23rd March 2011
Administrator
- All 10.x. networks are 10.x.0.0/24 except 10.8.0.0, which is 10.8.0.0/23. Is that correct?
- Names like ext_if, int_if and dev_if are defined, but the majority of the rules still use em0, em1 and em2. Makes it hard to understand
- What is the purpose of ?
Code:
block out on $IntIFs from <LocalNetworks>
Are you sure the direction is correct?
Code:
               i n t e r n e t
                IN        OUT
                |         /|\
                |        / | \
                |          |
                |          |
              \ | /        |
               \|/         |
     +----------|----------|-----------+
     |          |          |           |
     |   +--------------------+        |
     |   | external interface |        |
     |   +--------------------+        |
     |          |          /|\         |
     |          |         / | \        |
     |          |          |           |
     |          |    PF    |           |
     |          |          |           |
     |        \ | /        |           |
     |         \|/         |           |
     |   +--------------------+        |
     |   | internal interface |        |
     |   +--------------------+        |
     |          |          |           |
     +----------|----------|-----------+
                |         /|\
                |        / | \
                |          |
              \ | /        |
               \|/         |
               OUT        IN
           l o c a l n e t w o r k
- The tcp rule for the VPN traffic is not assigned to any queue on em1.
Could this be the culprit?
Code:
pass out on em1 inet proto tcp all flags S/SA keep state
- I prefer to group the rules by interface and then by direction
Code:
# === EXTERNAL INTERFACE ===
# --- IN
rules for incoming traffic on external interface
# --- OUT
rules for outgoing traffic on external interface
# === INTERNAL INTERFACE ===
# --- IN
rules for incoming traffic on internal interface
# --- OUT
rules for outgoing traffic on internal interface
# === DEV INTERFACE ===
# --- IN
rules for incoming traffic on dev interface
# --- OUT
rules for outgoing traffic on dev interface
You could make an exception for the vlan rules, and keep these together as they are.
- Have you tried to use pfctl to view the queues and the queue stats?
Code:
-s queue Show the currently loaded queue rules. When used
together with -v, per-queue statistics are also
shown. When used together with -v -v, pfctl will
loop and show updated queue statistics every five
seconds, including measured bandwidth and packets
per second.
- Does pfctl -vvs state show traffic that is not being assigned to a queue, while it should?
- The vlan rules can be generated easily with a script. Here I add 'quick' and 'inet' so 'inet6' traffic will not be passed:
Code:
# The first heredoc is quoted so the shell passes $ext_if through
# literally; pf expands the macro itself when the ruleset is loaded.
cat <<'END'
pass out quick on $ext_if tagged CLIENT1U queue client2_up
pass out quick on $ext_if tagged CLIENT2U queue client2_up
END
VALNS_PLACEHOLDER_REMOVED=
VLANS='2 3 4 5 6 7 8 9 10 11 12 13 14'
for X in ${VLANS} ; do
# This heredoc stays unquoted so ${X} is substituted for every VLAN.
cat <<END
#pass in quick on vlan${X} inet from 10.${X}.0.0/24 to any
#pass out quick on vlan${X} inet from { (vlan${X}), (carp${X}) }
pass in quick on vlan${X} inet from 10.${X}.0.0/24 to any tag CLIENT2U queue client2_dn
pass out quick on vlan${X} inet from { (vlan${X}), (carp${X}) } queue client2_dn
END
done
This will produce
Code:
pass out quick on $ext_if tagged CLIENT1U queue client2_up
pass out quick on $ext_if tagged CLIENT2U queue client2_up
#pass in quick on vlan2 inet from 10.2.0.0/24 to any
#pass out quick on vlan2 inet from { (vlan2), (carp2) }
pass in quick on vlan2 inet from 10.2.0.0/24 to any tag CLIENT2U queue client2_dn
pass out quick on vlan2 inet from { (vlan2), (carp2) } queue client2_dn
#pass in quick on vlan3 inet from 10.3.0.0/24 to any
#pass out quick on vlan3 inet from { (vlan3), (carp3) }
pass in quick on vlan3 inet from 10.3.0.0/24 to any tag CLIENT2U queue client2_dn
pass out quick on vlan3 inet from { (vlan3), (carp3) } queue client2_dn
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
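The queue check raised in the post (a pass rule on em1 with no queue while its neighbours have one), as an added example that is not the poster's code: a small Python lint that groups pf filter rules by interface and direction and reports the rules that lack a queue assignment where sibling rules use one. The pf.conf excerpt is constructed for the example; the rule it flags is the one quoted in the post.

```python
import re
from collections import defaultdict

# Constructed pf.conf excerpt (not the reviewed ruleset). Line 6 is the
# suspect rule from the post: outbound TCP on em1 without a queue.
SAMPLE_PF_CONF = """\
ext_if = "em0"
altq on em1 cbq bandwidth 10Mb queue { client2_dn, std_dn }
queue client2_dn bandwidth 6Mb cbq(borrow)
queue std_dn bandwidth 4Mb cbq(default)
pass out on em1 inet proto udp all keep state queue std_dn
pass out on em1 inet proto tcp all flags S/SA keep state
# pass out on em1 inet proto icmp all queue std_dn
pass out on em2 inet all keep state
"""

RULE_RE = re.compile(r"^(pass|block|match)\s+(in|out)\b(.*)$")
ON_RE = re.compile(r"\bon\s+(\S+)")
QUEUE_RE = re.compile(r"\bqueue\b")

def parse_rules(conf):
    """Yield (line_no, direction, interface, has_queue, text) for filter rules.

    Comments are stripped first, so commented-out rules are ignored; macro
    names such as $ext_if are kept verbatim as the interface.
    """
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        direction, rest = m.group(2), m.group(3)
        iface = ON_RE.search(rest)
        yield (n, direction, iface.group(1) if iface else None,
               QUEUE_RE.search(rest) is not None, line)

def find_unqueued_rules(conf):
    """Return (line_no, rule) for rules lacking 'queue' on an (interface,
    direction) pair where at least one sibling rule assigns a queue."""
    groups = defaultdict(list)
    for rule in parse_rules(conf):
        groups[(rule[2], rule[1])].append(rule)
    findings = []
    for rules in groups.values():
        if not any(r[3] for r in rules):
            continue  # queueing is not used on this interface/direction at all
        findings.extend((r[0], r[4]) for r in rules if not r[3])
    return findings

if __name__ == "__main__":
    for line_no, rule in find_unqueued_rules(SAMPLE_PF_CONF):
        print(f"line {line_no}: no queue assigned: {rule}")
```

Traffic matched by the reported rule falls into the interface's default queue, which is what the pfctl -vvs state check in the post would show.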