Hello,
I want to change my firewall (FW) because it's not a freebsd machine.
The freebsd machine will become my new firewall.
The version is "13.2-RELEASE-p8 FreeBSD 13.2-RELEASE-p8 GENERIC amd64".
I want to create a WireGuard VPN tunnel between my new firewall and the outside, but only for some PCs in my network.
My network for test
FW - freebsd +- PC
             |_ PC1
IP of FW
@WAN
192.168.150.242
IP of freebsd
192.168.150.29
192.168.50.242
IP of PCs
192.168.50.176
192.168.50.177
with a pf.conf like:
Code:
LAN="ue0"
VPN="wg0"
wg_ports="{48040}"
set skip on lo0
nat log on $VPN from $LAN:network -> $VPN
pass log quick ridentifier 4
All is OK, all traffic passes through the VPN.
Now, I add
sysctl net.fibs=2
sysctl net.add_addr_allfibs=1
I change the wg0.conf by adding route=1
I restart the network (service netif restart) and wireguard.
Now, I have 2 routing tables (FIBs):
netstat -r4nF0
default 192.168.150.242 UGS re0
10.140.1.0/24 link#6 U wg0
10.140.1.24 link#6 UHS lo0
127.0.0.1 link#2 UH lo0
192.168.50.0/24 link#5 U ue0
192.168.50.242 link#5 UHS lo0
192.168.150.0/24 link#1 U re0
192.168.150.29 link#1 UHS lo0
netstat -r4nF1
default link#6 US wg0
10.140.1.0/24 link#6 U wg0
127.0.0.1 link#2 UH lo0
192.168.50.0/24 link#5 U ue0
192.168.50.242 link#5 UHS lo0
192.168.150.0/24 link#1 U re0
192.168.150.29 link#1 UHS lo0
The new pf.conf file is
Code:
LAN="ue0"
WAN="re0"
VPN="wg0"
wg_ports="{48040}"
table <ViaVPN> { }
ViaVPN = "<ViaVPN>"
set skip on lo0
nat log on $VPN from $ViaVPN -> $VPN
nat log on $WAN from ! $ViaVPN tagged outVPN -> $WAN
match in log on $LAN from ! $ViaVPN tag outVPN no state ridentifier 4101001 label "WAN - match " rtable 0
match in log on $LAN from $ViaVPN tag inVPN no state ridentifier 4101002 label "VPN - match " rtable 1
pass log quick ridentifier 4
I do a
pfctl -t ViaVPN -T add 192.168.50.176
so, I hope 192.168.50.176 passes through the VPN and 192.168.50.177 does not.
In a first test, a
traceroute www.meteociel.fr
from 192.168.50.176
Code:
traceroute to www.meteociel.fr (152.228.182.16), 64 hops max, 40 byte packets
1 pf (192.168.50.242) 0.874 ms 0.429 ms 0.487 ms
2 10.140.0.1 (10.140.0.1) 51.300 ms 51.485 ms 50.449 ms
...
16 meteociel.fr (152.228.182.16) 76.188 ms 75.054 ms 75.884 ms
from 192.168.50.177
Code:
traceroute to www.meteociel.fr (152.228.182.16), 64 hops max, 40 byte packets
1 192.168.50.242 (192.168.50.242) 0.436 ms 0.455 ms 0.435 ms
2 192.168.150.242 (192.168.150.242) 0.783 ms 0.666 ms 0.607 ms
...
14 meteociel.fr (152.228.182.16) 18.593 ms 18.312 ms 18.432 ms
The UDP acts as I want.
A second test
curl https://www.meteociel.fr
From 192.168.50.176, I never receive the HTML page.
The result of a tcpdump on my FreeBSD:
Code:
tcpdump -vvvneti pflog0 host 152.228.182.16
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
rule 1/0(match) [ridentifier 4101002]: unkn(12) in on ue0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.50.176.38058 > 152.228.182.16.443: Flags [S], cksum 0x535b (correct), seq 3763380091, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1202541689 ecr 0], length 0
rule 2/0(match) [ridentifier 4]: pass in on ue0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.50.176.38058 > 152.228.182.16.443: Flags [S], cksum 0x535b (correct), seq 3763380091, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1202541689 ecr 0], length 0
rule 2/0(match) [ridentifier 4]: pass out on wg0: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.140.1.24.56652 > 152.228.182.16.443: Flags [S], cksum 0xf26d (correct), seq 3763380091, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1202541689 ecr 0], length 0
From 192.168.50.177, I receive the HTML page.
Where is my error?
Can you help me, please?
Thx
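As an added example (not from the post above and not a FreeBSD or pf tool), a small Python parser for the two-line `tcpdump -vvvneti pflog0` output shown in the post: it follows one LAN client's TCP SYN through the logged rules and reports which ridentifier tagged it on the way in, which interface and NAT source it left on, and whether a SYN-ACK ever came back in on that interface, which is the first thing to check when traceroute works but curl hangs. The sample input is constructed from the three records captured above, abridged after the TCP flags.

```python
import re

# One record from "tcpdump -vvvneti pflog0" spans two lines: the pf rule/IP header
# line and the transport line after it. A logged "match" rule prints as "unkn(12)".
HEADER_RE = re.compile(r"^rule \d+/\d+\(\w+\) \[ridentifier (?P<rid>\d+)\]: "
                       r"(?P<action>\S+) (?P<dir>in|out) on (?P<ifname>\w+):")
FLOW_RE = re.compile(r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\](?:.*?, seq (?P<seq>\d+))?")

def parse_pflog(text: str) -> list[dict]:
    """Pair header and flow lines into dicts; lines that do not pair up are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    recs = []
    for hdr, flow in zip(lines, lines[1:]):
        h, f = HEADER_RE.match(hdr), FLOW_RE.match(flow)
        if h and f:
            rec = {**h.groupdict(), **f.groupdict()}
            rec["rid"] = int(rec["rid"])
            rec["seq"] = int(rec["seq"]) if rec["seq"] else None   # TCP seq survives NAT
            recs.append(rec)
    return recs

def trace_syn(recs: list[dict], lan_host: str, dst: str) -> dict:
    """Follow one LAN client's SYN toward dst: rules seen on the way in, egress
    interface and NAT source (correlated by seq), and whether a SYN-ACK came back."""
    syn_in = [r for r in recs if r["dir"] == "in" and r["src"] == lan_host
              and r["dst"] == dst and r["flags"] == "S"]
    if not syn_in:
        return {"seen": False}
    seq = syn_in[0]["seq"]
    egress = next((r for r in recs if r["dir"] == "out" and r["seq"] == seq), None)
    synack = egress and any(r["dir"] == "in" and r["ifname"] == egress["ifname"]
                            and r["src"] == dst and r["flags"] == "S." for r in recs)
    return {"seen": True, "ingress_rids": [r["rid"] for r in syn_in],
            "egress_ifname": egress["ifname"] if egress else None,
            "nat_src": egress["src"] if egress else None, "synack_seen": bool(synack)}

# Constructed sample: the three records from the capture above, abridged after the flags.
SAMPLE = """\
rule 1/0(match) [ridentifier 4101002]: unkn(12) in on ue0: (tos 0x0, ttl 64, proto TCP (6), length 60)
192.168.50.176.38058 > 152.228.182.16.443: Flags [S], cksum 0x535b (correct), seq 3763380091, win 65535, length 0
rule 2/0(match) [ridentifier 4]: pass in on ue0: (tos 0x0, ttl 64, proto TCP (6), length 60)
192.168.50.176.38058 > 152.228.182.16.443: Flags [S], cksum 0x535b (correct), seq 3763380091, win 65535, length 0
rule 2/0(match) [ridentifier 4]: pass out on wg0: (tos 0x0, ttl 63, proto TCP (6), length 60)
10.140.1.24.56652 > 152.228.182.16.443: Flags [S], cksum 0xf26d (correct), seq 3763380091, win 65535, length 0
"""

if __name__ == "__main__":
    print(trace_syn(parse_pflog(SAMPLE), "192.168.50.176", "152.228.182.16"))
```

On the capture above it reports the SYN tagged by 4101002 and passed by 4, leaving wg0 as 10.140.1.24 with no SYN-ACK seen; run it on a longer capture to see whether the reply ever arrives on wg0 at all.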