Saturday, August 31, 2019

Re: Incoming connection via VLAN

On 2019-08-30, Felix Hanley <felix@userspace.com.au> wrote:
> Hello all,
>
> My home internet connection (Internode Australia) has recently been
> "upgraded" and is now delivered via vlan ID 2. I previously had the
> following configuration, which worked without issue:
>
> # cat /etc/hostname.em0
> up
>
> # cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE \
> pppoedev em0 authproto pap \
> authname 'XXXX@internode.on.net' \
> authkey 'XXXX' up
> dest 0.0.0.1
> inet6 eui64
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
> !/etc/rc.d/dhcp6c restart
> !/sbin/pfctl -ef /etc/pf.conf
>
> After working out the vlan stuff I now have the following:
>
> # cat /etc/hostname.em0
> up
>
> # cat /etc/hostname.vlan2
> vnetid 2 parent em0 txprio 1
> up
>
> # cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE \
> llprio 1 mtu 1440 \
> pppoedev vlan2 authproto pap \
> authname 'XXXX@internode.on.net' \
> authkey 'XXXX' up
> dest 0.0.0.1
> inet6 eui64
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
> !/etc/rc.d/dhcp6c restart
> !/sbin/pfctl -ef /etc/pf.conf
>
> I am able to access the internet fine. My problem is that incoming
> connections are unable to access the OBSD router but are able to be
> redirected to internal hosts just fine. There were no problems with this
> prior to the vlan stuff. My stripped down pf.conf is:
>
> # cat /etc/pf.conf
> egress = "pppoe0"
> zappa = "10.0.1.2"
>
> set skip on lo
> set skip on vlan2
> set block-policy drop
> set loginterface $egress
>
> queue outq on $egress bandwidth 13M max 13M flows 1024 qlimit 1024 default
>
> match in inet all scrub (no-df random-id)
> match on $egress inet scrub (max-mss 1440)
> # NAT all outbound IPv4 traffic from the rest of our network
> match out on $egress inet from !($egress:network) to any nat-to ($egress:0)
>
> antispoof quick for lo
>

I'd suggest adding "block all" or "block log all" here. That way you can be
sure that any traffic making it through the ruleset has been permitted by one
of the following "pass" rules (which are stateful rules). Otherwise things
might only be making it through due to the implicit default-permit rule
which is not stateful.

> pass in on $egress proto { tcp udp } from any to ($egress) port { ssh
> http https }
> pass in on $egress proto tcp from any to ($egress) port 51022 rdr-to
> $zappa port ssh
>
> Running tcpdump on pppoe0 shows ICMP packets but never any SSH (or other
> TCP) packets coming in on egress. I am confused that rdr-to works but
> connections to the router do not.
>
> Any help would be greatly appreciated.
>
> -felix
>
>

It's odd that you don't see any TCP packets coming in on pppoe0 with
tcpdump; does that even include port 51022 if you're connected via
the rdr-to?
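For illustration, here is the quoted stripped-down ruleset with the explicit default-deny suggested above. This is an added example, not part of either message; the interface names, addresses and existing rules are taken from Felix's pf.conf, and the `pass out` rule is an assumption that becomes necessary once `block` is in place, since the original relied on the implicit default-permit for outbound traffic.

```pf
# Added example: the quoted ruleset plus an explicit default-deny.
egress = "pppoe0"
zappa = "10.0.1.2"

set skip on lo
set skip on vlan2          # PPPoE carrier VLAN; filtering happens on pppoe0
set block-policy drop
set loginterface $egress

queue outq on $egress bandwidth 13M max 13M flows 1024 qlimit 1024 default

match in inet all scrub (no-df random-id)
match on $egress inet scrub (max-mss 1440)
# NAT all outbound IPv4 traffic from the rest of our network
match out on $egress inet from !($egress:network) to any nat-to ($egress:0)

antispoof quick for lo

# Explicit default-deny: anything not matched by a later stateful "pass"
# rule is dropped, and logged to pflog0 so the drops can be inspected.
block log all

# Assumed addition: with "block all" in place, outbound traffic from the
# router itself and from the NATed LAN needs its own stateful pass rule.
pass out

# The stripped-down ruleset omits the LAN side; with a default-deny in
# place, traffic from internal hosts also needs a "pass in" on that
# interface (its name is not shown in the thread, so it is omitted here).

pass in on $egress proto { tcp udp } from any to ($egress) port { ssh http https }
pass in on $egress proto tcp from any to ($egress) port 51022 rdr-to $zappa port ssh
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `tcpdump -n -e -ttt -i pflog0` shows exactly which packets the `block log all` rule is dropping, which is the quickest way to tell whether the missing SSH traffic is being filtered or never arrives on pppoe0 at all.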
