Re: How to Force Packet Traversal Order (IPFW2 => PF)
- In reply to: Martin Beran : "Re: How to Force Packet Traversal Order (IPFW2 => PF)"
Date: Mon, 02 Aug 2021 08:38:06 UTC
Thank you all, I did further research and found the same issue (Multi WAN + Captive Portal not working when pf+ipfw are enabled at the same time) on OPNsense.

The first mention is here:
https://github.com/opnsense/core/issues/1166

Here is the OPNsense solution:
https://git.furworks.de/opensourcemirror/opnsense-src/commit/83fd8a61b942d84f553e53127c4be02b318f7cf4
https://reviews.freebsd.org/D8109

I will try the solutions in the links above and hope this helps me and others.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, August 1st, 2021 at 1:19 AM, Martin Beran <martin@mber.cz> wrote:

> On Fri, 30 Jul 2021 at 13:41, alfadev via freebsd-ipfw <freebsd-ipfw@freebsd.org> wrote:
>
> > Hi,
> >
> > I have to use both IPFW and PF at the same time on my FreeBSD 12.2 gateway.
> >
> > According to my observations, the firewalls follow this order in all of my
> > scenarios: PF => IPFW2. I see this exactly when I use PF's route-to option.
> >
> > When I create a load-balancing rule using PF's route-to, packets do not
> > enter IPFW. So when I do PBR, IPFW rules like MAC-based piping, bandwidth,
> > captive portal etc. do not work.
> >
> > So I am trying to get this order:
> >
> > input => ipfw => pf
> >
> > but I think I cannot change this order without touching the kernel level.
> >
> > When I did some research I found this:
> >
> > https://www.opennet.ru/tips/info/1431.shtml
>
> I think that you do not need to touch kernel source, nor build a custom
> kernel. The order of calling packet filtering modules depends on the order
> of registering the modules to packet processing hooks. Instead of loading
> the modules by their respective startup scripts, you can load them in the
> required order by including them in /etc/rc.conf in variable kld_list. I do
> not remember if the order of calling is the same or the opposite of the
> order of module loading.
>
> Martin Beran
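Added example, not part of the thread: a small shell check that reads `kldstat` output and reports which of two modules was loaded first, for confirming that a `kld_list` ordering in /etc/rc.conf as suggested in the quoted reply actually took effect after a reboot. It assumes both firewalls are loaded as `.ko` modules (not compiled into the kernel) and that `kldstat` Ids increase with load order; the function names and the sample listing are constructed for illustration, and the check says nothing about whether hook call order matches or reverses load order.

```shell
# Constructed sample of `kldstat` output (not captured from a real host).
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   14 0xffffffff80200000  2448f20 kernel
 2    1 0xffffffff82819000    22a28 ipfw.ko
 3    1 0xffffffff8283c000    5a1c8 pf.ko'

# Print the named modules in load order (ascending kldstat Id), one per line.
# Reads kldstat output on stdin. Modules that are compiled into the kernel
# or not loaded do not appear in the listing and are silently skipped.
kld_load_order() {
    awk -v want="$*" '
        BEGIN {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) wanted[w[i] ".ko"] = 1
        }
        # Skip the header line; column 1 is Id, column 5 is the file name.
        NR > 1 && ($5 in wanted) { sub(/\.ko$/, "", $5); print $1, $5 }
    ' | sort -n | awk '{ print $2 }'
}

# Return 0 if module $1 was loaded before module $2, 1 if it was loaded
# after, and 2 if either module is missing from the listing on stdin.
loaded_before() {
    order=$(kld_load_order "$1" "$2")
    first=$(printf '%s\n' "$order" | sed -n 1p)
    second=$(printf '%s\n' "$order" | sed -n 2p)
    [ -n "$first" ] && [ -n "$second" ] || return 2
    [ "$first" = "$1" ]
}
```

On a live gateway the call would be `kldstat | loaded_before ipfw pf`; an exit status of 2 means at least one of the two is not a loaded module, so `kld_list` ordering does not apply to it.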