Sunday, September 01, 2019

Re: Incoming connection via VLAN

> On xxx.xxx Sep 2019, at 12:33 am, Stuart Henderson <stu@spacehopper.org> wrote:
>
> On 2019-08-30, Felix Hanley <felix@userspace.com.au> wrote:
>> Hello all,
>>
>> My home internet connection (Internode Australia) has recently been
>> "upgraded" and is now delivered via vlan ID 2. Previously had the
>> following configuration which worked without issue:
>>
>> # cat /etc/hostname.em0
>> up
>>
>> # cat /etc/hostname.pppoe0
>> inet 0.0.0.0 255.255.255.255 NONE \
>> pppoedev em0 authproto pap \
>> authname 'XXXX@internode.on.net' \
>> authkey 'XXXX' up
>> dest 0.0.0.1
>> inet6 eui64
>> !/sbin/route add default -ifp pppoe0 0.0.0.1
>> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
>> !/etc/rc.d/dhcp6c restart
>> !/sbin/pfctl -ef /etc/pf.conf
>>
>> After working out the vlan stuff I now have the following:
>>
>> # cat /etc/hostname.em0
>> up
>>
>> # cat /etc/hostname.vlan2
>> vnetid 2 parent em0 txprio 1
>> up
>>
>> # cat /etc/hostname.pppoe0
>> inet 0.0.0.0 255.255.255.255 NONE \
>> llprio 1 mtu 1440 \
>> pppoedev vlan2 authproto pap \
>> authname 'XXXX@internode.on.net' \
>> authkey 'XXXX' up
>> dest 0.0.0.1
>> inet6 eui64
>> !/sbin/route add default -ifp pppoe0 0.0.0.1
>> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
>> !/etc/rc.d/dhcp6c restart
>> !/sbin/pfctl -ef /etc/pf.conf
>>
>> I am able to access the internet fine. My problem is that incoming
>> connections are unable to access the OBSD router but are able to be
>> redirected to internal hosts just fine. There were no problems with this
>> prior to the vlan stuff. My stripped down pf.conf is:
>>
>> # cat /etc/pf.conf
>> egress = "pppoe0"
>> zappa = "10.0.1.2"
>>
>> set skip on lo
>> set skip on vlan2
>> set block-policy drop
>> set loginterface $egress
>>
>> queue outq on $egress bandwidth 13M max 13M flows 1024 qlimit 1024 default
>>
>> match in inet all scrub (no-df random-id)
>> match on $egress inet scrub (max-mss 1440)
>> # NAT all outbound IPv4 traffic from the rest of our network
>> match out on $egress inet from !($egress:network) to any nat-to ($egress:0)
>>
>> antispoof quick for lo
>>
>
> I'd suggest adding "block all" or "block log all" here. That way you can be
> sure that any traffic making it through the ruleset has been permitted by one
> of the following "pass" rules (which are stateful rules). Otherwise things
> might only be making it through due to the implicit default-permit rule
> which is not stateful.

Thank you, yes, I actually have that currently. With all the experimentation I failed to paste it into the email properly.

>
>> pass in on $egress proto { tcp udp } from any to ($egress) port { ssh http https }
>> pass in on $egress proto tcp from any to ($egress) port 51022 rdr-to $zappa port ssh
>>
>> Running tcpdump on pppoe0 shows ICMP packets but never any SSH (or other
>> TCP) packets coming in on egress. I am confused that rdr-to works but
>> connections to the router do not.
>>
>> Any help would be greatly appreciated.
>>
>> -felix
>>
>>
>
> It's odd that you don't see any TCP packets coming in on pppoe0 with
> tcpdump; does that even include port 51022 if you're connected via
> the rdr-to?

I have the simplest pf.conf now with NAT, default block all and a single pass for port 22. Outgoing connections work fine.
I can see incoming packets destined for port 22 but the ssh client just times out.
This is the tcpdump output on the server (pppoe0's parent is still vlan2):

# tcpdump -nvvi pppoe0 port ssh
tcpdump: listening on pppoe0, link-type PPP_ETHER
22:48:07.975217 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: P [tcp sum ok] 3286752776:3286752812(36) ack 802539959 win 2048 <nop,nop,timestamp 1005614369 2548777125> [tos 0x48] (ttl 63, id 64547, len 88)
22:48:07.984046 103.236.xxx.xxx.22 > 194.193.xxx.xxx.60497: P [tcp sum ok] 1:37(36) ack 36 win 1035 <nop,nop,timestamp 2548809892 1005614369> (DF) [tos 0x8] (ttl 56, id 0, len 88)
22:48:07.985298 103.236.xxx.xxx.22 > 194.193.xxx.xxx.60497: P [tcp sum ok] 37:81(44) ack 36 win 1035 <nop,nop,timestamp 2548809892 1005614369> (DF) [tos 0x8] (ttl 56, id 0, len 96)
22:48:07.985333 103.236.xxx.xxx.22 > 194.193.xxx.xxx.60497: P [tcp sum ok] 81:133(52) ack 36 win 1035 <nop,nop,timestamp 2548809892 1005614369> (DF) [tos 0x8] (ttl 56, id 0, len 104)
22:48:07.985684 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: . [tcp sum ok] 36:36(0) ack 37 win 2047 <nop,nop,timestamp 1005614387 2548809892> [tos 0x48] (ttl 63, id 51836, len 52)
22:48:07.986678 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: . [tcp sum ok] 36:36(0) ack 81 win 2047 <nop,nop,timestamp 1005614388 2548809892> [tos 0x48] (ttl 63, id 27571, len 52)
22:48:07.987287 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: . [tcp sum ok] 36:36(0) ack 133 win 2047 <nop,nop,timestamp 1005614388 2548809892> [tos 0x48] (ttl 63, id 47998, len 52)
22:48:08.306791 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: P [tcp sum ok] 36:80(44) ack 133 win 2048 <nop,nop,timestamp 1005614705 2548809892> [tos 0x48] (ttl 63, id 64091, len 96)
22:48:08.315519 103.236.xxx.xxx.22 > 194.193.xxx.xxx.60497: P 133:201(68) ack 80 win 1035 <nop,nop,timestamp 2548810223 1005614705> (DF) [tos 0x8] (ttl 56, id 0, len 120)
22:48:08.319338 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: . [tcp sum ok] 80:80(0) ack 201 win 2046 <nop,nop,timestamp 1005614716 2548810223> [tos 0x48] (ttl 63, id 28558, len 52)
22:48:08.655410 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: P [tcp sum ok] 80:116(36) ack 201 win 2048 <nop,nop,timestamp 1005615043 2548810223> [tos 0x48] (ttl 63, id 942, len 88)
22:48:08.664213 103.236.xxx.xxx.22 > 194.193.xxx.xxx.60497: P [tcp sum ok] 201:245(44) ack 116 win 1035 <nop,nop,timestamp 2548810572 1005615043> (DF) [tos 0x8] (ttl 56, id 0, len 96)
22:48:08.667481 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: . [tcp sum ok] 116:116(0) ack 245 win 2047 <nop,nop,timestamp 1005615061 2548810572> [tos 0x48] (ttl 63, id 26516, len 52)
22:48:14.901135 103.236.xxx.xxx.22 > 194.193.xxx.xxx.60497: P 245:353(108) ack 116 win 1035 <nop,nop,timestamp 2548816807 1005615061> (DF) [tos 0x8] (ttl 56, id 0, len 160)
22:48:14.901248 103.236.xxx.xxx.22 > 194.193.xxx.xxx.60497: P [tcp sum ok] 353:405(52) ack 116 win 1035 <nop,nop,timestamp 2548816807 1005615061> (DF) [tos 0x8] (ttl 56, id 0, len 104)
22:48:14.903387 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: . [tcp sum ok] 116:116(0) ack 353 win 2046 <nop,nop,timestamp 1005621275 2548816807> [tos 0x48] (ttl 63, id 4672, len 52)
22:48:14.903436 194.193.xxx.xxx.60497 > 103.236.xxx.xxx.22: . [tcp sum ok] 116:116(0) ack 405 win 2047 <nop,nop,timestamp 1005621275 2548816807> [tos 0x48] (ttl 63, id 11209, len 52)
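
Editor's added example (not a file from either participant in this thread): the ruleset from Felix's post rewritten the way Stuart suggests, with an explicit default-deny rule so that every flow through the box is accounted for by a stateful pass rule rather than by pf's implicit, stateless pass. The macros, queue, NAT and the two inbound pass rules are taken from the post; the `block log all` line is Stuart's suggestion; the LAN-side and IPv6 housekeeping rules at the end, the negated `on ! $egress` ifspec (used so that no LAN interface name has to be assumed) and the MSS value are this example's own assumptions. The MSS is lowered to 1400 because pppoe0 in the post carries `mtu 1440` and the IPv4 plus TCP headers take 40 bytes of that; the post's `max-mss 1440` fits the default PPPoE MTU of 1492, not an interface clamped to 1440.

```pf
# Added example for the thread above, not the original poster's pf.conf.
egress = "pppoe0"
zappa  = "10.0.1.2"

set skip on lo
# PPPoE frames ride on vlan2; the IP side is filtered on pppoe0, so pf
# has nothing useful to do on the VLAN carrying the PPPoE session.
set skip on vlan2
set block-policy drop
set loginterface $egress

queue outq on $egress bandwidth 13M max 13M flows 1024 qlimit 1024 default

match in inet all scrub (no-df random-id)
# Clamp the MSS below what the link can carry: mtu 1440 - 40 bytes of
# IPv4 + TCP header = 1400. (Assumed value; the post used 1440, which is
# only correct for the default PPPoE MTU of 1492.)
match on $egress inet scrub (max-mss 1400)
# NAT all outbound IPv4 traffic from the rest of our network
match out on $egress inet from !($egress:network) to any nat-to ($egress:0)

antispoof quick for lo

# Default deny, as suggested in the thread. Without this line anything not
# matched by a pass rule is let through by pf's implicit pass, which creates
# no state. With it, every flow that exists was admitted by one of the
# stateful rules below, and "pfctl -ss" shows all of them.
block log all

# Services offered by the router itself on the egress side.
pass in on $egress proto { tcp udp } from any to ($egress) port { ssh http https }
# Port-forward 51022 to zappa's sshd. The pass rule creates the state that
# carries the translated flow out to the LAN; no separate pass out on the
# LAN interface is needed with pf's default floating state policy.
pass in on $egress proto tcp from any to ($egress) port 51022 rdr-to $zappa port ssh

# Assumed additions so the default deny does not break the rest of the setup.
# Pass rules keep state by default, so replies to these flows come back
# through their state entries rather than through the block rule.
pass out
# Traffic arriving from the LAN side (anything that is not the egress
# interface); replace with the real internal interface if preferred.
pass in on ! $egress
# IPv6 on the PPPoE link: router advertisements and other ICMPv6 that the
# link needs, plus DHCPv6 replies for dhcp6c. The server answers from its
# unicast address, not the multicast address the Solicit went to, so the
# reply does not match the outbound state and needs its own pass in.
pass in on $egress inet6 proto icmp6
pass in on $egress inet6 proto udp from any port 547 to any port 546
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; with `block log all` in place, `tcpdump -n -e -ttt -i pflog0` shows exactly which inbound packets are being dropped, which is the quickest way to tell a filtering problem from a link-layer one.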
