nat before ipsec ...
hi,

please, may somebody help with the subj? is it possible at all on FreeBSD with pf?

I need to binat some of my LAN (network A) IP addresses to some secure communication addresses (network B), for access to network C behind IPSec.

    target <-> world <--> em0 - freebsd - vlanA <--> LAN
                                ^^                   net A
                                ||
    +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+

when I land some B network address on the freebsd box, then everything from that address works

but, when I try to bi/nat some network A address to some network B address, it does not

in pf.conf I try this:

    binat on vlanA from A1 to C3 -> B2

where:
    A1 is some address from net A
    B2 is some address from net B
    C3 is some address from net C

I can see incoming packets from A1 to C3 on interface vlanA, but after that, packets "disappear", I can not find them on any other interface and no return packets

as far as I know I need "nat before vpn" ... but I was not able to find how to do that ... can I do that with pf on freebsd?

I run FreeBSD 9.2-PRERELEASE #6 r255856: amd64 with system pf

please, help me understand what am I missing ...

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)

___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
Re: nat before ipsec ...
wishmaster wrote:
> If I understand you correctly, you want binat inside IPSec and I'm not sure ...

what I want is to nat packets from net A before they enter IPSec, as if they did not originate on the freebsd host

so, they enter IPSec already as net B packets ...

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
Re: nat before ipsec ...
> target <-> world <--> em0 - freebsd - vlanA <--> LAN
>                             ^^                   net A
>                             ||
> +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+
> ...
> where:
>     A1 is some address from net A
>     B2 is some address from net B
>     C3 is some address from net C
>
> I can see incoming packets from A1 to C3 on interface vlanA, but after
> that, packets "disappears", I can not find them any other interface and
> no return packets

finally I was able to get the packets redirected (actually after pf restart, not just reload) and now I have A1 packets going to C3 on vlanA

    # tcpdump -ni tun10 host C3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on tun10, link-type NULL (BSD loopback), capture size 65535 bytes
    07:10:57.641536 IP A1 > C3: ICMP echo request, id 59179, seq 8913, length 64
    07:10:58.641467 IP A1 > C3: ICMP echo request, id 59179, seq 8914, length 64
    07:10:59.641882 IP A1 > C3: ICMP echo request, id 59179, seq 8915, length 64

and further I can see them on the interface IPSec is configured on:

    # tcpdump -ni em1 host C3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
    07:12:28.638456 IP A1 > C3: ICMP echo request, id 59179, seq 9004, length 64
    07:12:29.636961 IP A1 > C3: ICMP echo request, id 59179, seq 9005, length 64
    07:12:30.637647 IP A1 > C3: ICMP echo request, id 59179, seq 9006, length 64

but these packets *do not pass through the nat* ...

in pf.conf I do:

    rdr pass on $if_vpn from A1 to C -> $target-side-of-ipsec
    binat on $if_vpn from A1 to C3 -> B2

and net.inet.ipsec.filtertunnel is set to 1

is the URL below the answer?
http://forum.pfsense.org/index.php/topic,49800.msg265106.html#msg265106

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
nat lan to tun (nat before vpn)
hi,

I just stumbled on the subject ... please, may somebody advise what am I missing?

I have:

FreeBSD 10.0-STABLE #0 r261303

BoxA:
    LAN: 192.168.0.1/24
    TUN (OpenVPN): 172.16.10.1 with route to 172.16/12 set via tun

BoxB:
    LAN: 192.168.0.2/24 with route to 172.16/12 set via boxA lan

I need: to give access to 172.16/12 for boxB via nat on boxA

in boxA pf.conf:

    nat on tun1 from 192.168.0.2 to 172.16/12 -> 172.16.10.1
    pass in log on tun1
    pass in log (all) on $if_lan inet proto { tcp udp } from 192.168.0.2

when I spawn traffic to 172.16/12 from boxB I can see packets on boxA lan but nothing is on boxA tun ...

so, can I do that this way or do I need something else? is it the nat-before-vpn case which is not implemented in FreeBSD pf yet (at least it was so)?

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
pfctl ... driver does not support altq
greetings,

I see, in the list the issue appears from time to time but I was not able to find the solution for my case, please help me to get altq working on my igb(4) if it is possible at all

I was trying the igb(4) original OS driver and the one from Intel but the result is the same

below are my details:

> uname -a
FreeBSD 10.0-RELEASE-p11 #2 r273597 and64

> dmesg
---[ quotation start ]---
igb3: port 0xa000-0xa01f mem 0xf710-0xf717,0xf718-0xf7183fff irq 19 at device 0.0 on pci7
igb3: Using MSIX interrupts with 5 vectors
igb3: Ethernet address: 00:25:90:d1:dc:6b
igb3: Bound queue 0 to cpu 0
igb3: Bound queue 1 to cpu 1
igb3: Bound queue 2 to cpu 2
igb3: Bound queue 3 to cpu 3
---[ quotation end ]---

> pciconf -l
igb3@pci0:7:0:0: class=0x02 card=0x153315d9 chip=0x15338086 rev=0x03 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = 'I210 Gigabit Network Connection'
    class    = network
    subclass = ethernet

> /boot/loader.conf
---[ quotation start ]---
hw.igb.rxd=4096
hw.igb.txd=4096
hw.igb.rx_process_limit="-1"
hw.igb.num_queues=0
hw.igb.max_interrupt_rate=32000
net.isr.defaultqlimit=4096
net.isr.bindthreads=1
net.isr.maxthreads=4
net.isr.maxqlimit=32768
---[ quotation end ]---

> /usr/src/sys/amd64/conf/MY_KERNEL
---[ quotation start ]---
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
options ALTQ_DEBUG
---[ quotation end ]---

> /etc/pf.conf
---[ quotation start ]---
altq on igb3 cbq bandwidth 1000Mb queue { wan_rest, wan_viber }
queue wan_viber bandwidth 5Mb priority 0
queue wan_rest bandwidth 995Mb cbq(default)
---[ quotation end ]---

> service pf check && service pf reload
Checking pf rules.
Reloading pf rules.
pfctl: igb3: driver does not support altq

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
default to wan1, definite subnet replies to wan2
greetings,

I have two wan interfaces, wan1 and wan2

wan1 is for default

I have a subnet in my LAN all replies from which I need to direct through wan2

I hoped to do that with this pf configuration:

    if_service = "vlan1234" # service network
    table const { 10.0.0.0/24 }
    # requests for the service
    rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
    nat log on $if_wan2 from to any -> ($if_wan2)
    ...
    pass in log on $if_video route-to ($if_wan3 $gw_wan3) from to ! keep state

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
wan1 as default, wan2 dedicated to a service
hi,

I need a trivial thing but am wondering where I am wrong ... :( help please

I have two WAN interfaces: wan1 and wan2

wan1 is the default route interface, wan2 is dedicated for DVR (video)

I'm trying to direct all output from DVR to wan2 (here I do not care where a request to DVR came from, I want all replies to go out through wan2)

so, I hoped to do that with this pf.config

    ---[ start ]
    if_wan1 = "em0"
    if_wan2 = "igb0" # ip address A.B.C.D
    gw_wan2 = "E.F.G.H"
    if_dvr="vlan123"
    table const { 10.0.0.0/24 }
    # redirect all requests on wan2 to DVR host1
    rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1 port 5678
    nat log on $if_wan2 from to any -> ($if_wan2)
    ...
    pass in log on $if_dvr route-to ($if_wan2 $gw_wan2) from to any keep state
    ---[ stop ]

as results,
I see requests from world on $if_wan2
I see redirects of the requests, out packets on $if_dvr
I see replies to the requests, in packets on $if_dvr
but I see ($if_wan2) sourced replies, and I see them on *$if_wan1*

so, as I understand ... route-to works, otherwise replies wouldn't be from ($if_wan2)
but nated replies appear on $if_wan1, which is the default route ...

so ... how can I have replies go out through $if_wan2? is it a question of the second routing table?

please, advise

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
Re: default to wan1, definite subnet replies to wan2
sorry for the noise, please ignore this incomplete message

Zeus Panchenko wrote:
> greetings,
>
> I have two wan intefaces, wan1 and wan2
>
> wan1 is for default
>
> I have subnet in my LAN all replies from which I need to direct through
> wan2
>
> I hoped to do that with this pf configuration:
>
> if_service = "vlan1234" # service network
> table const { 10.0.0.0/24 }
> # requests for the service
> rdr pass on $if_wan2 proto { tcp, udp } to ($if_wan2) port 1234 -> 10.0.0.1
> port 5678
> nat log on $if_wan2 from to any -> ($if_wan2)
> ...
> pass in log on $if_video route-to ($if_wan3 $gw_wan3) from to !
> keep state
>

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
Re: wan1 as default, wan2 dedicated to a service
Max wrote:
> Probably you should use
> pass out log on $if_dvr reply-to ($if_wan2 $gw_wan2) to

thank you, Max, this helped

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
pfsync for sshguard table sync on several hosts
hi,

please advise

I think of pfsync-ing the sshguard table content among several hosts to get one big table on each host, since an IP blocked on one host I want to be blocked on all the others automatically (all hosts are terminated in one VPN) ...

am I correct to consider pfsync as the right way to get that?

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
Re: pfsync for sshguard table sync on several hosts
mxb wrote:
> Use BGP to distribute list of IP addresses.
> Like it is done at http://bgp-spamd.net/

what about pfsync indeed?

I need a black list of addresses I can control on my own, and to install BGP infrastructure for local needs looks excessive

isn't pfsync aimed for tasks like this one?

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
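An added example, not from the thread and not how the list answered it: pfsync(4) replicates pf state-table entries, not address tables, so a table such as sshguard's has to be exported from each host, merged, and loaded on the others by some other transport (copying a dump file with scp or rsync is assumed here). The script below merges several `pfctl -T show` dumps into one validated list and loads it with `pfctl -T replace`; the table name, file path and sub-command names are assumptions.

```shell
#!/bin/sh
# Added example: share an sshguard block table between hosts without pfsync,
# which only carries pf *states*. Table name and paths are assumptions.
set -e

TABLE="sshguard"                      # table sshguard adds offenders to
SHARED="/var/db/sshguard-shared.txt"  # merged list copied to every host

# Keep only lines that look like an IPv4 address or address/prefix. A dump
# fetched from another host is untrusted input: nothing else may reach pfctl
# (this is a syntactic check; pfctl still rejects out-of-range values).
filter_valid() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || true
}

# Union of one or more table dumps (files in `pfctl -t $TABLE -T show`
# format, which indents each entry) -> sorted, de-duplicated list on stdout.
merge_dumps() {
    cat "$@" | tr -d ' \t' | filter_valid | sort -u
}

# Dump this host's table in the format the other hosts will merge.
export_table() {
    pfctl -t "$TABLE" -T show
}

# Make the local table exactly the merged file; run on each host after the
# shared file has been copied in. sshguard keeps adding to it locally.
import_table() {
    pfctl -t "$TABLE" -T replace -f "$1"
}

case "${1:-}" in
    export) export_table ;;
    merge)  shift; merge_dumps "$@" ;;
    import) import_table "${2:-$SHARED}" ;;
esac
```

Typical use is `./script.sh export > host1.txt` on every host, `./script.sh merge host*.txt > sshguard-shared.txt` on one of them, then copying the merged file out and running `./script.sh import` on each.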
[Q] what is the correct way to filter by remote pf?
greetings

please, advise

WHAT I HAVE:

    routerB <-> netX/16
      ^
      |
      V
    clients <-> routerA <-> netX/24

WHAT I NEED:

to provide `clients <-> netX/24' traffic on the basis of routerB pf rules

so, the very decision to pass or to block has to be made on routerB

HOW I THINK TO DO THAT:

= VARIANT I
- - -
---[ routerA pf.conf quotation start ]---
...
pass in log (to pflog1) on $if_clients-to-routerA from to tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---

---[ routerB pf.conf quotation start ]---
...
pass in log (to pflog1) on $if_routerB-to-routerA from to tag AUTHED
pass in log (to pflog1) route-to ($if_routerB-to-routerA $routerA_ip) tagged AUTHED
block to
...
---[ routerB pf.conf quotation end ]---

RESULTS: I see packets redirected to routerB, but there the packets are looping until the time to live is exceeded

= VARIANT II
- - -
---[ routerA pf.conf quotation start ]---
...
pass in log (to pflog1) on $if_clients-to-routerA from to tag TO_AUTH
pass in log (to pflog1) route-to ($if_routerA-to-routerB $routerB_ip) tagged TO_AUTH
...
---[ routerA pf.conf quotation end ]---

---[ routerB configuration quotation start ]---
rc.conf
static_routes="netX24"
route_netX24="-net A.B.C.0/24 $routerA_ip"

pf.conf
pass in log (to pflog1) on $if_routerB-to-routerA from to tag AUTHED
block to
---[ routerB configuration quotation end ]---

RESULTS: the same as for VARIANT I

= VARIANT III
- - -
something else ... may it relate to pfsync somehow?

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
[Q] is there way to use bgp-spamd.net?
hi,

is there a way to use BGP to block traffic, like it is described on
https://www.bgp-spamd.net/index.html

or even BGP feeds from spamhaus
https://www.spamhaus.org/news/article/683/spamhaus-releases-bgp-feed-bgpf-and-botnet-cc-list-bgpcc

--
Zeus V. Panchenko jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)