Hi,

It seems that since the latest update of PF in FreeBSD 14.1, mtr doesn't provide 
a correct trace using the default mode. It works with the `--udp` and `-T` options, 
so it doesn't seem to be an issue with the next hop. Also, mtr works perfectly 
on the firewall machine. The issue only happens on the NATed machines on the LAN 
behind it. No issue with IPv6.

I tried to change the config or pass everything, but I still reproduce the 
issue. Any idea to troubleshoot/fix it is welcome :)


Example of a trace:

```
MacBook-Pro-de-Benoit-8.local (10.0.1.62) -> 1.1.1.1 (1.1.1.1)    2024-09-18T11:32:29+0200
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.0.1.1                          0.0%    11    4.7   6.4   3.6  22.6   5.7
 2. (waiting for reply)
 3. (waiting for reply)
 4. (waiting for reply)
 5. (waiting for reply)
 6. one.one.one.one                   0.0%    10    6.8   6.6   5.6  11.7   1.8
```

The configuration of PF is the following

```
table <lan> persist file "/etc/pf/lan.tbl"
IP_OUT = "<EDITED>"

ext_if = "vlan200"
vlan_ifs = "{ vlan10, vlan20, vlan30, vlan31, vlan110, vlan120 }"

# Options
set block-policy drop
set skip on lo

# Normalization
scrub in all fragment reassemble  # Normalize and reassemble fragmented packets
#scrub in all

# nat
nat from <lan> to !<lan> -> $IP_OUT

# Explicitly block unroutable addresses
antispoof quick for ($ext_if)
#pass proto icmp all

# Drop invalid packets
block in quick on $ext_if inet proto tcp all flags FUP/FUP    # Dropping invalid TCP packets
block in quick on $ext_if inet proto tcp all flags S/SAFRUP   # Dropping weird flags

# Allow all outgoing traffic from the internal network (LAN)
pass out on $ext_if from any to any keep state

# Allow incoming established and related connections (untracked)
pass in on $ext_if proto tcp from any to any flags S/SA modulate state
pass in on $ext_if proto { udp, icmp, icmp6 } from any to any keep state

# Allow ICMP traffic for mtr (Echo Request, Echo Reply, Time Exceeded)
pass in inet proto icmp icmp-type { echoreq, echorep, timex } keep state
pass out inet proto icmp icmp-type { echoreq, echorep, timex } keep state
```

I also tried a simpler version:

```
# Allow all outgoing traffic
pass out on $ext_if all

# Allow all incoming ICMP
pass in inet proto icmp from any to any
```

While there are no errors, mtr on the LAN still doesn't work. I have also tried to 
log it:

```
pass in log proto icmp all
```

but no log appears. I am clueless right now. It seems the error is related to 
`ICMP time exceeded in-transit`, but I thought the issue would be solved by the 
configuration below. What am I missing?

Benoît
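An added troubleshooting example, not part of the original mail: capture `tcpdump -nn -v 'icmp[icmptype] = icmp-timxceed'` on the external interface and on the LAN interface at the same time, then correlate the time-exceeded replies by the echo request they quote, so you can see whether PF receives them on `$ext_if` but never translates/forwards them to the LAN host. The captures below are constructed samples in tcpdump `-nn -v` style; 198.51.100.7 stands in for the firewall's NAT address (`$IP_OUT`), 10.0.1.62 is the LAN host running mtr, and 203.0.113.x are hypothetical upstream hops.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample captures (not real output from the poster's firewall).
# Each time-exceeded message is followed by the quoted inner echo request.
EXT_CAPTURE = """\
11:32:29.000101 IP (tos 0xc0, ttl 63, id 0, offset 0, flags [none], proto ICMP (1), length 56)
    203.0.113.1 > 198.51.100.7: ICMP time exceeded in-transit, length 36
        IP (tos 0x0, ttl 1, id 42, offset 0, flags [none], proto ICMP (1), length 64)
    198.51.100.7 > 1.1.1.1: ICMP echo request, id 4321, seq 2, length 44
11:32:29.000202 IP (tos 0xc0, ttl 62, id 0, offset 0, flags [none], proto ICMP (1), length 56)
    203.0.113.2 > 198.51.100.7: ICMP time exceeded in-transit, length 36
        IP (tos 0x0, ttl 1, id 43, offset 0, flags [none], proto ICMP (1), length 64)
    198.51.100.7 > 1.1.1.1: ICMP echo request, id 4321, seq 3, length 44
"""
LAN_CAPTURE = """\
11:32:29.000150 IP (tos 0xc0, ttl 62, id 0, offset 0, flags [none], proto ICMP (1), length 56)
    203.0.113.1 > 10.0.1.62: ICMP time exceeded in-transit, length 36
        IP (tos 0x0, ttl 1, id 42, offset 0, flags [none], proto ICMP (1), length 64)
    10.0.1.62 > 1.1.1.1: ICMP echo request, id 4321, seq 2, length 44
"""

OUTER = re.compile(r"^\s*(\S+) > (\S+): ICMP time exceeded in-transit")
INNER = re.compile(r"^\s*(\S+) > (\S+): ICMP echo request, id (\d+), seq (\d+)")


def parse_time_exceeded(capture: str) -> List[Dict[str, str]]:
    """Pair every time-exceeded line with the quoted echo request that follows it."""
    records, pending = [], None
    for line in capture.splitlines():
        m = OUTER.match(line)
        if m:
            pending = {"hop": m.group(1), "outer_dst": m.group(2)}
            continue
        m = INNER.match(line)
        if m and pending is not None:
            pending.update(inner_src=m.group(1), inner_dst=m.group(2), seq=m.group(4))
            records.append(pending)
            pending = None
    return records


def missing_on_lan(ext: str, lan: str) -> List[Tuple[str, str]]:
    """(hop, seq) of replies seen on ext_if that never reached the LAN host.
    Correlate on hop + probe target + seq; the echo id is ignored because NAT may rewrite it."""
    delivered = {(r["hop"], r["inner_dst"], r["seq"]) for r in parse_time_exceeded(lan)}
    return [(r["hop"], r["seq"]) for r in parse_time_exceeded(ext)
            if (r["hop"], r["inner_dst"], r["seq"]) not in delivered]
```

A non-empty result means the upstream hop did answer and the reply arrived at the firewall, so the gap is in PF's translation or forwarding of the ICMP error rather than on the path; an empty result with mtr still showing "waiting for reply" points at the LAN host side instead.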
