Solved lagg failover device not working with my pf.conf any ideas ?

[NapoleonWils0n]

i have a lagg failover device set up on two machines
to automatically switch between wired and wireless when i unplug the ethernet cable

Chapter 34. Advanced Networking

Advanced networking in FreeBSD: basics of gateways and routes, CARP, how to configure multiple VLANs on FreeBSD, etc

docs.freebsd.org

however my pf.conf no longer works
it worked fine with the int_if set to ethernet device

i cant seem to find any documentation about using lagg and pf in the handbook

Chapter 33. Firewalls

FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER. This chapter covers how to define packet filtering rules, the differences between the firewalls built into FreeBSD and how to use them

docs.freebsd.org

and google isnt much use either

i have only changed 2 things

1 - int_if device in the pf.conf

int_if changed from

int_if="ue0" # usb to ethernet adaptor

int_if changed to

int_if="lagg0" # lagg0 failover

2 - lagg device set up in the rc.conf
listed below

i cant ping either machine
also trying to use netcat between the 2 machines using port 6881 also fails

nc -lv 6881

sockstat -l

USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
djwilcox nc         57507 3   tcp4   *:6881                *:*

to set up lagg failover the ethernet mac address is set to the mac address of the wifi card

i would have thought that its a pf issue
but ill be darned if i can figure out what it is

if anyone has any ideas on what the issue that would be great

here is the pf.conf which is the same on both machines

/etc/pf.conf

#=========================================================================#
# variables, macro and tables                                             #
#=========================================================================#

int_if="lagg0" # lagg0 failover
#int_if="ue0" # usb to ethernet adaptor
#int_if="bge0" # thunderbolt to ethernet adaptor
#int_if="wlan0" # iwlwifi
#int_if="wlan1" # ralink usb wifi
vpn_if="tun0" # vpn interface
all_networks="0.0.0.0/0"
vpn_network="$vpn_if:network"
# 6881, 6882 = transmission. 22000, 21025 = syncthing
tcp_services = "{ ntp, 6881, 22000 }" # tcp services - torrent
udp_services = "{ ntp, 6882, 21025 }" # udp services - torrent
icmp_types = "{ echoreq, unreach }"
tcp_state="flags S/SA keep state"
udp_state="keep state"

#table <internet> { $all_networks, !self, !$int_if:network } # internet
#table <lan> { $int_if:network, !self }                      # lan network
table <myself> { self }                                     # self
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
            172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
            192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
            203.0.113.0/24 }                         # broken networks

#=========================================================================#
# global policy                                                           #
#=========================================================================#

set block-policy drop
set loginterface $int_if
set fingerprints "/etc/pf.os"
set skip on lo0
scrub in all fragment reassemble no-df max-mss 1440
# nat jail
nat on $int_if from {lo1:network} to any -> ($int_if)
antispoof log quick for { lo $int_if } label "block_spoofing"

#=========================================================================#
# block                                                                   #
#=========================================================================#

block log all # block log all
block return out quick inet6 all tag IPV6 # block ipv6
block in quick inet6 all tag IPV6 # block ipv6

# block broken networks - turned off for synergy
# block in quick from { <martians> no-route urpf-failed } to any tag BAD_PACKET

#=========================================================================#
# anchors                                                                 #
#=========================================================================#

# emerging threats - anchor
#anchor "emerging-threats"
#load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

# openvpn - anchor
anchor "openvpn"

#=========================================================================#
# traffic tag                                                             #
#=========================================================================#

# icmp
pass inet proto icmp all icmp-type $icmp_types keep state tag ICMP

# Allow the tcp and udp services defined in the macros at the top of the file
pass in on $int_if inet proto tcp from any to ($int_if) port $tcp_services $tcp_state tag TCP_IN
pass in on $int_if inet proto udp from any to ($int_if) port $udp_services $udp_state tag UDP_IN

# outbound traffic
block out on $int_if all
pass out quick on $int_if all modulate state
#pass out quick on $int_if from <myself> to <lan> modulate state tag LAN_OUT
#pass out quick on $int_if from <myself> to <internet> modulate state tag INTERNET_OUT

routing table on Machine 1

netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS       lagg0
127.0.0.1          link#1             UH          lo0
192.168.1.0/24     link#3             U         lagg0
192.168.1.131      link#1             UHS         lo0

Machine 1 = Dell XPS 15 2019
Machine 2 = Macbook Air 2011

Machine 1 - rc.conf

# laggo failover device
# ethernet mac address set to wifi mac address
ifconfig_ue0="ether 78:2b:46:ee:27:a3"
wlans_iwlwifi0="wlan0"
ifconfig_wlan0="WPA"
create_args_wlan0="country GB"
cloned_interfaces="lagg0 lo1"
ifconfig_lagg0="up laggproto failover laggport ue0 laggport wlan0 DHCP"

Machine 2 - rc.conf

the ethernet mac address is set to the mac address of the wifi card

# laggo failover device - bwn                                        
# ethernet mac address set to wifi mac address                        
ifconfig_ue0="ether 04:0c:ce:d5:b0:ae"                                
cloned_interfaces="lagg0"                                            
wlans_bwn0="wlan0"                                                    
ifconfig_wlan0="WPA"                                                  
create_args_wlan0="country US regdomain FCC"                          
ifconfig_lagg0="up laggproto failover laggport ue0 laggport wlan0 DHCP"

Machine 1 config

GitHub - NapoleonWils0n/freebsd-root-xps: freebsd root dotfiles for dell xps 15 2019

freebsd root dotfiles for dell xps 15 2019. Contribute to NapoleonWils0n/freebsd-root-xps development by creating an account on GitHub.

github.com

Machine 2 config

GitHub - NapoleonWils0n/freebsd-root: freebsd root dot files for mac air

freebsd root dot files for mac air. Contribute to NapoleonWils0n/freebsd-root development by creating an account on GitHub.

github.com

ifconfig on Machine 1

lo1 is for my jails you can ignore that

lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=0
    ether 78:2b:46:ee:27:a3
    groups: wlan
    ssid Triangulum channel 11 (2462 MHz 11g) bssid 94:db:c9:78:9d:cb
    regdomain ETSI country GB authmode WPA2/802.11i privacy ON
    deftxkey UNDEF AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 30 bmiss 7
    scanvalid 60 protmode CTS wme roaming MANUAL
    parent interface: iwlwifi0
    media: IEEE 802.11 Wireless Ethernet DS/11Mbps mode 11g
    status: associated
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lagg0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=0
    ether 78:2b:46:ee:27:a3
    hwaddr 00:00:00:00:00:00
    inet 192.168.1.131 netmask 0xffffff00 broadcast 192.168.1.255
    laggproto failover lagghash l2,l3,l4
    laggport: wlan0 flags=5<MASTER,ACTIVE>
    groups: lagg
    media: Ethernet autoselect
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo1: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 10.10.0.1 netmask 0xffffff00
    inet 10.10.0.2 netmask 0xffffffff
    inet 10.10.0.3 netmask 0xffffffff
    inet 10.10.0.4 netmask 0xffffffff
    inet 10.10.0.6 netmask 0xffffffff
    inet 10.10.0.7 netmask 0xffffffff
    inet 10.10.0.8 netmask 0xffffffff
    inet 10.10.0.9 netmask 0xffffffff
    inet 10.10.0.10 netmask 0xffffffff
    inet 10.10.0.11 netmask 0xffffffff
    inet 10.10.0.12 netmask 0xffffffff
    inet 10.10.0.5 netmask 0xffffff00
    inet6 fe80::1%lo1 prefixlen 64 scopeid 0x4
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ue0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=80008<VLAN_MTU,LINKSTATE>
    ether 78:2b:46:ee:27:a3
    hwaddr 00:50:b6:10:e9:75
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

 

[NapoleonWils0n]

Euerka

found out why pf wasnt working with lagg and what the fix is

1- ifconfig after booting up when pf isnt working

ifconfig

lagg0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=0
        ether 78:2b:46:ee:27:a3
        hwaddr 00:00:00:00:00:00
        inet 192.168.1.131 netmask 0xffffff00 broadcast 192.168.1.255
        laggproto failover lagghash l2,l3,l4
        laggport: wlan0 flags=0<>
        groups: lagg
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

2- ifconfig with pf working

can you spot the difference

lagg0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=0
        ether 78:2b:46:ee:27:a3
        hwaddr 00:00:00:00:00:00
        inet 192.168.1.131 netmask 0xffffff00 broadcast 192.168.1.255
        laggproto failover lagghash l2,l3,l4
        laggport: wlan0 flags=0<>
        laggport: ue0 flags=5<MASTER,ACTIVE>
        groups: lagg
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

the difference is this line in the second example

laggport: ue0 flags=5<MASTER,ACTIVE>

heres the fix

restart the lagg0 interface

doas service netif restart lagg0

then restart pf

doas service pf restart

after that both ping and netcat work

took a lot of detective work to figure out what the issue was and the fix

next step is to run the commands automatically rather than manually

have to look at SirDice's example
and do some reading up

Post in thread 'When is rc.local run?'

Apr 17, 2019

Your solution is going to be removed next time you run an update.

It's actually quite simple. And easier to maintain, just create a /usr/local/etc/rc.d/beep:

#!/bin/sh

# REQUIRE: NETWORKING sshd
# PROVIDE: beep

. /etc/rc.subr

name="beep"
rcvar="${name}_enable"
start_cmd="beep_start"

: ${beep_enable:="NO"}

load_rc_config $name

beep_start () {
        echo -e "\a"
}

run_rc_command "$1"

Make sure it's executable: chmod +x /usr/local/etc/rc.d/beep.

This will run when NETWORKING and sshd are done, you should have network access by that time. Enable it...

• SirDice

• 

 

[sko]

I suspect that usb-interface isn't ready when rc sets up the interfaces from rc.conf. TBH I wouldn't use anything USB-connected if it is critical for a system - USB is just way too unreliable and unpredictable.

That being said, for bridge interfaces there is the autobridge_interfaces option that will attach newly created interfaces to a bridge. I wonder if this could also be implemented for lagg interfaces...

 

[NapoleonWils0n]

none of my laptops have an ethernet port

so i have to use a usb ethernet adaptor

rc.d netif restart lagg0 and pf

Solved Thread 'rc.d netif restart lagg0 and pf'

Nov 27, 2024

im using a lagg failover device
with a usb ethernet adaptor

the issue is the lagg0 device doesnt pick up the ethernet device in ifconfig
( post at the bottom explains the problem in detail )

it should have this line under lagg0 in ifconfig

laggport: ue0 flags=5<MASTER,ACTIVE>

but it doesnt, probably because its a usb to ethernet adaptor
so i have to manually run the following commands after login to get pf working

doas service netif restart lagg0
doas service pf restart

i have to use netif to restart lagg0 and then restart pf
if you just restart netif it clears the routes...

• NapoleonWils0n

 

[NapoleonWils0n]

fix on link above

 

[cy@]

Sadly, laptops no longer have ethernet ports. My wife's new Acer doesn't have one, neither does my employer's HP 840 G9, though there is one in the base station. My HP 840 G5 has one in the laptop and in the base station. Even business laptops are built cheaper by the year.

 

[NapoleonWils0n]

The last laptop i had with an ethernet port was a black macbook 2008

My Dell XPS 15 2019 i got doesnt have an ethernet port but it does have an hdmi port

i found that thunderbolt ports work for things like thunderbolt to ethernet dongles
but only if you boot up with them plugged in

and if you unplug the thunderbolt connection it crashes the system

 

[cy@]

My employer's HP 840 G9 and my G5 have a BIOS setting to allow the thunderbolt ports to be used as USB 3.0 ports. These are business laptops which have features not found on commodity laptops. It's certainly handy.

 

[sko]

A missing network interface is an absolute dealbreaker for me. When I work with a laptop, 90% of the time I *have* to have it hooked up to a wired network, especially because I often need to access multiple VLANs, so the oh-so-glorious wifi is at its absolute best a very inconvenient workaround. I can't even remember when I actually used the wifi on my laptop the last time...

It's annoying enough that you have to fumble around with those horrible usb-c docks all the time, because vendors cheap out on proper USB ports nowadays, but also using that crap for networking is simply out of the question for me. A considerable portion of the time I'm using a laptop, I'm standing/sitting in front of a Rack and have to troubleshoot something - i.e. I need to hook up some serial console via USB and connect to a switch. I absolutely don't want both of those connections dangling on some wonky usb-hub that gets unplugged at every wrong movement, all while also being screamed at by servers and switches...
The Thinkpad T16 I got last year is barely doing that job, as it only has 2 USB-A ports (I already got a USB-C rollover-cable, but this thing works only with ~50% of switches...) and one is usually occupied by the yubikey that holds the GPG-keys I need for pretty much everything from passwords to SSH logins.
I really had high hopes in the framework laptops, but their solution to connectivity was/is "very sub-optimal", diplomaticly speaking. So I hope some other project might emerge and offer a proper workhorse-laptop with decent connectivity by the time I need a new one (hopefully I still have a good 4-5 years until I have to go on that quest...)