Hi Solene, thanks, that's something I had also in mind.
But how can I address this? The system should come up by itself without any manual interaction.

--mirac

On Thu, 26 Jul 2018 at 12:07, Solene Rapenne <sol...@perso.pw> wrote:
>
> Thomas Huber <miracu...@gmail.com> wrote:
> > Hi misc,
> >
> > my current pf setup works fine but I face the problem that NAT does not
> > work directly after system boot. Only when I do a
> >
> > # pfctl -f /etc/pf.conf
> >
> > after booting are things working correctly.
> > Note: I don't make any changes to pf.conf.
> >
> > Anybody any idea?
> >
> > General Setup:
> > Hardware: PCengines APU2c4
> > 2x vlan(4): vlan32 (private) vlan64 (wifi-guests)
> > 2x pppoe(4): ADSL-uplink.
> >
> > Thanks!
> >
> > Here is the pf.conf:
> >
> > table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
> > 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
> > 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
> > 203.0.113.0/24 }
> > set block-policy drop
> > set skip on lo0
> > match in all scrub (no-df random-id max-mss 1440)
> > match out on pppoe0 from vlan:network nat-to (pppoe0)
> > match out on pppoe1 from vlan:network nat-to (pppoe1)
> > block in quick on pppoe from <martians> to any
> > block return out quick on pppoe from any to <martians>
> > block all
> > pass out quick inet
> >
> > pass out on vlan to vlan:network
> > pass in quick on vlan from vlan:network to vlan
> >
> > pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)}
> > least-states sticky-address
> > pass in on vlan proto tcp to port https route-to {(pppoe0 pppoe0:network),
> > (pppoe1 pppoe1:network)} source-hash
> >
> > block return in on vlan from vlan64:network to vlan32:network
> > block return in on vlan inet proto tcp from any to any port 25
> > pass in on egress inet proto icmp all
> > pass in on egress inet proto tcp from any to (egress) port ssh
>
> I think it's due to pppoe0 not initialized when pf starts. Same thing
> happens using tun0 from OpenVPN for example.
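As an added example (not part of this thread or of OpenBSD's own tooling), the script below scans a pf.conf and separates interface references that pf resolves once at ruleset load from those it tracks at runtime: pf.conf(5) translates interface names to addresses at load time unless the name is wrapped in its own parentheses, which is why a late-appearing pppoe0 or tun0 address is missed until a reload. The sample ruleset is constructed, modelled on the rules quoted above.

```shell
#!/bin/sh
# Added example: classify interface-address references in a pf.conf as
# "static" (expanded once when the ruleset is loaded) or "dynamic" (pf
# re-evaluates them whenever the interface address changes).

# Reads pf.conf text on stdin; prints "LINE<TAB>static|dynamic<TAB>TOKEN".
classify_iface_refs() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)            # strip comments
        gsub(/[{},]/, " ", line)        # list punctuation is not part of a token
        n = split(line, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "") continue
            # (ifname) or (ifname:modifier): tracked at runtime.
            # ifname:modifier without its own parentheses: load-time only; a
            # trailing ")" there belongs to the route-to pool syntax
            # "(iface addr)", which does not make the address dynamic.
            if (t ~ /^\([A-Za-z][A-Za-z0-9_]*(:(network|broadcast|peer|0))?\)$/) {
                print NR "\tdynamic\t" t
            } else if (t ~ /^[A-Za-z][A-Za-z0-9_]*:(network|broadcast|peer|0)\)?$/) {
                sub(/\)$/, "", t)
                print NR "\tstatic\t" t
            }
        }
    }'
}

# Number of load-time references: the ones to recheck against interfaces
# that get their address late, such as pppoe(4) or tun(4).
count_static_refs() {
    classify_iface_refs | awk -F '\t' '$2 == "static" { c++ } END { print c + 0 }'
}

# Constructed sample ruleset (not a real configuration).
SAMPLE_PF_CONF='match out on pppoe0 from vlan:network nat-to (pppoe0)
pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)} least-states
pass in on egress inet proto tcp from any to (egress) port ssh'

# Usage on a live system would be: classify_iface_refs < /etc/pf.conf
printf '%s\n' "$SAMPLE_PF_CONF" | classify_iface_refs
printf 'static references: %s\n' "$(printf '%s\n' "$SAMPLE_PF_CONF" | count_static_refs)"
```

Note that the route-to pools report pppoe0:network and pppoe1:network as static even though they sit inside parentheses, because those parentheses are part of the pool syntax rather than the dynamic-address marker.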