Hi )
FreeBSD 14.1 - both sides
Firewall - Packet Filter (PF) - both sides
Sides IPSec tunnel
192.168.30.10 - side-A - work fine
192.168.40.10 - side-B - have problem with PF route-to option - below about this side.
Options sysctl on the both sides
Ping(icmp)
between side-A 192.168.30.10 <---> 192.168.40.10 side-B
Work fine.
The purpose of the task
Outgoing packets from source address 192.168.40.10(side-B) route in the ipsec-tunnel on interface ipsec0 to destination address 192.168.30.10(side-A)
After add rule in pf.conf
Standard
What else i tried ?
But PF rule "...route-to..." doesn't working.
Analysis problem on side-B 192.168.40.10
I used tcpdump for check and capture packets on interfaces
- incoming packets on ipsec0 interface
- outgoing packets from vtnet0(ext_if) interface
I decided check in general, does my solution work or not between side-A and side-B ?
Below how i checked.
I add route manually in table routing
Example IP - 200.100.100.200
Solution - work fine with static route.
Below tcpdump.
Test of solution - work, but doesn't universal variant.
Because needed dynamic access to any external ip
Why doesn't work PF route-to rule in pf.conf ?
FreeBSD 14.1 - both sides
Firewall - Packet Filter (PF) - both sides
Sides IPSec tunnel
192.168.30.10 - side-A - work fine
192.168.40.10 - side-B - have problem with PF route-to option - below about this side.
Options sysctl on the both sides
Code:
net.inet.ipsec.filtertunnel: 1
net.inet.ip.forwarding: 1Ping(icmp)
between side-A 192.168.30.10 <---> 192.168.40.10 side-B
Work fine.
The purpose of the task
Outgoing packets from source address 192.168.40.10(side-B) route in the ipsec-tunnel on interface ipsec0 to destination address 192.168.30.10(side-A)
pf.conf
Code:
pass out on vtnet0 route-to (ipsec0 192.168.30.10) from 192.168.40.10 to any
pass quick allAfter add rule in pf.conf
Standard
pfctl -f /etc/pf.confWhat else i tried ?
pfctl -F all -f /etc/pf.conf service pf restart service pf stop service pf start pfctl -d - disable pfctl -e - enableBut PF rule "...route-to..." doesn't working.
Analysis problem on side-B 192.168.40.10
I used tcpdump for check and capture packets on interfaces
- incoming packets on ipsec0 interface
- outgoing packets from vtnet0(ext_if) interface
# tcpdump -n -i ipsec0 icmp
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
18:36:15.965258 IP 200.100.100.200 > 192.168.40.10: ICMP echo request, id 47757, seq 19, length 64
18:36:16.969836 IP 200.100.100.200 > 192.168.40.10: ICMP echo request, id 47757, seq 20, length 64
18:36:17.983828 IP 200.100.100.200 > 192.168.40.10: ICMP echo request, id 47757, seq 21, length 64
18:36:18.986824 IP 200.100.100.200 > 192.168.40.10: ICMP echo request, id 47757, seq 22, length 64 # tcpdump -n -i vtnet0 icmp - here if i correct understand PF route-to rule must route packets from out vtnet0 and route in ipsec0 interface and dst ip 192.168.30.10
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:36:05.924095 IP 192.168.40.10 > 200.100.100.200: ICMP echo reply, id 47757, seq 9, length 64
18:36:06.924734 IP 192.168.40.10 > 200.100.100.200: ICMP echo reply, id 47757, seq 10, length 64
18:36:07.927318 IP 192.168.40.10 > 200.100.100.200: ICMP echo reply, id 47757, seq 11, length 64
18:36:08.929579 IP 192.168.40.10 > 200.100.100.200: ICMP echo reply, id 47757, seq 12, length 64
18:36:09.934936 IP 192.168.40.10 > 200.100.100.200: ICMP echo reply, id 47757, seq 13, length 64I decided check in general, does my solution work or not between side-A and side-B ?
Below how i checked.
I add route manually in table routing
route add any_external_ip 192.168.30.10Example IP - 200.100.100.200
route add 200.100.100.200 192.168.30.10Solution - work fine with static route.
Below tcpdump.
# tcpdump -n -i ipsec0 icmp
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type NULL (BSD loopback), capture size 262144 bytes
19:08:19.267201 IP 200.100.100.200 > 192.168.40.10: ICMP echo request, id 47757, seq 1935, length 64
19:08:19.267216 IP 192.168.40.10 > 200.100.100.200: ICMP echo reply, id 47757, seq 1935, length 64
19:08:20.268954 IP 200.100.100.200 > 192.168.40.10: ICMP echo request, id 47757, seq 1936, length 64
19:08:20.268985 IP 192.168.40.10 > 200.100.100.200: ICMP echo reply, id 47757, seq 1936, length 64
19:08:21.269307 IP 200.100.100.200 > 192.168.40.10: ICMP echo request, id 47757, seq 1937, length 64
19:08:21.269328 IP 192.168.40.10 > 200.100.100.200: ICMP echo reply, id 47757, seq 1937, length 64
19:08:22.270202 IP 200.100.100.200 > 192.168.40.10: ICMP echo request, id 47757, seq 1938, length 64
19:08:22.270220 IP 192.168.40.10 > 200.100.100.200: ICMP echo reply, id 47757, seq 1938, length 64
8 packets captured
10 packets received by filter
0 packets dropped by kernel # tcpdump -n -i vtnet0 icmp
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packet capturedTest of solution - work, but doesn't universal variant.
Because needed dynamic access to any external ip
Why doesn't work PF route-to rule in pf.conf ?