PF Conflict loading rules on boot with wireguard interface

Hello everybody,


I have a problem loading my firewall rules at boot time. The rules are below:

Code:
vpn_if = wg0
nat on $ext_if from $vpn_if:network to any -> ($ext_if:0)


The conflict occurs because the PF firewall is loaded before the VPN interface wg0 exists, so it fails and no firewall rules are loaded. To avoid this issue, I reload the firewall rules once the interface is up. If somebody wants to know how to do it, I'm leaving an example:

Code:
[Interface]
Address = 10.6.0.1/24
ListenPort = 51820
PrivateKey = XXXXXXXXXXX
PostUp = pfctl -f /etc/pf.conf

Does anybody know how to do this better without the wireguard interface trick?

Can I change the system load order to prevent this problem?

Thanks all.
I found the solution:

Edit the file /usr/local/etc/rc.d/wireguard and add this content:
Code:
# REQUIRE: FILESYSTEMS netif pflog pfsync routing route6d
# BEFORE: pf

You can check the boot order with:
Code:
$ rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
...
/usr/local/etc/rc.d/wireguard
/etc/rc.d/pf
...

That's all!!
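To see how rcorder(8) derives that order from the PROVIDE/REQUIRE/BEFORE headers, here is a small Python model (an added example, not code from the thread or from FreeBSD) using constructed headers for the scripts named above; the wireguard entry carries the REQUIRE/BEFORE lines from the post, and pf_after_wireguard is the check made by eye on the rcorder output.

```python
import re
# Constructed rc.d headers (not copied from a real system): the wireguard
# script carries the REQUIRE/BEFORE lines from the thread; the other scripts
# are minimal stand-ins so that every REQUIRE keyword has a provider.
SCRIPTS = {
    "/etc/rc.d/FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n",
    "/etc/rc.d/netif": "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n",
    "/etc/rc.d/pflog": "# PROVIDE: pflog\n# REQUIRE: netif\n",
    "/etc/rc.d/pfsync": "# PROVIDE: pfsync\n# REQUIRE: netif\n",
    "/etc/rc.d/routing": "# PROVIDE: routing\n# REQUIRE: netif\n",
    "/etc/rc.d/route6d": "# PROVIDE: route6d\n# REQUIRE: routing\n",
    "/etc/rc.d/pf": "# PROVIDE: pf\n# REQUIRE: FILESYSTEMS netif pflog pfsync\n",
    "/usr/local/etc/rc.d/wireguard": (
        "# PROVIDE: wireguard\n"
        "# REQUIRE: FILESYSTEMS netif pflog pfsync routing route6d\n"
        "# BEFORE: pf\n"
    ),
}

KEYWORD = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)

def parse_headers(text):
    """Return {keyword: [names]} for the rcorder(8) keywords found in a script."""
    found = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, names in KEYWORD.findall(text):
        found[key] += names.split()
    return found

def rcorder(scripts):
    """Order scripts like rcorder(8): after the providers of REQUIRE, before those of BEFORE."""
    headers = {path: parse_headers(text) for path, text in scripts.items()}
    provider = {n: path for path, h in headers.items() for n in h["PROVIDE"]}
    after = {path: set() for path in scripts}  # path -> scripts that must run first
    for path, h in headers.items():
        after[path].update(provider[n] for n in h["REQUIRE"] if n in provider)
        for n in h["BEFORE"]:
            if n in provider:
                after[provider[n]].add(path)
    order = []
    while after:
        ready = sorted(p for p, deps in after.items() if not deps)
        if not ready:  # every remaining script waits on another one: a dependency loop
            raise ValueError("circular dependency among: %s" % sorted(after))
        order += ready
        after = {p: deps - set(ready) for p, deps in after.items() if p not in ready}
    return order

def pf_after_wireguard(order):
    """The check the thread makes by eye on rcorder output: wireguard must precede pf."""
    return order.index("/usr/local/etc/rc.d/wireguard") < order.index("/etc/rc.d/pf")
```

Running it with the BEFORE: pf line removed puts pf ahead of wireguard, and adding an opposite BEFORE/REQUIRE edge between two of the scripts makes rcorder() raise on the resulting loop, which is the case to watch for when editing a port's rc script.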