Can't ping PF gateway.

A

adamBB

Hey guys

I am new to FreeBSD, I had a friend help me set up a a FreeBSD machine as a DHCP server and a gateway using PF Firewall. When I get leased an IP from the box I can no longer seem to ping/ssh into the FreeBSD box, but it still routes just fine and the rules work a charm.

Here are the current configurations:

/etc/rc.conf
Code: 
hostname="pathfinder"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
# -- sysinstall generated deltas -- # Fri May 31 04:15:56 2013
ifconfig_em0="inet 192.168.0.1  netmask 255.255.255.0"
ifconfig_em1="inet 192.168.1.1  netmask 255.255.255.0"
gateway_enable="YES"
defaultrouter="192.168.1.253"
hostname="pathfinder"
sendmail_enable="NONE"
openvpn_enable="YES"
openvpn_if="tun"
pf_enable="YES"                  # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf"         # rules definition file for pf
dhcpd_enable="YES"

ifconfig:
Code: 
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:64:22:51
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::a00:27ff:fe64:2251%em0 prefixlen 64 scopeid 0x1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:8e:e9:fa
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe8e:e9fa%em1 prefixlen 64 scopeid 0x3
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::a00:27ff:fe64:2251%tun0 prefixlen 64 scopeid 0x5
        inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 722

/etc/pf.conf
Code: 
lan_net="192.168.0.0/24"
int_if="em0"
ext_if="em1"
ext_if2="tun0"

gw1="192.168.1.254"
gw2="192.168.1.253"
gw3="10.8.0.1"

set skip on lo
scrub in all

nat on $ext_if from $lan_net -> $ext_if
nat on $ext_if2 from $lan_net -> $ext_if2

pass in quick on $int_if route-to ($ext_if $gw2)  from 192.168.0.20 to any

pass in quick on $int_if route-to ($ext_if2 $gw3) inet proto tcp from $lan_net to any port {80,443,25,110,22,6667}
pass in quick on $int_if route-to ($ext_if2 $gw3) inet proto udp from $lan_net to any port 53
pass in quick on $int_if route-to ($ext_if $gw1) from $lan_net to any

pass in all
pass out all


/usr/local/etc/dhcp.conf
Code: 
option domain-name "pathfinder.org";
option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;

log-facility local7;

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.129 192.168.0.200;
  option routers 192.168.0.1;
}


/usr/local/etc/openvpn/openvpn.conf
Code: 
client
dev tun
proto udp
remote 103.246.xxx.yyy 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert for-all-my-computers.crt
key for-all-my-computers.key
ns-cert-type server
comp-lzo
verb 3
 
Additionally, when doing a traceroute out of a machine it will not show the 192.168.0.1 gateway but instead will show the next hop:

Machine configuration:
Code: 
IPv4 Address. . . . . . . . . . . : 192.168.0.30
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

tracert google.com
Code: 
Tracing route to google.com [131.203.3.152]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  GW2 [192.168.1.253]
  2     4 ms     8 ms     4 ms  wagyu.lightwire.co.nz [114.134.15.253]
  3     3 ms     4 ms     3 ms  gw-gbk.rurallink.co.nz [114.134.15.222]
  4     5 ms     5 ms     7 ms  TenGigabitEthernet0-2-0-828.akkin-rt1.fx.net.nz

I would have expected to see the first hop being 192.168.0.1?
 
Hi @adamBB,

Welcome to the forums. Looking through the rules you are splitting the traffic to different gateways, based on source IP address, ports or DNS traffic.

I think the "skipping" of your server in the traceroute is based on the pf.conf, especially the route-to part.

Code: 
pass in quick on $int_if [color="Red"]route-to[/color] ($ext_if $gw2)  from 192.168.0.20 to any

pass in quick on $int_if [color="Red"]route-to[/color] ($ext_if2 $gw3) inet proto tcp from $lan_net to any port {80,443,25,110,22,6667}
pass in quick on $int_if [color="Red"]route-to[/color] ($ext_if2 $gw3) inet proto udp from $lan_net to any port 53
pass in quick on $int_if [color="Red"]route-to[/color] ($ext_if $gw1) from $lan_net to any

Try these rules without the route-to.

If I understand the section in pf.conf(5) correctly, those packets affected by route-to are directly transferred to the given address. And these rules only work one-way. As no protocol is specified even the ICMP packets get transferred (rule 1 if you have 192.168.0.20 or rule 4).

I have not used any route-to rule in my configurations, so I am not sure if you need a route back corresponding to the outgoing rule.

Does this make sense?
 
Last edited by a moderator:
Oh I understand now why the first hop will not be 192.168.0.1

So if I understand correctly the pf rules were that all traffic (including 192.168.0.1) gets pushed out the gateways rather than just simply reaching the machines?

I just added this rule above the filters and seems I can ping and access the FreeBSD box just fine now

Code: 
#pass in quick any packets destined for the FreeBSD gateway itself
pass in quick on $int_if from $lan_net to $int_if

Is this the proper solution? or is this a hack that should be avoided?
 
You must log in or register to reply here.
Back
Top