PF Route-to in PF breaks pfil processing order

Hello Everyone,

I am running FreeBSD 10.3-RELEASE-p7.

The setup I have is 2 WAN interfaces and 1 LAN interface. I have configured both IPFW (for traffic shaping and the captive portal) and PF for all other filtering and NAT rules.

em0 - LAN
em1 - WAN1
em2 - WAN2

My scenario is that as soon as a connection is made to a website, IPFW catches this port 80 traffic and redirects it to a captive portal listening on port 9000; after authentication via the captive portal succeeds, the traffic is passed on to PF for further processing.

Here are the relevant IPFW rules:
1. For Captive Portal
Code:
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em0
add 5000 allow ip from any to any dst-port 443 via em0
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em0
add 5000 allow ip from any to any dst-port 80 via em0
2. Allow authenticated traffic to PF
Code:
add 65533 pass ip from any to any
PF, upon receiving these packets, makes the connection to the website and it opens up.

As can be seen from the rule below:
Code:
pass in quick on em0 inet from 172.16.1.0/24 to any flags S/SA keep state
Everything works pretty well.

However, as soon as I apply a route-to rule in PF, the processing order breaks. So now, no longer does IPFW get the port 80 traffic to be redirected to port 9000. It simply passes it outside.

PF rule with route-to set:
Code:
pass in quick on em0 route-to (pppoe0 X.X.X.X) inet from 172.16.1.0/24 to any flags S/SA keep state
I require the processing to be such that, for incoming traffic, IPFW processes the packets first and then passes them on to PF. This works when route-to is not set.

Attached is a tcpdump that shows this.

Any help will be highly appreciated. I have been banging my head against this issue for days.
Attachment: Packet Capture.txt
Don't enable both firewalls at the same time. Their interaction will make things highly unpredictable.
 
pfSense manages to do that properly in their captive portal (which is IPFW based), so you might ask around their forums and mailing lists how they do it.
 
They have added a feature in the kernel to tweak this order. One can then change the order using sysctl(8).

Code:
sysctl net.inet.ip.pfil

net.inet.ip.pfil.inbound=pf, ipfw*
net.inet.ip.pfil.outbound=pf, ipfw*
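A small check for the order reported by that tunable, as an added example that is not from the thread or from pfSense: it parses a value in the format quoted above and tells you whether ipfw is hooked ahead of pf, which is what the captive-portal fwd rule in the first post needs. It assumes the pfSense-style `net.inet.ip.pfil.inbound` format; the `*` marker is simply stripped because the thread does not state its meaning.

```shell
# pfil_hooks VALUE -> prints the hook names in order, one per word.
# Accepts either "name=value" output or the bare value; the "*" marker
# is dropped (its meaning is not given in the thread, so nothing relies on it).
pfil_hooks() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's/\*//g' -e 's/,/ /g' | xargs
}

# pfil_first_hook VALUE -> name of the hook that appears first
pfil_first_hook() {
    set -- $(pfil_hooks "$1")
    printf '%s\n' "$1"
}

# pfil_ipfw_before_pf VALUE -> exit 0 when ipfw is listed before pf, 1 otherwise
pfil_ipfw_before_pf() {
    seen_pf=0
    for hook in $(pfil_hooks "$1"); do
        case "$hook" in
            pf)   seen_pf=1 ;;
            ipfw) [ "$seen_pf" -eq 0 ] && return 0 ;;
        esac
    done
    return 1
}

# Live check on a host that has the tunable. On a box without it (stock
# FreeBSD or non-FreeBSD) it falls back to the constructed sample value
# taken from the thread so the function still runs offline.
check_inbound_order() {
    value=$(sysctl -n net.inet.ip.pfil.inbound 2>/dev/null) || value="pf, ipfw*"
    if pfil_ipfw_before_pf "$value"; then
        echo "inbound pfil order OK for captive portal: ipfw before pf ($value)"
    else
        echo "inbound pfil order WRONG for captive portal: pf before ipfw ($value)"
        return 1
    fi
}
```

With the sample from the thread ("pf, ipfw*") the check reports the wrong order for the captive-portal setup described in the first post.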
 
Hi, I have the same problem. Did you find any solution for this?
I am curious about how to integrate those sysctl tunables into FreeBSD.
Any help would be appreciated.

regards
 
Kristof Provost has stated several times on these forums that running two firewalls like this is not a supported configuration.
 