On 2020-09-26, Jan Betlach wrote:
>
> Hi,
>
> I’ve setup Wireguard on my home router running -current.
> The tunnel works, I have access to my LAN resources ONLY in case pf is
> disabled. When I enable pf, Wireguard connects, does handshakes, however
> I cannot even ping the router nor access anything in the network.
>
> So that it seems my rules in pf are the reason. I admit I am a novice in
> respect with pf. Therefore I’d like to ask you to help or direct me to
> a solution.
>
> My pf rules are pretty easy, basically taken from FAQ - building a
> router. Here they are:
>
> wan="em0"
> lan="em1"
> localnet=$lan:network
> # table name lost in the mail archive; "martians" as in the FAQ is assumed
> table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
> 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
> 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
> 203.0.113.0/24 }
> set skip on lo0
> set block-policy drop
> set loginterface egress
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> antispoof quick for { egress $lan }
> block in quick on egress from <martians> to any
> block return out quick on egress from any to <martians>
> block all
> pass out quick inet keep state
> pass in on { $lan } inet keep state
> pass in proto udp from any to any port XXX keep state
> match out on egress from (wg0:network) to any nat-to (egress:0)
One thing I've noticed, you "pass out quick" so outbound traffic
"short circuits" the rest of the ruleset, then later have a second
match...nat-to which is unreached by outbound traffic. Though that
should be a noop anyway because you have the earlier "match out on
egress inet from !(egress:network)" which I think already will have
natted the relevant traffic.
Another, the only *inbound* traffic you allow is on $lan or udp to
some port; there's no rule to pass inbound (encapsulated) traffic
from the wireguard interface, only the wireguard tunnel itself.
So you probably want "pass in on wg0" or something.