From nobody Sat Sep 11 11:59:05 2021
Date: Sat, 11 Sep 2021 13:59:05 +0200
From: kaycee gb
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Issue with packets routing/forwarding
X-Microsoft-Original-Message-ID: <20210911135905.6d7d8211@slackstro.home.lan>
X-Mailer: Claws Mail 3.17.6 (GTK+ 2.24.31; x86_64-slackware-linux-gnu)
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
Hello,

As I said in my previous message, with the configuration below, routing traffic via ue0 (mobile data) works.
Once I delete the ue0 routes (so using the default routes for everything), I use the ADSL line and traffic from the jail does not work anymore.
But ...

On Thu, 9 Sep 2021 20:02:18 +0200, kaycee gb wrote:

> At the top of my pf.conf file, I have these lines
>
> ...
> > no nat on $VSW from $proxout
> > nat on $phone_if tag PROXOUT tagged PROXOUTNAT -> ( $phone_if )
> > nat on $lan_if tag PROXOUT tagged PROXOUTNAT -> $lan_ip
> >
> > pass out log quick on $VSW \
> >     proto tcp from $proxout to port {80, 443} user 100 tag PROXOUT100 no state
> > pass in log quick on $VSW tagged PROXOUT100 tag PROXOUTNAT rtable 0
> > pass out log quick on $phone_if tagged PROXOUT rtable 0
> > pass out log quick on $lan_if tagged PROXOUT rtable 0
> >
> > block log quick from 109.0.64.169
> > block log quick to 109.0.64.169
>

... if I change the pf configuration from the above to this:

> table const {192.168.1.0/24, 172.16.93.0/24 }
> no nat on $VSW from $proxout to
> nat on $VSW from $proxout tag PROXOUTVSW -> $lan_ip
> nat log on $phone_if from any to any -> ( $phone_if )
>
> pass out log quick on $VSW \
>     proto tcp to port {80, 443} tagged PROXOUTVSW user 100 rtable 0 no state
> block log quick from 109.0.64.169
> block log quick to 109.0.64.16

traffic from the jail works as expected via the ADSL line.
If I add some routes via the mobile network, this traffic does not work.
I see packets that leave the host via the ue0 interface natted to $lan_ip.
I am unable to catch and nat that traffic a second time (even with the "no state" option in the pass rule).

> # tcpdump -qni ue0 host 109.0.64.169 and port 80
> 13:44:23.687040 IP 192.168.1.50.62336 > 109.0.64.169.80: tcp 0
> 13:44:26.960826 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
> 13:44:29.960986 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
> 13:44:33.162041 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
> 13:44:36.361360 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
> 13:44:39.562045 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
> 13:44:42.761973 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
> 13:44:48.964016 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
> 13:45:01.163364 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
> 13:45:25.364943 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
>
> # tcpdump -tttteni pflog0
> 2021-09-11 13:44:26.960750 rule 0/0(match) [uid 100]: pass out on vsw0:
> 192.168.1.50.63442 > 109.0.64.169.80: Flags [S], seq 559879806, win 65535,
> options [mss 16344,nop,wscale 6,sackOK,TS val 31788278 ecr 0], length 0

So, again I am not sure if the issue is with routing or nat. Or maybe even something else.
I enabled loud debugging in pf, but that gave nothing helpful.
What are other options available to debug an issue like this?

K.
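One way to pursue the "what else can I check" question, as an added example that is not part of the post: a Python helper that joins a `tcpdump -qni ue0` capture with `tcpdump -tttteni pflog0` records by 4-tuple, so every flow leaving the uplink with a still-private source address is listed beside the pf decision pflog recorded for that same 4-tuple. The sample captures are constructed from the lines quoted above (interface names, uid and addresses are the post's own); a matching pflog entry on vsw0 with an identical 4-tuple on ue0 shows the uplink nat rule never rewrote the packet.

```python
import ipaddress
import re

# Constructed samples in the two formats the post shows: a `tcpdump -qni ue0`
# capture of the uplink and the first line of a `tcpdump -tttteni pflog0` record.
UE0_CAPTURE = """\
13:44:23.687040 IP 192.168.1.50.62336 > 109.0.64.169.80: tcp 0
13:44:26.960826 IP 192.168.1.50.63442 > 109.0.64.169.80: tcp 0
"""
PFLOG_CAPTURE = """\
2021-09-11 13:44:26.960750 rule 0/0(match) [uid 100]: pass out on vsw0: 192.168.1.50.63442 > 109.0.64.169.80: Flags [S], seq 559879806, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 31788278 ecr 0], length 0
"""

# "src.sport > dst.dport:" as tcpdump prints it for TCP/UDP
FLOW = r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
IFACE_RE = re.compile(r"^\S+ IP " + FLOW)
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\)(?: \[uid (?P<uid>\d+)\])?: "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): " + FLOW)

def flow_key(m):
    """4-tuple (src, sport, dst, dport) used to join the two captures."""
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def pflog_decisions(text):
    """Map each 4-tuple in pflog output to the (action, direction, interface,
    rule, uid) entries pf logged for it; uid is None when pf printed none."""
    decisions = {}
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            decisions.setdefault(flow_key(m), []).append(
                (m["action"], m["dir"], m["ifname"], m["rule"], m["uid"]))
    return decisions

def untranslated_on_uplink(capture, decisions):
    """Flows on the uplink whose source is still private (the uplink nat rule did
    not rewrite them), each paired with the pflog entries for the same 4-tuple."""
    report = {}
    for line in capture.splitlines():
        m = IFACE_RE.match(line)
        if m and ipaddress.ip_address(m["src"]).is_private:
            report[flow_key(m)] = decisions.get(flow_key(m), [])
    return report

if __name__ == "__main__":
    found = untranslated_on_uplink(UE0_CAPTURE, pflog_decisions(PFLOG_CAPTURE))
    for (src, sport, dst, dport), entries in found.items():
        print(f"untranslated {src}:{sport} -> {dst}:{dport}: {entries or 'no pflog record'}")
```

An empty list in the report means pf logged nothing for that flow on any interface, which separates "pf saw it and passed it untranslated" from "the packet never hit a logged rule".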