Thread: [pf or routing] No communication between networks
View Single Post
  #1   (View Single Post)  
Old 5th January 2019
apfelgluck apfelgluck is offline
Port Guard
  
Join Date: Sep 2016
Location: France
Posts: 14
Default [pf or routing] No communication between networks
Hello,


I have an problem with my gateway : the hosts on WiFi network can not reach the hosts on LAN network and vice versa.
According to my pf rules, it should work.
Does any one hae an idea ?


Below is a diagram of my simple network.
Code:
               +-----+
               +WiFi +
               +--+--+
		  |
+--------+    +---+---+    +---+
+Internet+----+Gateway+----+LAN+
+--------+    +-------+    +---+
WiFi network is 192.168.2.0/24.
LAN network is 192.168.0.0/24.

On the gateway, the interfaces are :
- athn0 for the WiFi,
- em0 for Internet,
- em1 for the LAN.


I replaced the IP addresses and netword with value and the MAC addresses with mac.


The routing table :
Code:
root@145 [12:36:08]:~$ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            value              UGS      737 1392467194     -   8 em0
224/4              127.0.0.1          URS        0      328 32768     8 lo0
value/23           value              UCn        1        0     -     4 em0
value              mac                UHLch      1     5171     -     3 em0
value              mac                UHLl       0   340127     -     1 em0
value              value              UHb        0        0     -     1 em0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       2     1938 32768     1 lo0
192.168.0/24       192.168.0.1        UCn        3    15944     -     4 em1
192.168.0.1        mac                UHLl       0   537223     -     1 em1
192.168.0.20       mac                UHLc       1  4024816     -     3 em1
192.168.0.30       mac                UHLc       1  2743949     -     3 em1
192.168.0.60       mac                UHLc       1 894938970     -    3 em1
192.168.0.255      192.168.0.1        UHb        0     1407     -     1 em1
192.168.2/24       192.168.2.1        UCn        0        5     -     8 athn0
192.168.2.1        mac                UHLl       0      648     -     1 athn0
192.168.2.255      192.168.2.1        UHb        0        0     -     1 athn0

Below is my pf ruleset.
Code:
#----------------------------
# Macros
#----------------------------


 EXT_IF="em0"
 LAN_IF="em1"
WIFI_IF="athn0"
LOOPBACK="lo"

 LAN="(em1:network)"
WIFI="(athn0:network)"

DOWNLOAD="176600K"
UPLOAD="9200K"

ICMP_TYPE="{ echoreq unreach }"

PORT_BITTORRENT="value"
PORT_FTP_PROXY="8021"
PORT_IN_SSH="value"
PORT_UNPRIV="1024:65535"

SERVER_DHCP="{ value value 255.255.255.255/32 }"
SERVER_P2P="192.168.0.60/32"
SERVER_SEEDBOX="value"


#----------------------------
# Tables
#----------------------------


table <ABUSIVE_IPv4> counters persist

# Last Updated : 2018-11-17
# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xml

table <MARTIANS> const counters persist { 0/8 10/8 100.64/10 127/8 169.254/16 172.16/12 192/24 192.0.0.0/29 192.0.0.8/32 192.0.0.170/32 192.0.0.171/32 192.0.2/24 192.88.99/24 192.168/16 198.18/15 198.51.100/24 203.0.113/24 240/4 }


#----------------------------
# Options
#----------------------------


set block-policy drop
set loginterface  $EXT_IF
set loginterface  $LAN_IF
set loginterface $WIFI_IF
set skip on $LOOPBACK


#----------------------------
# Scrub
#----------------------------


match all scrub (random-id reassemble tcp)


#----------------------------
# Quality of Service
#----------------------------


queue q_ext on $EXT_IF flows 1024 bandwidth $UPLOAD   max $UPLOAD   qlimit 1024 default
queue q_lan on $LAN_IF flows 1024 bandwidth $DOWNLOAD max $DOWNLOAD qlimit 1024 default


#----------------------------
# NAT & REDIRECTION
#----------------------------


anchor "ftp-proxy/*"

pass in quick on  $LAN_IF inet proto tcp from $LAN  to any port ftp divert-to 127.0.0.1 port $PORT_FTP_PROXY
pass in quick on $WIFI_IF inet proto tcp from $WIFI to any port ftp divert-to 127.0.0.1 port $PORT_FTP_PROXY

match out on $EXT_IF inet from !($EXT_IF) to any nat-to ($EXT_IF) port $PORT_UNPRIV

match in on $EXT_IF inet proto icmp from any to ($EXT_IF) rdr-to $SERVER_P2P
match in on $EXT_IF inet proto { tcp udp } from any to ($EXT_IF) port $PORT_BITTORRENT rdr-to $SERVER_P2P
match in on $EXT_IF inet proto tcp         from any to ($EXT_IF) port $PORT_IN_SSH     rdr-to $SERVER_P2P port ssh


#----------------------------
# Filtering
#----------------------------


# Gateway DHCP & IGMP
pass out quick on $EXT_IF inet proto udp from ($EXT_IF) port bootpc to $SERVER_DHCP port bootps
block    quick on $EXT_IF inet proto igmp


# Bad packets
block all
block quick inet6
block quick from <ABUSIVE_IPv4>
antispoof quick for { $EXT_IF $LAN_IF $WIFI_IF } inet
block out quick on $EXT_IF inet from any to { <MARTIANS> }
block in  quick on $EXT_IF inet from        { <MARTIANS> no-route urpf-failed } to any


# Gateway -> LAN
pass out on $LAN_IF inet proto icmp from ($LAN_IF) to $LAN icmp-type $ICMP_TYPE
pass out on $LAN_IF inet proto udp  from ($LAN_IF) port $PORT_UNPRIV to $LAN port 33433 >< 33626


# Gateway -> WiFi
pass out on $WIFI_IF inet proto icmp from ($WIFI_IF) to $WIFI icmp-type $ICMP_TYPE
pass out on $WIFI_IF inet proto udp  from ($WIFI_IF) port $PORT_UNPRIV to $WIFI port 33433 >< 33626


# LAN -> Gateway
pass in on $LAN_IF inet proto { tcp udp } from $LAN port $PORT_UNPRIV to ($LAN_IF) port domain
pass in on $LAN_IF inet proto icmp from $LAN to ($LAN_IF) icmp-type $ICMP_TYPE
pass in on $LAN_IF inet proto udp from $LAN port { ntp $PORT_UNPRIV } to ($LAN_IF) port ntp
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to ($LAN_IF) port ssh
pass in on $LAN_IF inet proto udp from $LAN port $PORT_UNPRIV to ($LAN_IF) port 33433 >< 33626


# LAN -> WiFi
pass in on $LAN_IF inet proto icmp from $LAN to $WIFI icmp-type $ICMP_TYPE tag LAN_WIFI
pass in on $LAN_IF inet proto tcp  from $LAN port $PORT_UNPRIV to $WIFI port ssh tag LAN_WIFI
pass in on $LAN_IF inet proto udp  from $LAN port $PORT_UNPRIV to $WIFI port 33433 >< 33626 tag LAN_WIFI


# LAN -> Internet
pass in on $LAN_IF inet proto icmp from $LAN icmp-type $ICMP_TYPE tag LAN_INTERNET
pass in on $LAN_IF inet proto tcp  from $LAN port $PORT_UNPRIV to any port { http https smtp } tag LAN_INTERNET
pass in on $LAN_IF inet proto tcp  from $LAN port $PORT_UNPRIV to $SERVER_SEEDBOX port ssh     tag LAN_INTERNET
pass in on $LAN_IF inet proto udp  from $LAN port $PORT_UNPRIV to any port 33433 >< 33626      tag LAN_INTERNET


# WiFi -> Gateway
pass in on $WIFI_IF inet proto udp from { $WIFI 0.0.0.0/32 } port bootpc to { ($WIFI_IF) 192.168.2.255/32 255.255.255.255/32 } port bootps
pass in on $WIFI_IF inet proto { tcp udp } from $WIFI port $PORT_UNPRIV to ($WIFI_IF) port domain
pass in on $WIFI_IF inet proto icmp from $WIFI to ($WIFI_IF) icmp-type $ICMP_TYPE
pass in on $WIFI_IF inet proto udp from $WIFI port { ntp $PORT_UNPRIV } to ($WIFI_IF) port ntp
pass in on $WIFI_IF inet proto udp from $WIFI port $PORT_UNPRIV to ($WIFI_IF) port 33433 >< 33626


# WiFi -> LAN
pass in on $WIFI_IF inet proto icmp from $WIFI to $LAN icmp-type $ICMP_TYPE tag WIFI_LAN
pass in on $WIFI_IF inet proto udp  from $WIFI port $PORT_UNPRIV to $LAN port 33433 >< 33626 tag WIFI_LAN


# WiFi -> Internet
pass in on $WIFI_IF inet proto icmp from $WIFI icmp-type $ICMP_TYPE tag WIFI_INTERNET
pass in on $WIFI_IF inet proto tcp  from $WIFI port $PORT_UNPRIV to any port { http https } tag WIFI_INTERNET
pass in on $WIFI_IF inet proto udp  from $WIFI port $PORT_UNPRIV to any port 33433 >< 33626 tag WIFI_INTERNET


# BitTorrent (from SERVER_P2P -> Internet)
pass in on $LAN_IF inet proto tcp from $SERVER_P2P port $PORT_UNPRIV to any port $PORT_UNPRIV tag LAN_INTERNET
pass in on $LAN_IF inet proto udp from $SERVER_P2P port $PORT_UNPRIV to any port { http $PORT_UNPRIV } tag LAN_INTERNET
pass in on $EXT_IF inet proto icmp from any to $SERVER_P2P icmp-type $ICMP_TYPE tag INTERNET_LAN
pass in on $EXT_IF inet proto { tcp udp } from any port $PORT_UNPRIV to $SERVER_P2P port $PORT_BITTORRENT tag INTERNET_LAN
pass in on $EXT_IF inet proto tcp from any port $PORT_UNPRIV to $SERVER_P2P port ssh modulate state (max-src-conn 5, max-src-conn-rate 5/1, overload <ABUSIVE_IPv4> flush global) tag INTERNET_LAN


# Game & VoIP
anchor game in on $LAN_IF inet proto { tcp udp } from $LAN port $PORT_UNPRIV to any
load anchor game from "/root/pf.game.conf"


# Gateway -> Internet
pass out on $EXT_IF inet proto { tcp udp } from ($EXT_IF) port $PORT_UNPRIV to any port domain
pass out on $EXT_IF inet proto icmp from ($EXT_IF) icmp-type $ICMP_TYPE
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port { http https smtp }
pass out on $EXT_IF inet proto udp from ($EXT_IF) port $PORT_UNPRIV to any port ntp
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port ftp tag  LAN_INTERNET
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port ftp tag WIFI_INTERNET
pass out on $EXT_IF inet proto udp from ($EXT_IF) port $PORT_UNPRIV to any port 33433 >< 33626


# Policies
pass out on $WIFI_IF modulate state tagged  LAN_WIFI
pass out on  $EXT_IF modulate state tagged  LAN_INTERNET
pass out on  $EXT_IF modulate state tagged WIFI_INTERNET
pass out on  $LAN_IF modulate state tagged INTERNET_LAN
pass out on  $LAN_IF modulate state tagged     WIFI_LAN


#----------------------------
# End of file
#----------------------------
Thanks for your advices.
Reply With Quote