I am having issues with being able to connect to remote hosts that are on my VPN network. From 172.16.1.1, I attempt to connect to port 22 on 172.16.10.1. I can ping 172.16.10.1 from 172.16.1.1. When I do so, PF on 172.16.1.1 blocks the traffic and the log shows:
Code:
00:00:02.988936 rule 2..16777216/0(match): block in on gif1: 172.16.10.10.3389 > 172.16.1.204.60345: Flags [S.], seq 3184792111, ack 1547387879, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 19099025 ecr 12134732], length 0
My rules on 172.16.1.1 are as follows:
Code:
# MACROS
ext_if="re0"
int_if="re1"
internal_net="172.16.1.0/24"
# NORMALIZATION
scrub in all
# NETWORK ADDRESS TRANSLATION
nat on $ext_if from $internal_net to any -> ($ext_if)
# FILTERING
pass in all
pass out all
block in log all
pass quick on lo0 all
pass quick on $int_if all
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif1 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif1 from any to any
# ENABLE ICMP
pass in on $ext_if proto icmp all keep state
# IPV6
pass quick on gif0 proto icmp6 all keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
I would have thought the pass in quick on gif1 and pass out quick on gif1 would allow the traffic that PF is blocking; does anyone see anything obvious? 172.16.10.1 is accessed through 172.16.2.1, and 172.16.1.1 and 172.16.2.1 are connected via an IPsec VPN tunnel.
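A small helper for reading a pflog line like the one above against the ruleset that produced it, written as an added example for this thread (it is not code from the original post or from the pf project). The `rule N` field in pflog output is the rule's position in the loaded filter ruleset, the same `@N` number that `pfctl -vvsr` prints; the script counts `pass`/`block`/`match` lines in file order, skipping macros, `scrub` and `nat`, and expands `{ a, b, c }` lists because each list element becomes its own numbered rule. Macros such as `$ext_if` are left unexpanded (pfctl would show them substituted), and the endpoint parser assumes the IPv4 `a.b.c.d.port` form tcpdump prints. The handshake note relies on pf's documented default for pass rules without an explicit `flags` option (`flags S/SA`, state kept): such rules match only the initial SYN, so a SYN-ACK seen by the rule list, as in the logged packet, is one for which no state entry matched.

```python
"""Map a pflog line back to the pf.conf filter rule that produced it."""
import re
from itertools import product

# Constructed input: the pflog line from the post, re-joined onto one line.
SAMPLE_LOG = (
    "00:00:02.988936 rule 2..16777216/0(match): block in on gif1: "
    "172.16.10.10.3389 > 172.16.1.204.60345: Flags [S.], seq 3184792111, "
    "ack 1547387879, win 8192, options [mss 1460,nop,wscale 8,sackOK,"
    "TS val 19099025 ecr 12134732], length 0"
)

# The post's ruleset, embedded so the script runs offline.
SAMPLE_PF_CONF = """\
ext_if="re0"
int_if="re1"
internal_net="172.16.1.0/24"
scrub in all
nat on $ext_if from $internal_net to any -> ($ext_if)
# FILTERING
pass in all
pass out all
block in log all
pass quick on lo0 all
pass quick on $int_if all
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif1 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick on gif1 from any to any
pass in on $ext_if proto icmp all keep state
pass quick on gif0 proto icmp6 all keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
"""

# "rule N/reason(why)" without an anchor, "rule N.anchor.M/reason(why)" with one.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)"
    r"(?:\.(?P<anchor>[^.]*)\.(?P<subrule>\d+))?"
    r"/(?P<reason>\d+)\((?P<why>\w+)\): "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
FILTER_RE = re.compile(r"^(pass|block|match)\b")


def split_endpoint(text):
    """'172.16.10.10.3389' -> ('172.16.10.10', 3389); IPv4 form only (assumption)."""
    host, port = text.rsplit(".", 1)
    return host, int(port)


def parse_pflog_line(line):
    """Return the fields of one tcpdump-printed pflog line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    flags = FLAGS_RE.search(m.group("rest"))
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "ifname": m.group("ifname"),
        "src": split_endpoint(m.group("src")),
        "dst": split_endpoint(m.group("dst")),
        "flags": flags.group(1) if flags else None,
    }


def expand_lists(rule):
    """Expand every '{ a, b }' list into one rule per element, as pfctl does when loading."""
    parts = re.split(r"\{([^}]*)\}", rule)  # odd indices hold list bodies
    choices = []
    for i, part in enumerate(parts):
        if i % 2 == 1:
            choices.append([item.strip() for item in part.split(",") if item.strip()])
        else:
            choices.append([part])
    return ["".join(combo) for combo in product(*choices)]


def filter_rules(conf):
    """Filter rules in load order; index N corresponds to pflog 'rule N' (assumption: no anchors)."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line and FILTER_RE.match(line):
            rules.extend(expand_lists(line))
    return rules


def describe_flags(flags):
    """What the TCP flags say about the packet under pf's default 'flags S/SA' for pass rules."""
    if flags == "S":
        return "SYN (handshake start; can match a pass rule and create state)"
    if flags == "S.":
        return "SYN-ACK (reply; under default flags S/SA only an existing state passes it)"
    return "other (%s)" % flags


def explain(line, conf):
    """Join a pflog line with the ruleset: which rule fired and what kind of packet it was."""
    rec = parse_pflog_line(line)
    if rec is None:
        return None
    rules = filter_rules(conf)
    rec["rule_text"] = rules[rec["rule"]] if rec["rule"] < len(rules) else None
    rec["handshake"] = describe_flags(rec["flags"])
    return rec


if __name__ == "__main__":
    result = explain(SAMPLE_LOG, SAMPLE_PF_CONF)
    print("rule @%d: %s" % (result["rule"], result["rule_text"]))
    print("%s %s on %s, %s -> %s" % (result["action"], result["dir"], result["ifname"],
                                     result["src"], result["dst"]))
    print(result["handshake"])
```

Run it as-is to see the mapping for the logged packet; to use it on a live box, feed it lines from `tcpdump -n -e -ttt -i pflog0` and the output of `pfctl -sr` instead of the embedded samples.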