Friday, July 28, 2023

Re: Routing multiple IPv4 blocks

Hello,

Just a quick response to say it works now.

Stuart, I realised that there were a lot more problems with the rules
than you pointed out; my entire pf.conf was all over the place. I do not
know what I was thinking 6 months ago when the majority of this was written.

There was indeed a problem with the NAT, along with the external port
forwarding, and the reason quick was not working is a funny one: if
you look at the /29 rules, you will see that I did:

pass in quick on $wan from $staticv4b1 to any keep state

Such a stupid mistake: you are not going to get inbound connections from
your own address from the WAN. I simply put it on the wrong side of the
"to", whoops. That is why the quick wasn't working and it was instead
being NAT'd; the quick would have prevented this issue, but because it
did not satisfy the condition it went to the NAT, which NAT'd all inet
packets.

I see why Zack recommends L2 instead of L3, because L3 is a lot easier
to mess up.

Thanks for all the help Stuart, and thank you Zack for pointing out
VLANs. It is something I should learn, and yes, it is not a "complex"
topic, and is something I should learn if I want to become better at
networking, but how I have set up my network right now is how I wanted
it. That doesn't mean I can't go mess with VLANs in a virtual
environment, for example. Also thank you for your off-list emails.

I did say back at the beginning of the thread that I expected one small
issue to be causing this; little did I know it was a lot of small issues
which combined caused a bigger problem. If in doubt, re-read your
pf.conf 100x over until something jumps out at you. It was only when
Stuart pointed out some issues with the pf.conf that I saw all the other
problems with it.

Zack, I would like to point out that asking for a second pair of eyes is
not spoonfeeding, and this thread went on longer than it should have
mainly because of me going off topic, so I apologise for dragging it
out, and thus causing noise on the mailing list.

For those who emailed Zack agreeing with him, I am sorry you feel that
way towards me. I would like to point out I have never meant to cause
any offense to anyone on the list, and I apologise for speaking
misinformation that was told to me from others, without validating what
they were saying is true.

Again thank you to Stuart for helping me out for the past few days, and
pointing out the blatant problem.

I do have one question, if anyone is willing to answer it. I have on
and off specified "keep state" depending on when I wrote the rule, but
the following specifies it is the default:
https://www.openbsd.org/faq/pf/filter.html

So why do a lot of examples I see specify keep state if it is the
default? Is there any benefit of specifying it which I am missing?

Have a good night,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
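The direction mistake described in the post, shown as a constructed pf.conf fragment (added here for illustration; this is not the poster's actual pf.conf). The macro names $wan and $staticv4b1 are taken from the post; the interface name and the /29 prefix are placeholders.

```pf
# Constructed example; placeholder interface and RFC 5737 documentation prefix.
wan = "em0"
staticv4b1 = "203.0.113.8/29"

# Outbound NAT for the rest of the network. A "match" rule is applied to
# every packet that reaches it, so traffic not already handled by an earlier
# "quick" pass rule picks up nat-to on the way out.
match out on $wan inet nat-to ($wan)

# WRONG (the rule from the post): packets arriving on $wan are never sourced
# from our own /29, so this rule matches nothing and evaluation falls through.
# pass in quick on $wan from $staticv4b1 to any keep state

# FIXED: the /29 is the *destination* of inbound traffic on $wan. "keep state"
# is the default for pass rules (see the FAQ page linked above), so it can be
# omitted; writing it out is purely for readability.
pass in quick on $wan to $staticv4b1

# Check the ruleset before loading it, then watch the per-rule counters
# (Evaluations / Packets) to confirm the quick rule is actually matching:
#   pfctl -nf /etc/pf.conf
#   pfctl -vsr
```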
