Topic: rdr action on GRE interface (Read 1775 times)
@Vorona (Newbie, Posts: 15, Karma: 0) wrote on April 10, 2022, 06:28:27 pm:
Hello!
I am trying to set up a transparent proxy on my OS, and I have a problem: my rdr rule does not work.
My situation:
There are 2 physical interfaces (LAN, WAN) and several GRE interfaces.
The GRE interfaces are the "LAN segment". I tried to add a port-forward rule to my firewall.
I got this rule in /tmp/rules.debug:
rdr pass on gre9 inet proto tcp from {any} to {87.250.250.242} port {80} -> 127.0.0.1 port 3128 #rule not works
This rule does not work, and traffic from the network behind the gre9 interface goes out directly.
But if I add the same rule for LAN, everything works for the network behind the LAN interface:
rdr pass on gre9 inet proto tcp from {any} to {87.250.250.242} port {80} -> 127.0.0.1 port 3128 #rule works
I see that the rule does not work on GRE interfaces. What am I doing wrong?
@Vorona, Reply #1 on April 10, 2022, 11:01:21 pm:
I found one more interesting thing:
None of the PF rules work on gre interfaces. All traffic just passes in every direction.
On the statistics page I see that all rdr rules on gre interfaces have 0 bytes/pkts (rules page). I also see something very strange: the gre interfaces show only outgoing traffic (incoming bytes/pkts is 0).
But in tcpdump I see both incoming and outgoing traffic.
@Vorona, Reply #2 on April 11, 2022, 07:42:55 pm:
I have new information:
I see this bug when I set up a GRE tunnel over IPsec (site-to-site, tunnel mode). When I set up a test with pure GRE, all rules work.
How do I fix it?
@Vorona, Reply #3 on April 13, 2022, 10:22:30 am:
Hello!
I found one thing. If GRE is terminated on the IPsec tunnel endpoints, the traffic does not go to the filter engine. But there is a kernel option, net.inet.ipsec.filtertunnel.
The default is 0. That means pf does not filter inbound traffic from tunnel interfaces associated with IPsec.
If I set this option to 1, all rules work. But I have one more IPsec tunnel without GRE, and with this option that tunnel drops outbound packets.
On the internet I found more kernel options which can affect this traffic:
net.enc.out.ipsec_bpf_mask
net.enc.out.ipsec_filter_mask
net.enc.in.ipsec_bpf_mask
net.enc.in.ipsec_filter_mask
What do I need to set up for the correct traffic flow: pure IPsec filtered on enc0, but GRE over IPsec filtered on greN?
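As an added example (not part of the original thread and not OPNsense project code), the following POSIX shell helpers automate the two checks the poster did by hand on the rules page and in sysctl: listing rdr rules on a given interface whose pf packet counter is still 0, and reading the net.inet.ipsec.filtertunnel / net.enc.* sysctls that decide where IPsec-carried traffic meets pf. The SAMPLE_PFCTL and SAMPLE_SYSCTL strings are constructed for offline testing; the interface name igb0 and all counter and sysctl values in them are made up and are not from the poster's firewall.

```shell
#!/bin/sh
# Diagnostic helpers for the "rdr rule on greN has 0 packets" symptom.
# On the OPNsense/FreeBSD box, run as:
#   pfctl -vsn | zero_hit_rdr_rules gre9
#   sysctl -a  | ipsec_filter_sysctls
#   sysctl -a  | filtertunnel_enabled && echo "inner tunnel traffic is filtered on greN"

# Print every rdr rule on interface $1 whose Packets counter is 0.
# pfctl -vsn prints each rule followed by a counter line like:
#   [ Evaluations: 12  Packets: 0  Bytes: 0  States: 0 ]
zero_hit_rdr_rules() {
    awk -v ifn="$1" '
        /^rdr / { rule = $0; next }
        /Evaluations:/ && rule != "" {
            pkts = -1
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            if (pkts == 0 && index(rule, " on " ifn " ") > 0) print rule
            rule = ""
        }'
}

# Show the sysctls discussed in the thread: filtertunnel plus the enc(4) masks.
ipsec_filter_sysctls() {
    grep -E '^net\.(inet\.ipsec\.filtertunnel|enc\.(in|out)\.ipsec_(bpf|filter)_mask)[:=]'
}

# Exit 0 when net.inet.ipsec.filtertunnel is 1, 1 otherwise (or when absent).
filtertunnel_enabled() {
    awk -F'[: =]+' '$1 == "net.inet.ipsec.filtertunnel" { v = $2 } END { exit (v == 1) ? 0 : 1 }'
}

# Constructed sample output (not real pfctl/sysctl data): one rdr on gre9 that
# never matched, one on a LAN interface named igb0 that did.
SAMPLE_PFCTL='rdr pass on gre9 inet proto tcp from any to 87.250.250.242 port = 80 -> 127.0.0.1 port 3128
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
rdr pass on igb0 inet proto tcp from any to 87.250.250.242 port = 80 -> 127.0.0.1 port 3128
  [ Evaluations: 418       Packets: 52        Bytes: 3960        States: 2     ]'

SAMPLE_SYSCTL='net.inet.ipsec.filtertunnel: 0
net.enc.out.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 1
net.enc.in.ipsec_filter_mask: 1
net.inet.ip.forwarding: 1'

# Offline demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_PFCTL" | zero_hit_rdr_rules gre9
printf '%s\n' "$SAMPLE_SYSCTL" | ipsec_filter_sysctls
```

A gre9 rdr that shows up in zero_hit_rdr_rules while tcpdump on gre9 sees inbound TCP/80 is the signature from the thread: the packets exist but never reach pf on that interface, which is what filtertunnel_enabled returning non-zero (filtertunnel 0) explains.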