PF+OpenVPN+tap
Henry Graterol
hgratp at gmail.com
Fri Aug 13 22:17:47 UTC 2010
Hello,

Before I start let me state that I am not an expert on FreeBSD; I do
enjoy it and consider it a hobby, and love it!

I have a problem. I use a FreeBSD server behind a router/gateway to
connect clients with OpenVPN. I started to notice weird traffic, so I
decided to try PF to control traffic. My OpenVPN setup uses a tap
adapter and a bridge adapter bridging the vpnclient_ips and the server_ip.
Without PF everything works fine, so no problem there. When I activate
PF I can establish a connection to the server_ip from outside through the VPN,
but I cannot ping, connect to clients or reach the internet. After trial and
error the setup that worked for me was to skip filter on bridge0 and
tap0. With this in my configuration the VPN worked as before.

Now the problem: when I reboot the system my VPN allows connections but
repeats the past scenario (no ping, no connection to clients, no internet,
etc.). The fix I have found is to let the system reboot and then issue a
pfctl -f /etc/pf.conf to reload the rules. Then everything works again.
My guess is that PF is loading before the bridge and tap adapters come
up, so that is somehow skipped from loading. My tap connection is set up
to come up from a script when it gets a connection from OpenVPN.
Is this a correct guess? What else could be the problem?

Thank you in advance for your feedback!
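The symptom in the post (the VPN half-working after a reboot until `pfctl -f /etc/pf.conf` is run by hand) is what you see when PF loads its rule set at boot before tap0 and bridge0 exist, so the `set skip on` lines for those interfaces have nothing to attach to. The script below is an added example and is not code from the original post, from FreeBSD or from OpenVPN: it is an OpenVPN "up" hook that attaches the tap to the bridge, reloads the PF rules at that moment, and verifies that both interfaces are now marked `(skip)` in `pfctl -vs Interfaces`. The interface names bridge0 and tap0, the rule file path /etc/pf.conf, and the convention that OpenVPN passes the tap device name as the first argument to the up script are assumptions for the example; the `PFCTL` and `IFCONFIG` variables exist only so the logic can be dry-run with stubs.

```shell
#!/bin/sh
# Added example, not code from the original post. An OpenVPN "up" hook for
# the tap + bridge layout described in the thread. The reported symptom
# (VPN half-working after a reboot until "pfctl -f /etc/pf.conf" is run)
# matches PF loading its rules at boot before tap0/bridge0 exist, so the
# "set skip" lines for those interfaces are not in effect. Reloading the
# rule set from the hook that brings the interfaces up closes that window.
#
# Assumptions (not from the post): interface names bridge0 and tap0, the
# rule file /etc/pf.conf, and that OpenVPN passes the tap device name as
# the first argument to the up script.

PF_CONF="${PF_CONF:-/etc/pf.conf}"
PFCTL="${PFCTL:-pfctl}"          # overridable so the logic can be dry-run
IFCONFIG="${IFCONFIG:-ifconfig}"

# pf.conf fragment that exempts the bridge and tap from filtering, the
# setting the post found necessary ("skip filter on bridge0 and tap0").
pf_skip_fragment() {
    printf 'set skip on { %s %s }\n' "$1" "$2"
}

# Add the tap as a bridge member and bring both interfaces up.
bridge_attach() {
    bridge="$1" tap="$2"
    "$IFCONFIG" "$bridge" addm "$tap" up && "$IFCONFIG" "$tap" up
}

# Reload the rule set, then confirm each named interface is listed with the
# "(skip)" flag in "pfctl -vs Interfaces"; return 1 if any one is missing.
pf_reload_and_check() {
    conf="$1"; shift
    "$PFCTL" -f "$conf" || return 1
    for ifn in "$@"; do
        "$PFCTL" -vs Interfaces | grep -q "^${ifn} (skip)" || return 1
    done
    return 0
}

# Entry point used by OpenVPN ("up /path/to/this.sh", with script-security 2).
main() {
    tap="$1"
    bridge="${BRIDGE_IF:-bridge0}"
    bridge_attach "$bridge" "$tap" || exit 1
    pf_reload_and_check "$PF_CONF" "$bridge" "$tap" || {
        echo "pf reload did not apply skip on $bridge/$tap" >&2
        exit 1
    }
}

# Only act when invoked with OpenVPN's arguments (tap device name first);
# sourcing or running the file without arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The check at the end is the part worth keeping even if the rest is restructured: after any reload, `pfctl -vs Interfaces` should show both bridge0 and tap0 with `(skip)`, and a boot where they are absent from that list is exactly the state the post describes. The alternative of loading PF after the interfaces exist (for example, creating the tap and bridge statically in rc.conf rather than from the OpenVPN script) removes the ordering problem instead of compensating for it.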