PF Wireguard, pf, nat and FIBS

Hello,

I want to change my firewall (FW) because it's not a freebsd machine.

The freebsd machine will become my new firewall.
The version is "13.2-RELEASE-p8 FreeBSD 13.2-RELEASE-p8 GENERIC amd64".

I want to create a Wireguard VPN tunnel between my new firewall and the outside, but only for some PCs in my network.

My network for test

FW - freebsd +- PC
|_ PC1

IP of FW
@WAN
192.168.150.242

IP of freebsd
192.168.150.29
192.168.50.242

IP of PCs
192.168.50.176
192.168.50.177


with pf.conf like

Code:
LAN="ue0"
VPN="wg0"
wg_ports="{48040}"
set skip on lo0
nat log on $VPN from $LAN:network -> $VPN
pass log quick ridentifier 4

All is OK, all traffic passes through the VPN.

Now, I add
sysctl net.fibs=2
sysctl net.add_addr_allfibs=1


I change the wg0.conf by adding route=1

I restart the network (service netif restart) and wireguard.

Now, I have 2 routing tables (FIBs)

netstat -r4nF0
default 192.168.150.242 UGS re0
10.140.1.0/24 link#6 U wg0

10.140.1.24 link#6 UHS lo0
127.0.0.1 link#2 UH lo0
192.168.50.0/24 link#5 U ue0
192.168.50.242 link#5 UHS lo0
192.168.150.0/24 link#1 U re0
192.168.150.29 link#1 UHS lo0


netstat -r4nF1

default link#6 US wg0
10.140.1.0/24 link#6 U wg0
127.0.0.1 link#2 UH lo0
192.168.50.0/24 link#5 U ue0
192.168.50.242 link#5 UHS lo0
192.168.150.0/24 link#1 U re0
192.168.150.29 link#1 UHS lo0



The new pf.conf file is

Code:
LAN="ue0"
WAN="re0"
VPN="wg0"
wg_ports="{48040}"

table <ViaVPN> { }
ViaVPN = "<ViaVPN>"


set skip on lo0

nat log on $VPN from $ViaVPN -> $VPN
nat log on $WAN from ! $ViaVPN tagged outVPN -> $WAN

match in log on $LAN from ! $ViaVPN tag outVPN no state ridentifier 4101001 label "WAN - match " rtable 0
match in log on $LAN from $ViaVPN tag inVPN  no state ridentifier 4101002 label "VPN - match " rtable 1

pass log quick ridentifier 4

I do a pfctl -t ViaVPN -T add 192.168.50.176, so I hope 192.168.50.176 passes through the VPN and 192.168.50.177 does not.

In the first test, a traceroute to www.meteociel.fr

from 192.168.50.176

Code:
traceroute to www.meteociel.fr (152.228.182.16), 64 hops max, 40 byte packets
 1  pf (192.168.50.242)  0.874 ms  0.429 ms  0.487 ms
 2  10.140.0.1 (10.140.0.1)  51.300 ms  51.485 ms  50.449 ms
...
16  meteociel.fr (152.228.182.16)  76.188 ms  75.054 ms  75.884 ms

from 192.168.50.177

Code:
traceroute to www.meteociel.fr (152.228.182.16), 64 hops max, 40 byte packets
 1  192.168.50.242 (192.168.50.242)  0.436 ms  0.455 ms  0.435 ms
 2  192.168.150.242 (192.168.150.242)  0.783 ms  0.666 ms  0.607 ms
...
14  meteociel.fr (152.228.182.16)  18.593 ms  18.312 ms  18.432 ms

The UDP acts as I want.

A second test: curl https://www.meteociel.fr

from 192.168.50.176 I never receive the html page.

The result of a tcpdump on my freebsd

Code:
tcpdump -vvvneti pflog0 host 152.228.182.16
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
rule 1/0(match) [ridentifier 4101002]: unkn(12) in on ue0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.50.176.38058 > 152.228.182.16.443: Flags [S], cksum 0x535b (correct), seq 3763380091, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1202541689 ecr 0], length 0
rule 2/0(match) [ridentifier 4]: pass in on ue0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.50.176.38058 > 152.228.182.16.443: Flags [S], cksum 0x535b (correct), seq 3763380091, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1202541689 ecr 0], length 0
rule 2/0(match) [ridentifier 4]: pass out on wg0: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.140.1.24.56652 > 152.228.182.16.443: Flags [S], cksum 0xf26d (correct), seq 3763380091, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1202541689 ecr 0], length 0

from 192.168.50.177, I receive the html page.

Where is my error?
Can you help me please?

Thx
 
Hello,
After searching a lot, I think the problem is around FIBs and routes, so I moved this thread to the networking topic.
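To see which route each FIB selects for the addresses in this thread, here is a small added example (my own, not part of the post): it parses the two netstat outputs quoted above and applies the kernel's longest-prefix match per table, which is what "rtable 0" and "rtable 1" in the pf rules choose between. One thing the tables themselves show: the host route for 10.140.1.24 (the wg0 address) exists only in FIB 0, so a lookup of that address in FIB 1 lands on the wg0 interface route instead of lo0.

```python
import ipaddress

# Constructed sample input: the two FIBs exactly as netstat -r4nF0 / -r4nF1 print them in the post.
FIB0 = """\
default 192.168.150.242 UGS re0
10.140.1.0/24 link#6 U wg0
10.140.1.24 link#6 UHS lo0
127.0.0.1 link#2 UH lo0
192.168.50.0/24 link#5 U ue0
192.168.50.242 link#5 UHS lo0
192.168.150.0/24 link#1 U re0
192.168.150.29 link#1 UHS lo0
"""
FIB1 = """\
default link#6 US wg0
10.140.1.0/24 link#6 U wg0
127.0.0.1 link#2 UH lo0
192.168.50.0/24 link#5 U ue0
192.168.50.242 link#5 UHS lo0
192.168.150.0/24 link#1 U re0
192.168.150.29 link#1 UHS lo0
"""

def parse_fib(text):
    """Turn netstat -rn lines into (network, gateway, flags, iface); bare hosts become /32."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers / blank lines
        dest, gw, flags, iface = parts
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append((net, gw, flags, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match within one FIB; returns (gateway, flags, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, iface)
    return best[1:] if best else None

def compare(dst):
    """Route chosen for dst in FIB 0 versus FIB 1 (what rtable 0 / rtable 1 select)."""
    return {0: lookup(parse_fib(FIB0), dst), 1: lookup(parse_fib(FIB1), dst)}

if __name__ == "__main__":
    for dst in ("152.228.182.16", "10.140.1.24"):
        print(dst, compare(dst))
```

On the FreeBSD box itself the same question is answered live with setfib 0 route get ADDR and setfib 1 route get ADDR.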
 