Thomas Huber <miracu...@gmail.com> wrote:
> Hi misc,
>
> my current pf setup works fine, but I face the problem that NAT does not
> work directly after system boot. Only when I do a
>
> # pfctl -f /etc/pf.conf
>
> after booting are things working correctly.
> Note: I don't make any changes to pf.conf.
>
> Anybody any idea?
>
> General Setup:
> Hardware: PCengines APU2c4
> 2x vlan(4): vlan32 (private) vlan64 (wifi-guests)
> 2x pppoe(4): ADSL-uplink.
>
> Thanks!
>
> Here is the pf.conf:
>
> table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>     172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>     192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
>     203.0.113.0/24 }
> set block-policy drop
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> match out on pppoe0 from vlan:network nat-to (pppoe0)
> match out on pppoe1 from vlan:network nat-to (pppoe1)
> block in quick on pppoe from <martians> to any
> block return out quick on pppoe from any to <martians>
> block all
> pass out quick inet
>
> pass out on vlan to vlan:network
> pass in quick on vlan from vlan:network to vlan
>
> pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)} \
>     least-states sticky-address
> pass in on vlan proto tcp to port https route-to {(pppoe0 pppoe0:network), \
>     (pppoe1 pppoe1:network)} source-hash
>
> block return in on vlan from vlan64:network to vlan32:network
> block return in on vlan inet proto tcp from any to any port 25
> pass in on egress inet proto icmp all
> pass in on egress inet proto tcp from any to (egress) port ssh
I think it's due to pppoe0 not being initialized when pf starts. The same thing happens using tun0 from OpenVPN, for example.
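As an added check that is not part of this thread (example script, neither the poster's nor OpenBSD's own code): given a pf.conf and a saved copy of `ifconfig -a` output, it prints the interface names the rules refer to that do not exist in that listing, which is the situation the reply above describes for pppoe0. The sample pf.conf and ifconfig output inside the script are constructed, trimmed stand-ins for the poster's setup; the script assumes interface names are a driver name plus unit number (pppoe0, vlan32) and skips interface groups such as pppoe, vlan and egress.

```shell
#!/bin/sh
# Added example (not from the thread): report interface names a pf.conf
# refers to that are absent from an "ifconfig -a" listing, e.g. one saved
# at the moment pf loaded during boot. A name is taken to be driver plus
# unit number (pppoe0, vlan32); groups (pppoe, vlan, egress) carry no unit
# and are skipped, as are other tokens. Caveat: a bare hex IPv6 word such
# as "fe80" also matches the pattern and would appear as a false positive.

# pf_ifaces CONF: distinct driver+unit names mentioned in CONF, sorted.
pf_ifaces() {
    # drop comments, split into identifier-like tokens, keep nameN tokens
    sed -e 's/#.*//' "$1" |
        tr -cs 'A-Za-z0-9_\n' '\n' |
        grep -E '^[a-z]+[0-9]+$' |
        sort -u
}

# live_ifaces IFCONFIG: interface names from saved "ifconfig -a" output;
# header lines look like "pppoe0: flags=..." at column 0.
live_ifaces() {
    sed -n -E 's/^([a-z]+[0-9]+): flags=.*/\1/p' "$1" | sort -u
}

# missing_ifaces CONF IFCONFIG: names in CONF with no interface in IFCONFIG.
missing_ifaces() {
    want=$(mktemp) have=$(mktemp)
    pf_ifaces "$1" >"$want"
    live_ifaces "$2" >"$have"
    comm -23 "$want" "$have"     # lines present only in the first file
    rm -f "$want" "$have"
}

# Constructed sample pf.conf, trimmed from the one posted above.
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
set skip on lo0
match out on pppoe0 from vlan:network nat-to (pppoe0)
match out on pppoe1 from vlan:network nat-to (pppoe1)
pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)} \
    least-states sticky-address
block return in on vlan from vlan64:network to vlan32:network
pass in on egress inet proto tcp from any to (egress) port ssh
EOF

# Constructed "ifconfig -a" as it might look while pf loads: the VLANs
# exist, the PPPoE sessions do not yet.
IFC=$(mktemp)
cat >"$IFC" <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	status: active
vlan32: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.32.1 netmask 0xffffff00 broadcast 192.168.32.255
vlan64: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.64.1 netmask 0xffffff00 broadcast 192.168.64.255
EOF

# Prints pppoe0 and pppoe1 for the sample input.
missing_ifaces "$CONF" "$IFC"
```

To use it on a real box, replace the two heredocs with the actual /etc/pf.conf and an `ifconfig -a` listing saved at the time pf loaded; an empty result means every explicitly named interface existed when the rules were read.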