OpenBSD Security
[pf or routing] No communication between networks
Hello,
I have a problem with my gateway: the hosts on the WiFi network cannot reach the hosts on the LAN network and vice versa. According to my pf rules, it should work. Does anyone have an idea? Below is a diagram of my simple network.

Code:
                 +-----+
                 +WiFi +
                 +--+--+
                    |
+--------+      +---+---+      +---+
+Internet+------+Gateway+------+LAN+
+--------+      +-------+      +---+

LAN network is 192.168.0.0/24. On the gateway, the interfaces are:
- athn0 for the WiFi,
- em0 for Internet,
- em1 for the LAN.

I replaced the IP addresses and networks with "value" and the MAC addresses with "mac".

The routing table:

Code:
root@145 [12:36:08]:~$ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs        Use   Mtu  Prio Iface
default            value              UGS      737 1392467194     -     8 em0
224/4              127.0.0.1          URS        0        328 32768     8 lo0
value/23           value              UCn        1          0     -     4 em0
value              mac                UHLch      1       5171     -     3 em0
value              mac                UHLl       0     340127     -     1 em0
value              value              UHb        0          0     -     1 em0
127/8              127.0.0.1          UGRS       0          0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       2       1938 32768     1 lo0
192.168.0/24       192.168.0.1        UCn        3      15944     -     4 em1
192.168.0.1        mac                UHLl       0     537223     -     1 em1
192.168.0.20       mac                UHLc       1    4024816     -     3 em1
192.168.0.30       mac                UHLc       1    2743949     -     3 em1
192.168.0.60       mac                UHLc       1  894938970     -     3 em1
192.168.0.255      192.168.0.1        UHb        0       1407     -     1 em1
192.168.2/24       192.168.2.1        UCn        0          5     -     8 athn0
192.168.2.1        mac                UHLl       0        648     -     1 athn0
192.168.2.255      192.168.2.1        UHb        0          0     -     1 athn0

Below is my pf ruleset.

Code:
#----------------------------
# Macros
#----------------------------
EXT_IF="em0"
LAN_IF="em1"
WIFI_IF="athn0"
LOOPBACK="lo"
LAN="(em1:network)"
WIFI="(athn0:network)"

DOWNLOAD="176600K"
UPLOAD="9200K"

ICMP_TYPE="{ echoreq unreach }"

PORT_BITTORRENT="value"
PORT_FTP_PROXY="8021"
PORT_IN_SSH="value"
PORT_UNPRIV="1024:65535"

SERVER_DHCP="{ value value 255.255.255.255/32 }"
SERVER_P2P="192.168.0.60/32"
SERVER_SEEDBOX="value"

#----------------------------
# Tables
#----------------------------
table <ABUSIVE_IPv4> counters persist

# Last Updated : 2018-11-17
# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xml
table <MARTIANS> const counters persist { 0/8 10/8 100.64/10 127/8 169.254/16 172.16/12 192/24 192.0.0.0/29 192.0.0.8/32 192.0.0.170/32 192.0.0.171/32 192.0.2/24 192.88.99/24 192.168/16 198.18/15 198.51.100/24 203.0.113/24 240/4 }

#----------------------------
# Options
#----------------------------
set block-policy drop
# pf keeps a single loginterface; of the three below only the last one takes effect
set loginterface $EXT_IF
set loginterface $LAN_IF
set loginterface $WIFI_IF
set skip on $LOOPBACK

#----------------------------
# Scrub
#----------------------------
match all scrub (random-id reassemble tcp)

#----------------------------
# Quality of Service
#----------------------------
queue q_ext on $EXT_IF flows 1024 bandwidth $UPLOAD max $UPLOAD qlimit 1024 default
queue q_lan on $LAN_IF flows 1024 bandwidth $DOWNLOAD max $DOWNLOAD qlimit 1024 default

#----------------------------
# NAT & REDIRECTION
#----------------------------
anchor "ftp-proxy/*"
pass in quick on $LAN_IF inet proto tcp from $LAN to any port ftp divert-to 127.0.0.1 port $PORT_FTP_PROXY
pass in quick on $WIFI_IF inet proto tcp from $WIFI to any port ftp divert-to 127.0.0.1 port $PORT_FTP_PROXY
match out on $EXT_IF inet from !($EXT_IF) to any nat-to ($EXT_IF) port $PORT_UNPRIV
match in on $EXT_IF inet proto icmp from any to ($EXT_IF) rdr-to $SERVER_P2P
match in on $EXT_IF inet proto { tcp udp } from any to ($EXT_IF) port $PORT_BITTORRENT rdr-to $SERVER_P2P
match in on $EXT_IF inet proto tcp from any to ($EXT_IF) port $PORT_IN_SSH rdr-to $SERVER_P2P port ssh

#----------------------------
# Filtering
#----------------------------
# Gateway DHCP & IGMP
pass out quick on $EXT_IF inet proto udp from ($EXT_IF) port bootpc to $SERVER_DHCP port bootps
block quick on $EXT_IF inet proto igmp

# Bad packets
block all
block quick inet6
block quick from <ABUSIVE_IPv4>
antispoof quick for { $EXT_IF $LAN_IF $WIFI_IF } inet
block out quick on $EXT_IF inet from any to { <MARTIANS> }
block in quick on $EXT_IF inet from { <MARTIANS> no-route urpf-failed } to any

# Gateway -> LAN
pass out on $LAN_IF inet proto icmp from ($LAN_IF) to $LAN icmp-type $ICMP_TYPE
pass out on $LAN_IF inet proto udp from ($LAN_IF) port $PORT_UNPRIV to $LAN port 33433 >< 33626

# Gateway -> WiFi
pass out on $WIFI_IF inet proto icmp from ($WIFI_IF) to $WIFI icmp-type $ICMP_TYPE
pass out on $WIFI_IF inet proto udp from ($WIFI_IF) port $PORT_UNPRIV to $WIFI port 33433 >< 33626

# LAN -> Gateway
pass in on $LAN_IF inet proto { tcp udp } from $LAN port $PORT_UNPRIV to ($LAN_IF) port domain
pass in on $LAN_IF inet proto icmp from $LAN to ($LAN_IF) icmp-type $ICMP_TYPE
pass in on $LAN_IF inet proto udp from $LAN port { ntp $PORT_UNPRIV } to ($LAN_IF) port ntp
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to ($LAN_IF) port ssh
pass in on $LAN_IF inet proto udp from $LAN port $PORT_UNPRIV to ($LAN_IF) port 33433 >< 33626

# LAN -> WiFi
pass in on $LAN_IF inet proto icmp from $LAN to $WIFI icmp-type $ICMP_TYPE tag LAN_WIFI
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to $WIFI port ssh tag LAN_WIFI
pass in on $LAN_IF inet proto udp from $LAN port $PORT_UNPRIV to $WIFI port 33433 >< 33626 tag LAN_WIFI

# LAN -> Internet
pass in on $LAN_IF inet proto icmp from $LAN icmp-type $ICMP_TYPE tag LAN_INTERNET
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to any port { http https smtp } tag LAN_INTERNET
pass in on $LAN_IF inet proto tcp from $LAN port $PORT_UNPRIV to $SERVER_SEEDBOX port ssh tag LAN_INTERNET
pass in on $LAN_IF inet proto udp from $LAN port $PORT_UNPRIV to any port 33433 >< 33626 tag LAN_INTERNET

# WiFi -> Gateway
pass in on $WIFI_IF inet proto udp from { $WIFI 0.0.0.0/32 } port bootpc to { ($WIFI_IF) 192.168.2.255/32 255.255.255.255/32 } port bootps
pass in on $WIFI_IF inet proto { tcp udp } from $WIFI port $PORT_UNPRIV to ($WIFI_IF) port domain
pass in on $WIFI_IF inet proto icmp from $WIFI to ($WIFI_IF) icmp-type $ICMP_TYPE
pass in on $WIFI_IF inet proto udp from $WIFI port { ntp $PORT_UNPRIV } to ($WIFI_IF) port ntp
pass in on $WIFI_IF inet proto udp from $WIFI port $PORT_UNPRIV to ($WIFI_IF) port 33433 >< 33626

# WiFi -> LAN
pass in on $WIFI_IF inet proto icmp from $WIFI to $LAN icmp-type $ICMP_TYPE tag WIFI_LAN
pass in on $WIFI_IF inet proto udp from $WIFI port $PORT_UNPRIV to $LAN port 33433 >< 33626 tag WIFI_LAN

# WiFi -> Internet
pass in on $WIFI_IF inet proto icmp from $WIFI icmp-type $ICMP_TYPE tag WIFI_INTERNET
pass in on $WIFI_IF inet proto tcp from $WIFI port $PORT_UNPRIV to any port { http https } tag WIFI_INTERNET
pass in on $WIFI_IF inet proto udp from $WIFI port $PORT_UNPRIV to any port 33433 >< 33626 tag WIFI_INTERNET

# BitTorrent (from SERVER_P2P -> Internet)
pass in on $LAN_IF inet proto tcp from $SERVER_P2P port $PORT_UNPRIV to any port $PORT_UNPRIV tag LAN_INTERNET
pass in on $LAN_IF inet proto udp from $SERVER_P2P port $PORT_UNPRIV to any port { http $PORT_UNPRIV } tag LAN_INTERNET
pass in on $EXT_IF inet proto icmp from any to $SERVER_P2P icmp-type $ICMP_TYPE tag INTERNET_LAN
pass in on $EXT_IF inet proto { tcp udp } from any port $PORT_UNPRIV to $SERVER_P2P port $PORT_BITTORRENT tag INTERNET_LAN
pass in on $EXT_IF inet proto tcp from any port $PORT_UNPRIV to $SERVER_P2P port ssh modulate state (max-src-conn 5, max-src-conn-rate 5/1, overload <ABUSIVE_IPv4> flush global) tag INTERNET_LAN

# Game & VoIP
anchor game in on $LAN_IF inet proto { tcp udp } from $LAN port $PORT_UNPRIV to any
load anchor game from "/root/pf.game.conf"

# Gateway -> Internet
pass out on $EXT_IF inet proto { tcp udp } from ($EXT_IF) port $PORT_UNPRIV to any port domain
pass out on $EXT_IF inet proto icmp from ($EXT_IF) icmp-type $ICMP_TYPE
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port { http https smtp }
pass out on $EXT_IF inet proto udp from ($EXT_IF) port $PORT_UNPRIV to any port ntp
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port ftp tag LAN_INTERNET
pass out on $EXT_IF inet proto tcp from ($EXT_IF) port $PORT_UNPRIV to any port ftp tag WIFI_INTERNET
pass out on $EXT_IF inet proto udp from ($EXT_IF) port $PORT_UNPRIV to any port 33433 >< 33626

# Policies
pass out on $WIFI_IF modulate state tagged LAN_WIFI
pass out on $EXT_IF modulate state tagged LAN_INTERNET
pass out on $EXT_IF modulate state tagged WIFI_INTERNET
pass out on $LAN_IF modulate state tagged INTERNET_LAN
pass out on $LAN_IF modulate state tagged WIFI_LAN

#----------------------------
# End of file
#----------------------------
Problem solved.

I forgot the pf principle of the last matching rule. It now works fine after moving:
- the section LAN -> WiFi after LAN -> Internet,
- the section WiFi -> LAN after the section WiFi -> Internet.
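The two posts above can be checked without a gateway. What follows is an added example, not code from the thread or from OpenBSD: a small Python model of pf's ordering semantics (last matching rule wins, `quick` ends evaluation, and a later matching rule's `tag` replaces an earlier one's) run over the handful of rules a LAN-to-WiFi ICMP packet touches. With the original order, the `LAN -> Internet` rule (`from $LAN` to anything) matches after the `LAN -> WiFi` rule and relabels the packet LAN_INTERNET, so the egress policy `pass out on athn0 ... tagged LAN_WIFI` never matches and `block all` wins; with the order from the fix, LAN_WIFI is the surviving tag. The `Rule`/`Packet` classes, `evaluate` and `forward` are this example's own simplification (no protocols, ports, states or MARTIANS table), and the hosts 192.168.2.10 and 198.51.100.7 are constructed sample addresses.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks taken from the thread's routing table. The WiFi host and the
# "Internet" host used further down are constructed sample addresses.
LAN = ipaddress.ip_network("192.168.0.0/24")
WIFI = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """A heavily reduced pf rule: only the fields the ordering bug involves."""
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # "in", "out", or None for both (like 'block all')
    iface: Optional[str] = None        # interface name, or None for any interface
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    quick: bool = False
    tag: Optional[str] = None          # 'tag X': label the packet when this rule matches
    tagged: Optional[str] = None       # 'tagged X': match only packets already labelled X
    name: str = ""


@dataclass
class Packet:
    direction: str
    iface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    tag: Optional[str] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.direction in (None, pkt.direction)
        and rule.iface in (None, pkt.iface)
        and pkt.src in rule.src
        and pkt.dst in rule.dst
        and (rule.tagged is None or rule.tagged == pkt.tag)
    )


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """Model of pf's ordering rule: the LAST matching rule decides, unless a
    matching rule carries 'quick', which stops evaluation on the spot. Tags are
    sticky: every matching rule that carries 'tag' relabels the packet, so the
    label of the last matching tagged rule is the one that survives."""
    winner: Optional[Rule] = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        winner = rule
        if rule.tag is not None:
            pkt.tag = rule.tag
        if rule.quick:
            break
    # pf passes a packet no rule matched; the thread's ruleset has 'block all' for that.
    return winner.action if winner else "pass"


def gateway_rules(lan_wifi_before_lan_internet: bool) -> list[Rule]:
    """The thread's ruleset cut down to what a LAN -> WiFi ICMP packet touches.
    True reproduces the poster's original order, False the order from the fix."""
    block_all = Rule("block", name="block all")
    lan_wifi = Rule("pass", "in", "em1", LAN, WIFI, tag="LAN_WIFI", name="LAN -> WiFi")
    lan_internet = Rule("pass", "in", "em1", LAN, ANY, tag="LAN_INTERNET", name="LAN -> Internet")
    policies = [
        Rule("pass", "out", "athn0", tagged="LAN_WIFI", name="pass out on athn0 tagged LAN_WIFI"),
        Rule("pass", "out", "em0", tagged="LAN_INTERNET", name="pass out on em0 tagged LAN_INTERNET"),
    ]
    inbound = [lan_wifi, lan_internet] if lan_wifi_before_lan_internet else [lan_internet, lan_wifi]
    return [block_all, *inbound, *policies]


def forward(rules: list[Rule], src: str, dst: str, in_if: str, out_if: str) -> tuple[str, str, Optional[str]]:
    """Run one forwarded packet through pf the way the kernel does: once inbound
    on the receiving interface, then (if passed) once outbound on the egress
    interface, with the tag carried between the two evaluations."""
    pkt = Packet("in", in_if, ipaddress.ip_address(src), ipaddress.ip_address(dst))
    in_action = evaluate(rules, pkt)
    if in_action == "block":
        return (in_action, "-", pkt.tag)
    pkt.direction, pkt.iface = "out", out_if
    out_action = evaluate(rules, pkt)
    return (in_action, out_action, pkt.tag)


if __name__ == "__main__":
    for label, order in (("original order", True), ("fixed order", False)):
        res = forward(gateway_rules(order), "192.168.0.20", "192.168.2.10", "em1", "athn0")
        print(f"{label:15} 192.168.0.20 -> 192.168.2.10: in={res[0]} out={res[1]} tag={res[2]}")
```

Running it prints `out=block tag=LAN_INTERNET` for the original order and `out=pass tag=LAN_WIFI` for the fixed one; Internet-bound traffic from the LAN ends up tagged LAN_INTERNET in both orders, which is why only the cross-network case broke. On a real gateway the same thing is visible without a model: `pfctl -vvs rules` shows the rule counters, and a `pass in ... tag LAN_WIFI` rule whose egress policy never fires is the tell.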