https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
--- Comment #39 from j...@netgate.com ---

(In reply to Kevin Ong from comment #33)

You're missing a couple sysctl OIDs. For the default enc0 filtering mode, use the following sysctl values:

    net.inet.ipsec.filtertunnel = 0x0000
    net.inet6.ipsec6.filtertunnel = 0x0000
    net.enc.out.ipsec_bpf_mask = 0x0001
    net.enc.out.ipsec_filter_mask = 0x0001
    net.enc.in.ipsec_bpf_mask = 0x0002
    net.enc.in.ipsec_filter_mask = 0x0002

For if_ipsec filtering:

    net.inet.ipsec.filtertunnel = 0x0001
    net.inet6.ipsec6.filtertunnel = 0x0001
    net.enc.out.ipsec_bpf_mask = 0x0000
    net.enc.out.ipsec_filter_mask = 0x0000
    net.enc.in.ipsec_bpf_mask = 0x0000
    net.enc.in.ipsec_filter_mask = 0x0000

(In reply to jeremy.mordkoff from comment #35)

Since the sysctl OIDs mentioned in this thread control whether you filter only on *either* enc0 or the if_ipsec interfaces and not both at once, depending on the sysctl values, you need to set up rules on the if_ipsec interfaces to let the VTI traffic pass. At the moment, pfSense software doesn't have a way to let you do that.

There is a patch on https://redmine.pfsense.org/issues/11395 which lets you choose to either filter on enc0 (for tunnel mode + basic VTI traffic) or filter on if_ipsec (full VTI filtering capabilities, including NAT, but drops all tunnel mode traffic). The VTI filtering mode exposes firewall rule tabs for assigned VTI interfaces which will allow you to do what you want. For info on how to use that or other issues specific to pfSense software you should post on the Netgate forum for assistance.

I'd still prefer there be a way to do both at once, but at least having a choice in the behavior is better than it being completely broken.

--
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
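The two sysctl sets above are only useful if all six OIDs are changed together; a box that has some of them from one set and some from the other filters neither path consistently. The following script is an added example (it is not code from the bug report, from FreeBSD, or from pfSense) that takes the six values in the order the comment lists them, classifies them as the enc0 set, the if_ipsec set, or a mixed state, and prints the sysctl(8) commands needed to move to one of the two known-good sets. The function names, the "mixed"/"unknown" labels, and the dry-run style of printing commands instead of applying them are choices of this example; reading the live values with `sysctl -n` assumes a FreeBSD host where the OIDs exist.

```shell
#!/bin/sh
# Added example: check and set the IPsec filtering-mode sysctls named in the
# bug comment. Not part of the bug report, FreeBSD, or pfSense.

# The six OIDs, in the same order the comment lists them. Values are taken in
# this order by every function below.
IPSEC_FILTER_OIDS="net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel \
net.enc.out.ipsec_bpf_mask net.enc.out.ipsec_filter_mask \
net.enc.in.ipsec_bpf_mask net.enc.in.ipsec_filter_mask"

# Normalise a sysctl value ("0x0001", "1") to a plain decimal integer so that
# the hex form shown by sysctl and the decimal form typed by hand compare equal.
to_int() {
    printf '%d\n' "$1"
}

# Classify six values (filtertunnel v4, filtertunnel v6, out bpf, out filter,
# in bpf, in filter). Prints "enc0", "if_ipsec" or "mixed". "mixed" means the
# values match neither complete set from the comment, i.e. the box is in the
# inconsistent state the thread is about.
ipsec_filter_mode() {
    [ $# -eq 6 ] || { echo "usage: ipsec_filter_mode v1 v2 v3 v4 v5 v6" >&2; return 2; }
    ft4=$(to_int "$1"); ft6=$(to_int "$2")
    obpf=$(to_int "$3"); ofil=$(to_int "$4")
    ibpf=$(to_int "$5"); ifil=$(to_int "$6")
    if [ "$ft4" -eq 0 ] && [ "$ft6" -eq 0 ] && [ "$obpf" -eq 1 ] && \
       [ "$ofil" -eq 1 ] && [ "$ibpf" -eq 2 ] && [ "$ifil" -eq 2 ]; then
        echo enc0
    elif [ "$ft4" -eq 1 ] && [ "$ft6" -eq 1 ] && [ "$obpf" -eq 0 ] && \
         [ "$ofil" -eq 0 ] && [ "$ibpf" -eq 0 ] && [ "$ifil" -eq 0 ]; then
        echo if_ipsec
    else
        echo mixed
    fi
}

# Print the sysctl commands that put the host into the given mode, one per
# line, without running them. Pipe the output to sh (as root) to apply.
ipsec_mode_commands() {
    case "$1" in
        enc0)     set -- 0 0 1 1 2 2 ;;
        if_ipsec) set -- 1 1 0 0 0 0 ;;
        *) echo "usage: ipsec_mode_commands enc0|if_ipsec" >&2; return 2 ;;
    esac
    i=1
    for oid in $IPSEC_FILTER_OIDS; do
        eval "v=\$$i"
        echo "sysctl $oid=$v"
        i=$((i + 1))
    done
}

# Read the live values and classify them. Prints "unknown" and fails on a
# host where the OIDs cannot be read (non-FreeBSD, or the ipsec/enc modules
# not loaded).
ipsec_live_mode() {
    vals=""
    for oid in $IPSEC_FILTER_OIDS; do
        v=$(sysctl -n "$oid" 2>/dev/null) || { echo unknown; return 1; }
        vals="$vals $v"
    done
    # shellcheck disable=SC2086  # word splitting is intended here
    ipsec_filter_mode $vals
}

# Stand-alone use: report the live mode, then show how to reach enc0 mode.
if [ "${0##*/}" = "ipsec_filter_mode.sh" ]; then
    echo "current mode: $(ipsec_live_mode)"
    echo "to switch to enc0 filtering, run as root:"
    ipsec_mode_commands enc0
fi
```

Run `ipsec_live_mode` first; a result of "mixed" is the state to fix before debugging pass/block behaviour, since neither the enc0 rules nor the if_ipsec rules are seeing all the traffic. Because the two sets are mutually exclusive, as the comment says, `ipsec_mode_commands` always emits all six OIDs rather than letting an operator flip one at a time.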