On Fri, Oct 6, 2017 at 5:25 PM, Charles Amstutz <charl...@infinitesys.com> wrote:
> Should've also mentioned this oddity:
>
> So, if the firewall rules are uncommented (where I get the below error)
>
> no IP address found for pppx:network
> /etc/pf.conf:102: could not parse host specification
> no IP address found for pppx:network
> /etc/pf.conf:103: could not parse host specification
> no IP address found for pppx:network
> /etc/pf.conf:106: could not parse host specification
>
> And reboot, I can't connect. However, if I comment out those lines and then
> save/reload then uncomment, I can connect just fine.
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Charles Amstutz
> Sent: Friday, October 6, 2017 10:04 AM
> To: 'misc@openbsd.org' <misc@openbsd.org>
> Subject: Re: l2tp and openbsd 6.1
>
> Hello Noth,
>
> "Try pppx instead of pppx0, it'll work in pf.conf, including as a macro."
>
> I did!! I found another article that talked about the group. After reading this:
> http://frankgroeneveld.nl/2015/08/16/configuring-l2tp-over-ipsec-on-openbsd-for-mac-os-x-clients/
>
> However, I still get this error if I try to reload the firewall and no vpn
> client is established (thus the pppx group or pppx0 interface doesn't exist
> yet)... this is the same if I use pppx or pppx0
>
> no IP address found for pppx:network
> /etc/pf.conf:102: could not parse host specification
> no IP address found for pppx:network
> /etc/pf.conf:103: could not parse host specification
> no IP address found for pppx:network
> /etc/pf.conf:106: could not parse host specification
>
> If I remove :network, the same errors:
>
> no IP address found for pppx
> /etc/pf.conf:102: could not parse host specification
> no IP address found for pppx
> /etc/pf.conf:103: could not parse host specification
> no IP address found for pppx
> /etc/pf.conf:106: could not parse host specification
>
> However, if I comment out those lines, connect, then uncomment out the
> lines, things work as they should (it appears)
>
> It also seems as if I can't connect if I have those lines uncommented after a
> reboot.
>
> Many strange things.
>
> Thanks for the help everyone, I'm going to continue to research.

You can't use :network for interface groups like pppx. If you want to filter on IP or subnet, why don't you just type the actual IP or subnet in pf.conf?

--
:wq!