Re: pf - NAT not working after systemboot

2018-07-27 Thread Marko Cupać
On Fri, 27 Jul 2018 12:33:01 +0300
Ville Valkonen  wrote:

> On 26 July 2018 at 13:01, Thomas Huber  wrote:
> > Hi misc,
> >
> > my current pf setup works fine but I face the problem, that NAT
> > does not work directly after system boot. Only when I do a
> >
> > # pfctl -f /etc/pf.conf
> >
> > after the booting things are working correctly.
> > Note: I don't make any changes to pf.conf.
>
> as Solene mentioned, it's because the interface is not ready.
> 
> Maybe something like this (adapted from iked.conf manual page):
> all rules that have pppoe mentioned, append (if-bound).

I am using pf with pppoe for more than a decade on dozens of boxes and
never got into a problem with NAT not working. On some crappy providers
it is not unusual to wait for 10 minutes after reboot for pppoe to
negotiate and get an IP address. Also, sometimes the pppoe link goes down and
doesn't come back for hours. None of this requires reloading of pf rules,
it just waits until pppoe reconnects, the box usually gets a different public
IP address, and after that NATs to the new address.

Am I missing something?
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: pf - NAT not working after systemboot

2018-07-27 Thread Ville Valkonen
On 26 July 2018 at 13:01, Thomas Huber  wrote:
> Hi misc,
>
> my current pf setup works fine but I face the problem, that NAT does not
> work directly after system boot. Only when I do a
>
> # pfctl -f /etc/pf.conf
>
> after the booting things are working correctly.
> Note: I don't make any changes to pf.conf.
>
> Anybody any idea?
>
> General Setup:
> Hardware: PCengines APU2c4
> 2x vlan(4): vlan32 (private) vlan64 (wifi-guests)
> 2x pppoe(4):  ADSL-uplink.
>
> Thanks!
>
> Here is the pf.conf:
>
> table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
>203.0.113.0/24 }
> set block-policy drop
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> match out on pppoe0 from vlan:network nat-to (pppoe0)
> match out on pppoe1 from vlan:network nat-to (pppoe1)
> block in quick on pppoe from  to any
> block return out quick on pppoe from any to 
> block all
> pass out quick inet
>
> pass out on vlan to vlan:network
> pass in quick on vlan from vlan:network to vlan
>
> pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)}
> least-states sticky-address
> pass in on vlan proto tcp to port https route-to {(pppoe0 pppoe0:network),
> (pppoe1 pppoe1:network)} source-hash
>
> block return in on vlan from vlan64:network to vlan32:network
> block return in on vlan inet proto tcp from any to any port 25
> pass in on egress inet proto icmp all
> pass in on egress inet proto tcp from any to (egress) port ssh

Hello,

as Solene mentioned, it's because the interface is not ready.

Maybe something like this (adapted from iked.conf manual page):
all rules that have pppoe mentioned, append (if-bound).

--
Regards,
Ville



Re: Re : pf - NAT not working after systemboot

2018-07-26 Thread edgar
You could try disabling pf in rc.conf then enable it in your hostname.pppoe0.
On Jul 26, 2018 6:34 AM, gro...@grompf.net wrote:
>
> Hello,
>
> For example : Try to add an anchor in your main pf.conf and populate it
> using a secondary pf-pppoe.conf file which will be loaded at the end of
> your hostname.pppoe0.
>
> Regards,
> Eric.



Re : pf - NAT not working after systemboot

2018-07-26 Thread gro...@grompf.net
Hello,

For example : Try to add an anchor in your main pf.conf and populate it
using a secondary pf-pppoe.conf file which will be loaded at the end of
your hostname.pppoe0.

Regards,
Eric.


Re: pf - NAT not working after systemboot

2018-07-26 Thread Julien Steinhauser
> But how can I address this ?
> The system should come up by itself without any manual interaction.

Just a workaround but adding pfctl -f /etc/pf.conf to /etc/rc.local
might help.
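As an added example (not from the thread or any of its posters) of the rc.local workaround above, the snippet below only reloads pf once pppoe0 actually has a session address, and runs in the background so boot is not held up while the provider negotiates. It assumes OpenBSD's ifconfig(8) output, where a pppoe(4) interface shows `inet 0.0.0.0` until the PPP session is up; the function names and the two sample ifconfig outputs are constructed here.

```shell
#!/bin/sh
# Added example: reload pf from /etc/rc.local only after pppoe0 has negotiated.
# Assumption: pppoe(4) reports "inet 0.0.0.0" until the session is established.

# has_address IFCONFIG_OUTPUT
# Returns 0 when the output contains an IPv4 address other than 0.0.0.0.
has_address() {
    printf '%s\n' "$1" | grep -v 'inet 0\.0\.0\.0' | grep -q 'inet [0-9]'
}

# wait_for_pppoe IFNAME MAX_SECONDS
# Polls ifconfig(8) once a second until the interface has an address or the
# time budget is used up (providers can take minutes to negotiate).
wait_for_pppoe() {
    _ifn=$1
    _left=$2
    while [ "$_left" -gt 0 ]; do
        if has_address "$(ifconfig "$_ifn" 2>/dev/null)"; then
            return 0
        fi
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# reload_pf_when_up IFNAME MAX_SECONDS
# Reloads the ruleset only if the interface came up within the budget; the
# ruleset loaded at boot stays in force until then.
reload_pf_when_up() {
    wait_for_pppoe "$1" "$2" && /sbin/pfctl -f /etc/pf.conf
}

# Constructed sample ifconfig(8) output, before and after PPP negotiation.
SAMPLE_DOWN='pppoe0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: vlan0 state: initial
        inet 0.0.0.0 --> 0.0.0.1 netmask 0xffffffff'
SAMPLE_UP='pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: vlan0 state: session
        inet 203.0.113.5 --> 203.0.113.1 netmask 0xffffffff'

# In /etc/rc.local, after pasting the functions above, run it in the background
# so that rc.local returns immediately:
#   reload_pf_when_up pppoe0 600 &
```

With two pppoe uplinks as in the original setup, either wait on both interfaces or accept that the reload happens when the first one is up; the parenthesised `(pppoe0)` in the nat-to rules is tracked by pf dynamically, so the address used for NAT is what the interface has at the moment a state is created.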



Re: pf - NAT not working after systemboot

2018-07-26 Thread Thomas Huber
Hi Solene,

thanks, that's something I had also in mind.

But how can I address this ?
The system should come up by itself without any manual interaction.

--mirac


On Thu, 26 Jul 2018 at 12:07, Solene Rapenne  wrote:
>
> Thomas Huber  wrote:
> > Hi misc,
> >
> > my current pf setup works fine but I face the problem, that NAT does not
> > work directly after system boot. Only when I do a
> >
> > # pfctl -f /etc/pf.conf
> >
> > after the booting things are working correctly.
> > Note: I don't make any changes to pf.conf.
> >
> > Anybody any idea?
> >
> > General Setup:
> > Hardware: PCengines APU2c4
> > 2x vlan(4): vlan32 (private) vlan64 (wifi-guests)
> > 2x pppoe(4):  ADSL-uplink.
> >
> > Thanks!
> >
> > Here is the pf.conf:
> >
> > table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
> >172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
> >192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
> >203.0.113.0/24 }
> > set block-policy drop
> > set skip on lo0
> > match in all scrub (no-df random-id max-mss 1440)
> > match out on pppoe0 from vlan:network nat-to (pppoe0)
> > match out on pppoe1 from vlan:network nat-to (pppoe1)
> > block in quick on pppoe from  to any
> > block return out quick on pppoe from any to 
> > block all
> > pass out quick inet
> >
> > pass out on vlan to vlan:network
> > pass in quick on vlan from vlan:network to vlan
> >
> > pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)}
> > least-states sticky-address
> > pass in on vlan proto tcp to port https route-to {(pppoe0 pppoe0:network),
> > (pppoe1 pppoe1:network)} source-hash
> >
> > block return in on vlan from vlan64:network to vlan32:network
> > block return in on vlan inet proto tcp from any to any port 25
> > pass in on egress inet proto icmp all
> > pass in on egress inet proto tcp from any to (egress) port ssh
>
>
> I think it's due to pppoe0 not initialized when pf starts. Same thing
> happens using tun0 from OpenVPN for example.


Re: pf - NAT not working after systemboot

2018-07-26 Thread Solene Rapenne
Thomas Huber  wrote:
> Hi misc,
> 
> my current pf setup works fine but I face the problem, that NAT does not
> work directly after system boot. Only when I do a
> 
> # pfctl -f /etc/pf.conf
> 
> after the booting things are working correctly.
> Note: I don't make any changes to pf.conf.
> 
> Anybody any idea?
> 
> General Setup:
> Hardware: PCengines APU2c4
> 2x vlan(4): vlan32 (private) vlan64 (wifi-guests)
> 2x pppoe(4):  ADSL-uplink.
> 
> Thanks!
> 
> Here is the pf.conf:
> 
> table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
>203.0.113.0/24 }
> set block-policy drop
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> match out on pppoe0 from vlan:network nat-to (pppoe0)
> match out on pppoe1 from vlan:network nat-to (pppoe1)
> block in quick on pppoe from  to any
> block return out quick on pppoe from any to 
> block all
> pass out quick inet
> 
> pass out on vlan to vlan:network
> pass in quick on vlan from vlan:network to vlan
> 
> pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)}
> least-states sticky-address
> pass in on vlan proto tcp to port https route-to {(pppoe0 pppoe0:network),
> (pppoe1 pppoe1:network)} source-hash
> 
> block return in on vlan from vlan64:network to vlan32:network
> block return in on vlan inet proto tcp from any to any port 25
> pass in on egress inet proto icmp all
> pass in on egress inet proto tcp from any to (egress) port ssh


I think it's due to pppoe0 not initialized when pf starts. Same thing
happens using tun0 from OpenVPN for example.