PF issues... So confused!

[jsutton78]

I'm having a strange PF issue that I can't seem to figure out. The basics are this... We have a 3 router configuration - 1 office router and 2 datacenter routers daisy chained together. We currently have everything up and working fine except a new subnet we just created. The new subnet works great passing through the office router to the other office subnets, and can even reach the first datacenter router. The problem starts when trying to reach the last router in the chain... Pings are successful, but any tcp traffic is refused. In troubleshooting we even enabled a "pass in all" rule to test, and traffic is still refused. We enabled "block in log (all)" and even with the pass in rule enabled, the source ip is still being logged in the block rule (and yes I know last match wins, so the pass in rule is after block in.)... Another thing is that traffic from the datacenter routers reaches the new subnet without any problems... Help please!

 

[pbd]

tcpdump -n -e -ttt -i pflog0

Can tell you which rule is blocking/passing the traffic. For example:

# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 [color="Red"]rule 3/0[/color](match): pass in on bce0: 10.5.65.222 > 10.5.120.15: ICMP echo request, id 512, seq 36176, length 40

Tells you, that it is the fourth rule (counting starts at 0). So:

# pfctl -sr | egrep 'block|pass' | sed -n [color="Red"]4[/color]p
pass in log quick on bce0 inet proto icmp all