You keep-state after NAT. So on the outgoing request, what gets stateful are the IP addresses after NAT has translated them.
With the reply coming in, you again keep-state (that is, now, check the stateful rules) after NAT, which by then has already translated the addresses back into the internal LAN representation.
So the addresses are not necessarily the same, and the statefulness may not work.
Statefulness and NAT together are a pain. You may need to separate incoming and outgoing handling with branches (skipto). You should not use "via", but instead use explicit "recv" and "xmit", because "via" can be both, and that can have weird effects.
Then, if you do keep-state outgoing after NAT, you need to check-state incoming before NAT, to have the same addresses. Or the other way round. That means you cannot use allow on the keep-state, because the check-state will always do the very same action as the keep-state did, and that doesn't make sense if the other one happens before the NAT. Also, a successful check-state (that is not "allow") will then jump to the rule right after the originating keep-state and resume execution there. You may try to use record-state (which is a keep-state without implied check-state) to unmangle things a bit.
Overall, putting this together into something working is about as much fun as solving a magic cube.
That is why I built a machine that does it automatically (https://flowm.daemon.contact).
If I put your interfaces and only the DNS-UDP flow into the machine, it creates these - that would be a working example of how it can be done (but only a quick draft, there is still a lot of refinement to add - and this needs net.inet.ip.fw.one_pass=0).
Code:
/sbin/ipfw add 10 set 1 reass proto all in
/sbin/ipfw add 20 set 1 unreach6 admin-prohib log proto ip6 ext6hdr frag in
/sbin/ipfw add 30 set 1 count untag 65534 proto all
/sbin/ipfw add 40 set 1 skipto 360 proto all out
/sbin/ipfw add 50 set 1 skipto 130 proto all not recv ue0
/sbin/ipfw add 60 set 1 count proto all
/sbin/ipfw add 70 set 1 count proto all // 'Interface ue0 IN'
/sbin/ipfw add 80 set 1 count proto all
/sbin/ipfw add 90 set 1 call 65524 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 100 set 1 allow proto all src-ip 192.168.100.0/24 not dst-ip me not dst-ip 192.168.100.0/24 tagged 65534 // 'DNS-UDP[1]'
/sbin/ipfw add 110 set 1 unreach filter-prohib log proto ip4 // 'init END ue0'
/sbin/ipfw add 120 set 1 unreach6 admin-prohib log proto ip6 // 'init END ue0'
/sbin/ipfw add 130 set 1 skipto 340 proto all not recv igc0
/sbin/ipfw add 140 set 1 count proto all
/sbin/ipfw add 150 set 1 count proto all // 'Interface igc0 IN'
/sbin/ipfw add 160 set 1 count proto all
/sbin/ipfw add 170 set 1 call 200 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 180 set 1 skipto 240 proto all not src-ip me not src-ip 192.168.100.0/24 not dst-ip me not dst-ip 192.168.100.0/24 tagged 65534 // 'DNS-UDP[1]'
/sbin/ipfw add 190 set 1 skipto 220 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 200 set 1 check-state :f1r // 'DNS-UDP[1]'
/sbin/ipfw add 210 set 1 return proto all // 'DNS-UDP[1]'
/sbin/ipfw add 220 set 1 unreach filter-prohib log proto ip4 // 'init END igc0'
/sbin/ipfw add 230 set 1 unreach6 admin-prohib log proto ip6 // 'init END igc0'
/sbin/ipfw add 240 set 1 count untag 65534 proto all tagged 65534 // 'wan[FILTER]'
/sbin/ipfw add 250 set 1 divert 8668 proto all // 'wan[FILTER][NAT]'
/sbin/ipfw add 260 set 1 skipto 270 proto all // 'wan[FILTER]'
/sbin/ipfw add 270 set 1 call 300 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 280 set 1 allow proto all not src-ip me not src-ip 192.168.100.0/24 dst-ip 192.168.100.0/24 tagged 65534 // 'DNS-UDP[1]'
/sbin/ipfw add 290 set 1 skipto 320 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 300 set 1 check-state :f1 // 'DNS-UDP[1]'
/sbin/ipfw add 310 set 1 return proto all // 'DNS-UDP[1]'
/sbin/ipfw add 320 set 1 unreach filter-prohib log proto ip4 // 'post END igc0'
/sbin/ipfw add 330 set 1 unreach6 admin-prohib log proto ip6 // 'post END igc0'
/sbin/ipfw add 340 set 1 unreach filter-prohib log proto ip4
/sbin/ipfw add 350 set 1 unreach6 admin-prohib log proto ip6
/sbin/ipfw add 360 set 1 skipto 590 proto all not xmit igc0
/sbin/ipfw add 370 set 1 count proto all
/sbin/ipfw add 380 set 1 count proto all // 'Interface igc0 OUT'
/sbin/ipfw add 390 set 1 count proto all
/sbin/ipfw add 400 set 1 call 460 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 410 set 1 skipto 430 proto all src-ip 192.168.100.0/24 not dst-ip me not dst-ip 192.168.100.0/24 tagged 65534 // 'DNS-UDP[1]'
/sbin/ipfw add 420 set 1 skipto 520 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 430 set 1 count untag 65534 proto all tagged 65534 // '[FILTER] DNS-UDP[1]'
/sbin/ipfw add 440 set 1 divert 8668 proto all // '[FILTER][NAT] DNS-UDP[1]'
/sbin/ipfw add 450 set 1 skipto 480 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 460 set 1 check-state :f1 // 'DNS-UDP[1]'
/sbin/ipfw add 470 set 1 return proto all // 'DNS-UDP[1]'
/sbin/ipfw add 480 set 1 call 65494 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 490 set 1 allow proto all not src-ip me not src-ip 192.168.100.0/24 not dst-ip me not dst-ip 192.168.100.0/24 tagged 65534 // 'DNS-UDP[1]'
/sbin/ipfw add 500 set 1 unreach filter-prohib log proto ip4 // 'DNS-UDP[1]'
/sbin/ipfw add 510 set 1 unreach6 admin-prohib log proto ip6 // 'DNS-UDP[1]'
/sbin/ipfw add 520 set 1 unreach filter-prohib log proto ip4 // 'init END igc0'
/sbin/ipfw add 530 set 1 unreach6 admin-prohib log proto ip6 // 'init END igc0'
/sbin/ipfw add 540 set 1 count untag 65534 proto all tagged 65534 // 'wan[FILTER]'
/sbin/ipfw add 550 set 1 divert 8668 proto all // 'wan[FILTER][NAT]'
/sbin/ipfw add 560 set 1 skipto 570 proto all // 'wan[FILTER]'
/sbin/ipfw add 570 set 1 unreach filter-prohib log proto ip4 // 'post END igc0'
/sbin/ipfw add 580 set 1 unreach6 admin-prohib log proto ip6 // 'post END igc0'
/sbin/ipfw add 590 set 1 skipto 700 proto all not xmit ue0
/sbin/ipfw add 600 set 1 count proto all
/sbin/ipfw add 610 set 1 count proto all // 'Interface ue0 OUT'
/sbin/ipfw add 620 set 1 count proto all
/sbin/ipfw add 630 set 1 call 660 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 640 set 1 allow proto all not src-ip me not src-ip 192.168.100.0/24 dst-ip 192.168.100.0/24 tagged 65534 // 'DNS-UDP[1]'
/sbin/ipfw add 650 set 1 skipto 680 proto all // 'DNS-UDP[1]'
/sbin/ipfw add 660 set 1 check-state :f1 // 'DNS-UDP[1]'
/sbin/ipfw add 670 set 1 return proto all // 'DNS-UDP[1]'
/sbin/ipfw add 680 set 1 unreach filter-prohib log proto ip4 // 'init END ue0'
/sbin/ipfw add 690 set 1 unreach6 admin-prohib log proto ip6 // 'init END ue0'
/sbin/ipfw add 700 set 1 unreach filter-prohib log proto ip4
/sbin/ipfw add 710 set 1 unreach6 admin-prohib log proto ip6
/sbin/ipfw add 65484 set 1 return proto all
/sbin/ipfw add 65494 set 1 count tag 65534 proto udp dst-port 53 not src-ip me not src-ip 192.168.100.0/24 not dst-ip me not dst-ip 192.168.100.0/24 keep-state :f1r // 'DNS-UDP[1]'
/sbin/ipfw add 65504 set 1 return proto all // 'DNS-UDP[1]'
/sbin/ipfw add 65514 set 1 return proto all
/sbin/ipfw add 65524 set 1 count tag 65534 proto udp dst-port 53 src-ip 192.168.100.0/24 not dst-ip me not dst-ip 192.168.100.0/24 keep-state :f1 // 'DNS-UDP[1]'
/sbin/ipfw add 65534 set 1 return proto all // 'DNS-UDP[1]'
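The same ordering rules, written by hand for the one flow (LAN clients to external DNS over UDP/53) so the mechanism is visible without the generator's scaffolding. This is an added example, not the poster's flowm output nor the machine's conventions; it assumes ue0 is the LAN interface, igc0 the WAN interface, 192.168.100.0/24 the LAN net, natd listening on divert port 8668 and aliasing to the WAN interface address, net.inet.ip.fw.one_pass=0, and a FreeBSD with named dynamic states (keep-state :name) plus call/return. The state name :wan, the tag number and the rule numbers are arbitrary choices. It runs as a dry run (IPFW=echo) unless you point IPFW at /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not the poster's generator output: a minimal hand-written
# ipfw ruleset for one flow (LAN -> external DNS, UDP/53) that keeps state on
# the post-NAT (public) side of the outgoing packet and checks it on the
# pre-NAT side of the reply, so both see the same addresses.
# Assumed: LAN=ue0, WAN=igc0, LAN net 192.168.100.0/24, natd on divert 8668
# aliasing to the WAN address, net.inet.ip.fw.one_pass=0 (reinjected packets
# continue at the rule after the divert). Dry run by default: IPFW=echo prints
# the rules; IPFW=/sbin/ipfw loads them.

IPFW="${IPFW:-echo}"
LAN="${LAN:-ue0}"
WAN="${WAN:-igc0}"
LANNET="${LANNET:-192.168.100.0/24}"
NATPORT="${NATPORT:-8668}"
TAG="${TAG:-1}"     # packet tag that carries "state matched" out of a subroutine

rule() { "$IPFW" add "$@"; }

ruleset() {
    # Dispatch: reassemble, then split by direction; inbound by recv, outbound by xmit.
    rule 100 reass proto all in
    rule 110 skipto 1000 proto all out

    # LAN in (pre-NAT, private addresses): only DNS queries may leave.
    rule 200 skipto 300 proto all not recv "$LAN"
    rule 210 allow proto udp dst-port 53 src-ip "$LANNET" not dst-ip me not dst-ip "$LANNET"
    rule 220 deny log proto all

    # WAN in, BEFORE the divert: the reply still carries the public address
    # that rule 2100 recorded. The subroutine comes back with the packet
    # tagged if the state matched; that tag is the only decision made here.
    rule 300 skipto 900 proto all not recv "$WAN"
    rule 310 call 2000 proto all
    rule 320 skipto 400 proto all tagged "$TAG"
    rule 330 deny log proto all
    # Matched reply: drop the tag, translate back to the private address, pass.
    rule 400 count untag "$TAG" proto all tagged "$TAG"
    rule 410 divert "$NATPORT" proto all
    rule 420 allow proto udp src-port 53 dst-ip "$LANNET"
    rule 430 deny log proto all
    rule 900 deny log proto all

    # WAN out: translate first, then record state on the post-NAT 5-tuple.
    rule 1000 skipto 1100 proto all not xmit "$WAN"
    rule 1010 divert "$NATPORT" proto all
    rule 1020 call 2100 proto all
    rule 1030 allow proto all tagged "$TAG"
    rule 1040 deny log proto all

    # LAN out (after reverse NAT, private dst): the translated reply.
    rule 1100 skipto 1200 proto all not xmit "$LAN"
    rule 1110 allow proto udp src-port 53 dst-ip "$LANNET"
    rule 1120 deny log proto all
    rule 1200 deny log proto all

    # Subroutines. The state rule's action is 'count tag', never 'allow': when
    # check-state at 2000 matches, ipfw runs rule 2100's action (tagging the
    # packet) and resumes at 2110, whose 'return' goes back to the rule after
    # the call. An 'allow' there would pass the WAN-in reply untranslated.
    rule 2000 check-state :wan
    rule 2010 return proto all
    rule 2100 count tag "$TAG" proto udp dst-port 53 not src-ip "$LANNET" not dst-ip "$LANNET" keep-state :wan
    rule 2110 return proto all
}

ruleset
```

Both directions go through the same subroutine trick: the caller never sees the state rule's action directly, only whether the packet came back tagged, so the decision of what to do with a matched packet (translate, then allow) stays in the branch that knows which side of NAT it is on. The `untag` before the inbound divert is deliberate; tags are not something to rely on across the natd round trip.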