass out log quick on vio0 inet all flags S/SA tagged FROM_INTRANET nat-to > 192.168.1.146 > pass all flags S/SA > > Now, when sending packets from computer behind this OpenBSD firewall thru it > tcp connections aint established, for some reason OpenBSD rejects incoming > syn-ack packets > > # tcpdump -ni vio0 port 873 > tcpdump: listening on vio0, link-type EN10MB > 00:40:34.231363 192.168.1.146.60895 > 10.80.123.154.873: S > 233483646:233483646(0) win 29200 0,nop,wscale 6> (DF) > 00:40:34.240835 10.80.123.154.873 > 192.168.1.146.60895: S > 344980263:344980263(0) ack 233483647 win 28960 174805425 7512261,nop,wscale 7> (DF) > 00:40:34.240937 192.168.1.146.60895 > 10.80.123.154.873: R > 233483647:233483647(0) win 0 (DF) > > If i change computer's address behind OpenBSD different from the vio0 > address, say 192.168.1.144, then packets get thru OpenBSD. I wonder if this > is a bug or still i am doing something wrong. > > You may wonder why this kind of ugly setup is useful. It is not designed > from the ground up like this. It is just so to say 'OpenBSD to the rescue' > to get one legacy system connected to the internet more-or-less controlled > way. In that legacy system ip config cant be changed so OpenBSD is placed in > between the legacy system and the rest of the network and it is doing this > strange mapping. > > > Best regards, > > Imre >