Hello list,
IPv4 encapsulated traffic always hit rule: block log (all, to pflog0) If I set in pf.conf on both tunnel sides: set skip on {tun0, gif0} I can ping both IPv4 tunnel ends, but rdr-to rules don't work for IPv4 encapsulated packets this way. I've tried to allow encap protocol right after 'block log (all, to pflog0)' rule like below: pass in log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound) pass out log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound) No effect, IPv4 encapsulated traffic blocked by 'block log (all, to pflog0)' rule all the times according to tcpdump as below: 07:15:54.366210 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap) 07:15:55.366422 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap) The question is how to allow IPv4 encapsulated traffic for tun0 with gif0 IPv4-in-IPv6? Configs for both sides of tunnel: === Side-a === # cat /etc/hostname.gif0 # gif0 up description 'IPv4 over IPv6 tunnel' # tunnel [src IPv6] [dst IPv6] tunnel dddd:cccc:bbbb:aaaa::18b5 aaaa:bbbb:cccc:dddd::a503 inet alias 10.190.0.1 dest 10.190.0.2 # ifconfig tun0 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 index 44 priority 0 llprio 3 groups: tun status: active inet6 fe80::5054:ffc:fe04:f824%tun0 -> prefixlen 64 scopeid 0x2c inet6 dddd:cccc:bbbb:aaaa::18b5 -> prefixlen 48 === Side-b === # cat /etc/hostname.gif0 # gif0 up description 'IPv4 over IPv6 tunnel' # tunnel [src IPv6] [dst IPv6] tunnel aaaa:bbbb:cccc:dddd::a503 dddd:cccc:bbbb:aaaa::18b5 inet alias 10.190.0.2 dest 10.190.0.1 # ifconfig tun0 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 index 44 priority 0 llprio 3 groups: tun status: active inet6 fe80::2a15:f3af:fefb:a3b0%tun0 -> prefixlen 64 scopeid 0x2c inet6 aaaa:bbbb:cccc:dddd::a503 -> prefixlen 48 |
Some updates
ipv6-icmp for both ends with IPv6 addresses works well even without 'set skip': pass in on tun0 inet6 proto ipv6-icmp all icmp6-type {toobig, echoreq} keep state So it confirmed filtering for IPv6 is working for tun0, but do not work for IPv4 encapsulated for some reason. Please advice. ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, April 8, 2021 7:24 AM, Martin <[hidden email]> wrote: > Hello list, > > IPv4 encapsulated traffic always hit rule: > > block log (all, to pflog0) > > If I set in pf.conf on both tunnel sides: > > set skip on {tun0, gif0} > > I can ping both IPv4 tunnel ends, but rdr-to rules don't work for IPv4 encapsulated packets this way. > > I've tried to allow encap protocol right after 'block log (all, to pflog0)' rule like below: > > pass in log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound) > pass out log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound) > > No effect, IPv4 encapsulated traffic blocked by 'block log (all, to pflog0)' rule all the times according to tcpdump as below: > > 07:15:54.366210 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap) > 07:15:55.366422 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap) > > The question is how to allow IPv4 encapsulated traffic for tun0 with gif0 IPv4-in-IPv6? > > Configs for both sides of tunnel: > > === Side-a === > > cat /etc/hostname.gif0 > > ======================= > > gif0 > > ===== > > up > description 'IPv4 over IPv6 tunnel' > > tunnel [src IPv6] [dst IPv6] > > ============================= > > tunnel dddd:cccc:bbbb:aaaa::18b5 aaaa:bbbb:cccc:dddd::a503 > inet alias 10.190.0.1 > dest 10.190.0.2 > > ifconfig tun0 > > ============== > > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 > > index 44 priority 0 llprio 3 > groups: tun > status: active > inet6 fe80::5054:ffc:fe04:f824%tun0 -> prefixlen 64 scopeid 0x2c > > inet6 dddd:cccc:bbbb:aaaa::18b5 -> prefixlen 48 > > > === Side-b === > > cat /etc/hostname.gif0 > > ======================= > > gif0 > > ===== > > up > description 'IPv4 over IPv6 tunnel' > > tunnel [src IPv6] [dst IPv6] > > ============================= > > tunnel aaaa:bbbb:cccc:dddd::a503 dddd:cccc:bbbb:aaaa::18b5 > inet alias 10.190.0.2 > dest 10.190.0.1 > > ifconfig tun0 > > ============== > > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 > > index 44 priority 0 llprio 3 > groups: tun > status: active > inet6 fe80::2a15:f3af:fefb:a3b0%tun0 -> prefixlen 64 scopeid 0x2c > > inet6 aaaa:bbbb:cccc:dddd::a503 -> prefixlen 48 > |
In addition to pass encapsulated traffic by the rules below:
pass in log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound) pass out log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound) I set incoming rule for ICMP traffic pass from tun0 and gif0 interfaces. This rule works fine if IPv4 is not encapsulated (work for all IPv4 traffic appearing on any interface affected), but with IPv4 encap it doesn't work for some reason. And ICMP packets from IPv4 encapsulated always hit block all rule. pass in on {tun0, gif0} inet proto icmp all icmp-type {echoreq, timex, paramprob, unreach code needfrag} keep state Any ideas can help. ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, April 8, 2021 9:11 AM, Martin <[hidden email]> wrote: > Some updates > > ipv6-icmp for both ends with IPv6 addresses works well even without 'set skip': > > pass in on tun0 inet6 proto ipv6-icmp all icmp6-type {toobig, echoreq} keep state > > So it confirmed filtering for IPv6 is working for tun0, but do not work for IPv4 encapsulated for some reason. > > Please advice. > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > On Thursday, April 8, 2021 7:24 AM, Martin [hidden email] wrote: > > > Hello list, > > IPv4 encapsulated traffic always hit rule: > > block log (all, to pflog0) > > If I set in pf.conf on both tunnel sides: > > set skip on {tun0, gif0} > > I can ping both IPv4 tunnel ends, but rdr-to rules don't work for IPv4 encapsulated packets this way. > > I've tried to allow encap protocol right after 'block log (all, to pflog0)' rule like below: > > pass in log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound) > > pass out log inet proto {ipencap, encap, etherip} from any to any keep state (if-bound) > > No effect, IPv4 encapsulated traffic blocked by 'block log (all, to pflog0)' rule all the times according to tcpdump as below: > > 07:15:54.366210 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap) > > 07:15:55.366422 rule 48/(match) block in on tun0: 10.190.0.1 > 10.190.0.2: [|icmp] (encap) > > The question is how to allow IPv4 encapsulated traffic for tun0 with gif0 IPv4-in-IPv6? > > Configs for both sides of tunnel: > > === Side-a === > > cat /etc/hostname.gif0 > > ======================= > > gif0 > > ===== > > up > > description 'IPv4 over IPv6 tunnel' > > tunnel [src IPv6] [dst IPv6] > > ============================= > > tunnel dddd:cccc:bbbb:aaaa::18b5 aaaa:bbbb:cccc:dddd::a503 > > inet alias 10.190.0.1 > > dest 10.190.0.2 > > ifconfig tun0 > > ============== > > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 > > > > index 44 priority 0 llprio 3 > > groups: tun > > status: active > > inet6 fe80::5054:ffc:fe04:f824%tun0 -> prefixlen 64 scopeid 0x2c > > > > inet6 dddd:cccc:bbbb:aaaa::18b5 -> prefixlen 48 > > > > > > === Side-b === > > cat /etc/hostname.gif0 > > ======================= > > gif0 > > ===== > > up > > description 'IPv4 over IPv6 tunnel' > > tunnel [src IPv6] [dst IPv6] > > ============================= > > tunnel aaaa:bbbb:cccc:dddd::a503 dddd:cccc:bbbb:aaaa::18b5 > > inet alias 10.190.0.2 > > dest 10.190.0.1 > > ifconfig tun0 > > ============== > > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 > > > > index 44 priority 0 llprio 3 > > groups: tun > > status: active > > inet6 fe80::2a15:f3af:fefb:a3b0%tun0 -> prefixlen 64 scopeid 0x2c > > > > inet6 aaaa:bbbb:cccc:dddd::a503 -> prefixlen 48 > > |
Free forum by Nabble | Edit this page |