Solved ipfw allow pppoe traffic (mac-type 0x8863, 0x8864)

Hello.

I've set up my server (FreeBSD 10.2) to serve as a NAS (using MPD5) for PPPOE clients. Everything works fine with the firewall turned off, so the obvious thing is to turn it on and create some rules. I wanted 3 things for a start.

1) allow all traffic coming out of the server and back (stateful)
2) allow ssh traffic to the server and back (stateful)
3) allow pppoe traffic to the server and back (stateful)

However, I am unable to create a rule that would pass PPPOE traffic. I tried with various options (mac-type 0x8836, 0x8334, layer2, etc.), unsuccessfully. I would appreciate any pointers. Thanks!

Code:
# rc.conf
ifconfig_bge0="inet 10.1.1.2/24"
defaultrouter="10.1.1.1"
sshd_enable="YES"
mpd_enable="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"


Code:
#enabled ipfw layer2 filtering
sysctl net.link.ether.ipfw=1

Code:
#!/bin/sh
# /etc/ipfw.conf (run by rc.firewall via firewall_script)
ipfw -f flush
rule="ipfw -q add"
$rule 1 allow all from any to any via lo0
$rule 100 check-state
# layer2 rules only take effect with net.link.ether.ipfw=1
$rule 101 allow all from any to any layer2 mac-type arp keep-state
# ipfw lists are comma-separated with no spaces: 0x8863 = PPPoE Discovery, 0x8864 = PPPoE Session
$rule 102 allow all from any to any in via bge0 layer2 mac-type 0x8863,0x8864 keep-state
$rule 103 allow all from me to any out via bge0 keep-state
$rule 104 allow tcp from any to me 22 in via bge0 keep-state
# default deny (implicit rule 65535)

Code:
# mpd listening (never sees connection attempts with firewall on)
Sep  8 07:30:08 pppoe mpd: CONSOLE: listening on 127.0.0.1 5005
Sep  8 07:30:08 pppoe mpd: PPPoE: waiting for connection on bge0:, service "*"
 
As always, the reason is usually simple. In this case one of the devices that I took for testing was configured to use a VLAN, whereas my PPPOE server is listening on an untagged interface. Obviously removing the VLAN from the device makes it work. I don't even need to perform any layer2 filtering.
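The fix above comes down to what the first 14 bytes of the frame look like when it reaches the untagged interface. The following Python is an added example, not code from the thread or from the ipfw/mpd projects: it builds two constructed PPPoE PADI frames (one untagged, one on VLAN 100), parses the Ethernet header with and without an 802.1Q tag, and models a `layer2 mac-type 0x8863,0x8864` rule as a comparison against the outer ethertype only. That model is a simplification assumed here (it ignores hardware tag stripping); the MAC addresses and VLAN id are made up.

```python
import struct

# Ethertypes from the thread plus the 802.1Q tag type behind the fix.
ETH_P_8021Q = 0x8100
ETH_P_PPPOE_DISC = 0x8863
ETH_P_PPPOE_SESS = 0x8864
PPPOE_TYPES = {ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS}

# PPPoE discovery-stage codes (RFC 2516).
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Construct an Ethernet frame, optionally 802.1Q-tagged (sample data only)."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    # Tag: outer ethertype 0x8100, TCI with the VID in the low 12 bits, then the inner type.
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ethertype) + payload


def parse_ethernet(frame):
    """Return outer (wire) ethertype, VLAN id if tagged, effective ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, wire_type = struct.unpack("!6s6sH", frame[:14])
    vlan, ethertype, offset = None, wire_type, 14
    if wire_type == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "wire_type": wire_type, "vlan": vlan,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def pppoe_code_name(frame):
    """Name the PPPoE discovery packet in a frame, or None if it is not PPPoE discovery."""
    info = parse_ethernet(frame)
    if info["ethertype"] != ETH_P_PPPOE_DISC or len(info["payload"]) < 6:
        return None
    ver_type, code, _session, _length = struct.unpack("!BBHH", info["payload"][:6])
    if ver_type != 0x11:  # version 1, type 1
        return None
    return PPPOE_CODES.get(code, "unknown(0x%02x)" % code)


def matches_mac_type(frame, allowed):
    """Simplified model (assumption) of an ipfw 'layer2 mac-type' rule on an untagged
    interface: only the ethertype field of the outer header is compared, so a tagged
    frame presents 0x8100 and never matches a PPPoE-only rule."""
    return parse_ethernet(frame)["wire_type"] in allowed


# Constructed sample frames: a PADI from a client, untagged and on VLAN 100.
BROADCAST = bytes.fromhex("ffffffffffff")
CLIENT_MAC = bytes.fromhex("020000000001")  # locally administered, made up
PADI = bytes.fromhex("11" "09" "0000" "0004" "0101" "0000")  # empty Service-Name tag
SAMPLE_UNTAGGED = build_frame(BROADCAST, CLIENT_MAC, ETH_P_PPPOE_DISC, PADI)
SAMPLE_TAGGED = build_frame(BROADCAST, CLIENT_MAC, ETH_P_PPPOE_DISC, PADI, vlan=100)


def explain(frame):
    """One-line verdict for checking a captured frame against the rule in the thread."""
    info = parse_ethernet(frame)
    tag = "untagged" if info["vlan"] is None else "VLAN %d" % info["vlan"]
    verdict = "matches" if matches_mac_type(frame, PPPOE_TYPES) else "does NOT match"
    return "%s %s from %s, wire ethertype 0x%04x: %s mac-type 0x8863,0x8864" % (
        tag, pppoe_code_name(frame), info["src"], info["wire_type"], verdict)


if __name__ == "__main__":
    for sample in (SAMPLE_UNTAGGED, SAMPLE_TAGGED):
        print(explain(sample))
```

Running it prints one line per sample: the untagged PADI carries 0x8863 on the wire and matches, while the VLAN-tagged one carries 0x8100 and is silently outside the PPPoE rule, which is exactly why mpd never saw a connection attempt from that device. Feeding `parse_ethernet` the frames from a `tcpdump -e -i bge0` capture is a quick way to confirm which case a client is in before touching the ruleset.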