Hello,
I have a problem with my gateway: the hosts on the WiFi network cannot reach the hosts on the LAN network, and vice versa.
According to my pf rules, it should work.
Does anyone have an idea?
Below is a diagram of my simple network.
Code:
+-----+
+WiFi +
+--+--+
|
+--------+ +---+---+ +---+
+Internet+----+Gateway+----+LAN+
+--------+ +-------+ +---+
WiFi network is 192.168.2.0/24.
LAN network is 192.168.0.0/24.
On the gateway, the interfaces are:
- athn0 for the WiFi,
- em0 for Internet,
- em1 for the LAN.
I replaced the IP addresses and the network with "value", and the MAC addresses with "mac".
The routing table:
Code:
root@145 [12:36:08]:~$ route -n show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default value UGS 737 1392467194 - 8 em0
224/4 127.0.0.1 URS 0 328 32768 8 lo0
value/23 value UCn 1 0 - 4 em0
value mac UHLch 1 5171 - 3 em0
value mac UHLl 0 340127 - 1 em0
value value UHb 0 0 - 1 em0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 2 1938 32768 1 lo0
192.168.0/24 192.168.0.1 UCn 3 15944 - 4 em1
192.168.0.1 mac UHLl 0 537223 - 1 em1
192.168.0.20 mac UHLc 1 4024816 - 3 em1
192.168.0.30 mac UHLc 1 2743949 - 3 em1
192.168.0.60 mac UHLc 1 894938970 - 3 em1
192.168.0.255 192.168.0.1 UHb 0 1407 - 1 em1
192.168.2/24 192.168.2.1 UCn 0 5 - 8 athn0
192.168.2.1 mac UHLl 0 648 - 1 athn0
192.168.2.255 192.168.2.1 UHb 0 0 - 1 athn0
Below is my pf ruleset.
Code:
# pf.conf for the gateway: em0 = Internet, em1 = LAN (192.168.0/24),
# athn0 = WiFi (192.168.2/24). pf evaluates rules last-match-wins, except
# that a rule marked "quick" ends evaluation on its first match; the "quick"
# blocks in the "Bad packets" section therefore override everything after them.
#----------------------------
# Macros
#----------------------------
# Interface names. $LAN/$WIFI use "(if:network)": the parentheses make pf
# re-evaluate the network at runtime if the interface address changes.
EXT_IF="em0"
LAN_IF="em1"
WIFI_IF="athn0"
LOOPBACK="lo"
LAN="(em1:network)"
WIFI="(athn0:network)"
# Link capacities consumed by the queue definitions below.
DOWNLOAD="176600K"
UPLOAD="9200K"
# The only ICMP types ever passed anywhere in this ruleset.
ICMP_TYPE="{ echoreq unreach }"
# "value" placeholders were substituted by the author before posting.
PORT_BITTORRENT="value"
PORT_FTP_PROXY="8021"
PORT_IN_SSH="value"
PORT_UNPRIV="1024:65535"
SERVER_DHCP="{ value value 255.255.255.255/32 }"
# Internal host that receives every rdr-to below (BitTorrent, ssh, ICMP).
SERVER_P2P="192.168.0.60/32"
SERVER_SEEDBOX="value"
#----------------------------
# Tables
#----------------------------
# Filled at runtime by the "overload" clause of the inbound ssh rule; "persist"
# keeps the table across ruleset reloads. NOTE(review): nothing in this ruleset
# ages entries out, so the table only grows; expire old entries periodically
# (e.g. pfctl -t ABUSIVE_IPv4 -T expire <seconds>) — confirm that is intended.
table <ABUSIVE_IPv4> counters persist
# Last Updated : 2018-11-17
# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xml
# Contains 10/8, 172.16/12 and 192.168/16, so the two MARTIANS rules below
# reject any RFC 1918 source arriving on em0 and any RFC 1918 destination
# leaving via em0. "const" makes the table read-only at runtime.
table <MARTIANS> const counters persist { 0/8 10/8 100.64/10 127/8 169.254/16 172.16/12 192/24 192.0.0.0/29 192.0.0.8/32 192.0.0.170/32 192.0.0.171/32 192.0.2/24 192.88.99/24 192.168/16 198.18/15 198.51.100/24 203.0.113/24 240/4 }
#----------------------------
# Options
#----------------------------
# Blocked packets are silently dropped (no TCP RST / ICMP unreachable).
set block-policy drop
# NOTE(review): pf keeps a single loginterface, so of these three lines only
# the last one (athn0) is effective; the em0/em1 counters in "pfctl -s info"
# will not be collected. Keep one line, or name an interface group — confirm.
set loginterface $EXT_IF
set loginterface $LAN_IF
set loginterface $WIFI_IF
# Loopback traffic is not filtered at all.
set skip on $LOOPBACK
#----------------------------
# Scrub
#----------------------------
# Normalise all traffic: randomise the IP ID field and reassemble TCP.
match all scrub (random-id reassemble tcp)
#----------------------------
# Quality of Service
#----------------------------
# One default queue per direction. There is no queue on $WIFI_IF, so traffic
# leaving towards the WiFi clients is not shaped by this ruleset.
queue q_ext on $EXT_IF flows 1024 bandwidth $UPLOAD max $UPLOAD qlimit 1024 default
queue q_lan on $LAN_IF flows 1024 bandwidth $DOWNLOAD max $DOWNLOAD qlimit 1024 default
#----------------------------
# NAT & REDIRECTION
#----------------------------
# Outbound FTP from the LAN/WiFi is handed to ftp-proxy(8) on 127.0.0.1.
# NOTE(review): these two "pass in quick" rules are evaluated before the
# "Bad packets" quick blocks (antispoof, <ABUSIVE_IPv4>, <MARTIANS>). Their
# interface + source restriction limits the exposure, but placing them after
# the "Bad packets" section would keep the deny rules authoritative.
anchor "ftp-proxy/*"
pass in quick on $LAN_IF inet proto tcp from $LAN to any port ftp divert-to 127.0.0.1 port $PORT_FTP_PROXY
pass in quick on $WIFI_IF inet proto tcp from $WIFI to any port ftp divert-to 127.0.0.1 port $PORT_FTP_PROXY
# Source-NAT everything leaving em0 that does not already carry em0's own
# address; the source port is rewritten into the unprivileged range.
match out on $EXT_IF inet from !($EXT_IF) to any nat-to ($EXT_IF) port $PORT_UNPRIV
# Inbound redirections to the P2P host. NOTE(review): the first rule sends
# *all* ICMP addressed to em0 to $SERVER_P2P, so the gateway itself never
# answers pings from the Internet; only echoreq/unreach then survive the
# INTERNET_LAN pass rule in the BitTorrent section — confirm that is intended.
match in on $EXT_IF inet proto icmp from any to ($EXT_IF) rdr-to $SERVER_P2P
match in on $EXT_IF inet proto { tcp udp } from any to ($EXT_IF) port $PORT_BITTORRENT rdr-to $SERVER_P2P
match in on $EXT_IF inet proto tcp from any to ($EXT_IF) port $PORT_IN_SSH rdr-to $SERVER_P2P port ssh
#----------------------------
# Filtering
#----------------------------
# Gateway DHCP & IGMP
# The gateway's own DHCP client on em0 is allowed out; IGMP on em0 is dropped.
pass out quick on $EXT_IF inet proto udp from ($EXT_IF) port bootpc to $SERVER_DHCP port bootps
block quick on $EXT_IF inet proto igmp
# Bad packets
# Default deny on every interface in both directions; every rule after this
# is an explicit exception.
block all
block quick inet6
block quick from <ABUSIVE_IPv4>
# Drop packets whose source belongs to one of our three networks but that
# arrive on the wrong interface.
antispoof quick for { $EXT_IF $LAN_IF $WIFI_IF } inet
# Internet side: never send to, or accept from, the special/private ranges;
# "no-route" drops sources with no route at all and "urpf-failed" drops
# sources whose best return route does not go back out via em0.
block out quick on $EXT_IF inet from any to { <MARTIANS> }
block in quick on $EXT_IF inet from { <MARTIANS> no-route urpf-failed } to any
# Gateway -> LAN
# The gateway itself may only ping and traceroute (UDP 33434-33625) its hosts.
pass out on $LAN_IF inet proto icmp from ($LAN_IF) to $LAN icmp-type $ICMP_TYPE
pass out on $LAN_IF inet proto udp from ($LAN_IF) port $PORT_UNPRIV to $LAN port 33433 >< 33626
# Gateway -> WiFi
pass out on $WIFI_IF inet proto icmp from ($WIFI_IF) to $WIFI icmp-type $ICMP_TYPE
pass out on $WIFI_IF inet proto udp from ($WIFI_IF) port $PORT_UNPRIV to $WIFI port 33433 >< 33626
# LAN -> Gateway
# Services the gateway offers to LAN hosts: DNS, ping, NTP, ssh, traceroute.
pass in on $LAN_IF inet proto { tcp udp } from $LAN port $PORT_UNPRIV to ($LAN_IF) port domain
pass in on $LAN_IF inet proto icmp from $LAN to ($LAN_IF) icmp-type $ICMP_TYPE
pass in on $LAN_IF inet proto udp from $LAN port { ntp $PORT_UNPRIV } to ($LAN_IF) port ntp
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to ($LAN_IF) port ssh
pass in on $LAN_IF inet proto udp from $LAN port $PORT_UNPRIV to ($LAN_IF) port 33433 >< 33626
# LAN -> WiFi
# NOTE(review): the only traffic passed between the two internal segments is
# ICMP echo/unreach, the UDP traceroute range and (LAN -> WiFi only) ssh.
# No other TCP/UDP between 192.168.0/24 and 192.168.2/24 is passed, so
# anything beyond ping, traceroute and LAN-initiated ssh is blocked by design.
# The tags are consumed by the "Policies" pass-out rules at the end of the file.
pass in on $LAN_IF inet proto icmp from $LAN to $WIFI icmp-type $ICMP_TYPE tag LAN_WIFI
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to $WIFI port ssh tag LAN_WIFI
pass in on $LAN_IF inet proto udp from $LAN port $PORT_UNPRIV to $WIFI port 33433 >< 33626 tag LAN_WIFI
# LAN -> Internet
# Web, mail submission via smtp, ssh to the seedbox only, ping, traceroute.
pass in on $LAN_IF inet proto icmp from $LAN icmp-type $ICMP_TYPE tag LAN_INTERNET
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to any port { http https smtp } tag LAN_INTERNET
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to $SERVER_SEEDBOX port ssh tag LAN_INTERNET
pass in on $LAN_IF inet proto udp from $LAN port $PORT_UNPRIV to any port 33433 >< 33626 tag LAN_INTERNET
# WiFi -> Gateway
# DHCP from not-yet-configured clients (source 0.0.0.0, broadcast destination),
# then the same services as for the LAN except ssh.
pass in on $WIFI_IF inet proto udp from { $WIFI 0.0.0.0/32 } port bootpc to { ($WIFI_IF) 192.168.2.255/32 255.255.255.255/32 } port bootps
pass in on $WIFI_IF inet proto { tcp udp } from $WIFI port $PORT_UNPRIV to ($WIFI_IF) port domain
pass in on $WIFI_IF inet proto icmp from $WIFI to ($WIFI_IF) icmp-type $ICMP_TYPE
pass in on $WIFI_IF inet proto udp from $WIFI port { ntp $PORT_UNPRIV } to ($WIFI_IF) port ntp
pass in on $WIFI_IF inet proto udp from $WIFI port $PORT_UNPRIV to ($WIFI_IF) port 33433 >< 33626
# WiFi -> LAN
# Ping and traceroute only; see the LAN -> WiFi note above.
pass in on $WIFI_IF inet proto icmp from $WIFI to $LAN icmp-type $ICMP_TYPE tag WIFI_LAN
pass in on $WIFI_IF inet proto udp from $WIFI port $PORT_UNPRIV to $LAN port 33433 >< 33626 tag WIFI_LAN
# WiFi -> Internet
# Web, ping and traceroute; no smtp and no seedbox ssh from the WiFi side.
pass in on $WIFI_IF inet proto icmp from $WIFI icmp-type $ICMP_TYPE tag WIFI_INTERNET
pass in on $WIFI_IF inet proto tcp from $WIFI port $PORT_UNPRIV to any port { http https } tag WIFI_INTERNET
pass in on $WIFI_IF inet proto udp from $WIFI port $PORT_UNPRIV to any port 33433 >< 33626 tag WIFI_INTERNET
# BitTorrent (from SERVER_P2P -> Internet)
# Outbound peer traffic from the P2P host, then the inbound counterparts of
# the rdr-to rules. Inbound ssh is rate-limited: more than 5 concurrent
# connections, or more than 5 new connections per second, from one source
# adds that source to <ABUSIVE_IPv4> and "flush global" kills all of its
# existing states; the "block quick from <ABUSIVE_IPv4>" rule then drops it.
pass in on $LAN_IF inet proto tcp from $SERVER_P2P port $PORT_UNPRIV to any port $PORT_UNPRIV tag LAN_INTERNET
pass in on $LAN_IF inet proto udp from $SERVER_P2P port $PORT_UNPRIV to any port { http $PORT_UNPRIV } tag LAN_INTERNET
pass in on $EXT_IF inet proto icmp from any to $SERVER_P2P icmp-type $ICMP_TYPE tag INTERNET_LAN
pass in on $EXT_IF inet proto { tcp udp } from any port $PORT_UNPRIV to $SERVER_P2P port $PORT_BITTORRENT tag INTERNET_LAN
pass in on $EXT_IF inet proto tcp from any port $PORT_UNPRIV to $SERVER_P2P port ssh modulate state (max-src-conn 5, max-src-conn-rate 5/1, overload <ABUSIVE_IPv4> flush global) tag INTERNET_LAN
# Game & VoIP
# Per-application rules live in a separate anchor file, scoped to LAN sources.
anchor game in on $LAN_IF inet proto { tcp udp } from $LAN port $PORT_UNPRIV to any
load anchor game from "/root/pf.game.conf"
# Gateway -> Internet
# Services the gateway itself uses: DNS, ping, HTTP(S)/SMTP, NTP, FTP
# (presumably where ftp-proxy connects out from — verify) and traceroute.
pass out on $EXT_IF inet proto { tcp udp } from ($EXT_IF) port $PORT_UNPRIV to any port domain
pass out on $EXT_IF inet proto icmp from ($EXT_IF) icmp-type $ICMP_TYPE
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port { http https smtp }
pass out on $EXT_IF inet proto udp from ($EXT_IF) port $PORT_UNPRIV to any port ntp
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port ftp tag LAN_INTERNET
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port ftp tag WIFI_INTERNET
pass out on $EXT_IF inet proto udp from ($EXT_IF) port $PORT_UNPRIV to any port 33433 >< 33626
# Policies
# Second half of every forwarded flow: a packet passed in with one of these
# tags is passed out on the far interface, with TCP sequence number modulation.
pass out on $WIFI_IF modulate state tagged LAN_WIFI
pass out on $EXT_IF modulate state tagged LAN_INTERNET
pass out on $EXT_IF modulate state tagged WIFI_INTERNET
pass out on $LAN_IF modulate state tagged INTERNET_LAN
pass out on $LAN_IF modulate state tagged WIFI_LAN
#----------------------------
# End of file
#----------------------------
Thanks for your advice.