I have an architecture like the one in the attached picture, and I have an issue with PF. I don't know if it's a bug; maybe I should post to b...@openbsd.org.

I created a virtual network with VXLAN, it's 192.168.3.0/24. VTEP1 and VTEP2 are connected to H3 via p2p interfaces: 10.13.11.0/30 and 10.13.12.0/30. H3 has this route configured for 192.168.3.0/24 to VTEP1:

    # route show -inet 192.168.3/24 10.13.11.2

(please find the attached picture)

1) The echo request from H3 (10.13.11.1) to VM2 (192.168.3.121) is routed to VTEP1.

    VTEP1# pfctl -s state
    all icmp 192.168.3.121:8 <- 10.13.11.1:17863       0:0
    all icmp 10.13.11.1:17863 -> 192.168.3.121:8       0:0

2) The echo request reaches VM2 via VXLAN.

3) VM2 sends back the echo reply via VTEP2, but it receives a port unreachable:

    VM2# tcpdump -ni vio0 icmp
    10.13.11.1 > 192.168.3.121: icmp: echo request
    192.168.3.121 > 10.13.11.1: icmp: echo reply
    192.168.3.12 > 192.168.3.121: icmp: 10.13.11.1 proto 1 port 62908 unreachable

PF on VTEP2 doesn't have any state associated with the echo request, so the echo reply is not routed to H3. If I disable PF on VTEP2 (VTEP2# pfctl -d), the echo reply is successfully routed to H3.

I tried to configure this PF rule on VTEP2, but the result is the same:

    pass inet from 192.168.3.0/24 to any no state

Even with this rule, the traffic doesn't flow from H3 to VM2 with PF enabled.

I would like to have PF enabled everywhere. Anyway, I don't know if:

1 - PF with the 'no state' rule should let the traffic flow, which means that PF has a bug, or
2 - PF behaves as expected and the traffic must not flow, or
3 - the 'no state' rule is the wrong rule to let the traffic flow. If so, I don't know what rule should be used in /etc/pf.conf.

Any thoughts are more than welcome.
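The symptom described in the post (a state table entry for the ICMP flow on the firewall that saw the request, none on the firewall that sees the reply) is the signature of asymmetric routing through stateful firewalls. The script below is an added example, not code from the poster, that automates that comparison: it parses `pfctl -s state` output collected from several hosts, keys each entry by a direction-independent flow tuple, and reports which hosts lack a state for a flow that another host holds. The host names VTEP1/VTEP2, the helper names, and the empty VTEP2 output are assumptions constructed from what the post reports; the VTEP1 lines are the ones shown in the post.

```python
import re

# One line of `pfctl -s state` output: "<if> <proto> <addr>:<n> <dir> <addr>:<n> <state>".
# For ICMP the number after the colon is the ICMP type on one side and the
# echo identifier on the other, so it is kept as part of the endpoint string.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>[0-9a-fA-F.:]+:\d+)\s+"
    r"(?P<dir><-|->|<->)\s+"
    r"(?P<b>[0-9a-fA-F.:]+:\d+)"
)


def parse_states(text):
    """Return a set of direction-agnostic flow keys (proto, endpoint1, endpoint2).

    Both the "<-" and "->" entries PF keeps for one connection collapse onto
    the same key, so a host that holds the state is counted once.
    """
    flows = set()
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        ends = sorted([m.group("a"), m.group("b")])
        flows.add((m.group("proto"), ends[0], ends[1]))
    return flows


def asymmetric_flows(states_by_host):
    """Map each flow known to some host but not to all hosts -> hosts missing it.

    A non-empty result means replies for that flow can reach a firewall that
    never saw the request and will be dropped by stateful rules there.
    """
    all_flows = set().union(*states_by_host.values())
    result = {}
    for flow in sorted(all_flows):
        missing = sorted(h for h, s in states_by_host.items() if flow not in s)
        if missing:
            result[flow] = missing
    return result


def report(states_by_host):
    """Human-readable lines, one per asymmetric flow."""
    lines = []
    for (proto, e1, e2), missing in asymmetric_flows(states_by_host).items():
        lines.append(f"{proto} {e1} <-> {e2}: no state on {', '.join(missing)}")
    return lines


# Constructed sample input. VTEP1's lines are the two state entries from the
# post; VTEP2's output is empty because the post reports that VTEP2 holds no
# state for this echo request (assumption: nothing else is in its table).
VTEP1_STATES = """\
all icmp 192.168.3.121:8 <- 10.13.11.1:17863       0:0
all icmp 10.13.11.1:17863 -> 192.168.3.121:8       0:0
"""
VTEP2_STATES = ""


def sample_result():
    """Run the comparison on the constructed sample."""
    return report({
        "VTEP1": parse_states(VTEP1_STATES),
        "VTEP2": parse_states(VTEP2_STATES),
    })


if __name__ == "__main__":
    for line in sample_result():
        print(line)
```

On real hosts, feed `pfctl -s state` output from each firewall on the path into `parse_states`; any flow listed by `report` is one whose reply path does not revisit the firewall that created the state, which is exactly what the post observes between VTEP1 and VTEP2.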