On 26 July 2018 at 13:01, Thomas Huber <miracu...@gmail.com> wrote:
> Hi misc,
>
> my current pf setup works fine, but I face the problem that NAT does not
> work directly after system boot. Only when I do a
>
> # pfctl -f /etc/pf.conf
>
> after booting are things working correctly.
> Note: I don't make any changes to pf.conf.
>
> Anybody any idea?
>
> General Setup:
> Hardware: PCengines APU2c4
> 2x vlan(4): vlan32 (private) vlan64 (wifi-guests)
> 2x pppoe(4): ADSL-uplink.
>
> Thanks!
>
> Here is the pf.conf:
>
> table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
> 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
> 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
> 203.0.113.0/24 }
> set block-policy drop
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> match out on pppoe0 from vlan:network nat-to (pppoe0)
> match out on pppoe1 from vlan:network nat-to (pppoe1)
> block in quick on pppoe from <martians> to any
> block return out quick on pppoe from any to <martians>
> block all
> pass out quick inet
>
> pass out on vlan to vlan:network
> pass in quick on vlan from vlan:network to vlan
>
> pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)} least-states sticky-address
> pass in on vlan proto tcp to port https route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)} source-hash
>
> block return in on vlan from vlan64:network to vlan32:network
> block return in on vlan inet proto tcp from any to any port 25
> pass in on egress inet proto icmp all
> pass in on egress inet proto tcp from any to (egress) port ssh
Hello,

as Solene mentioned, it's because the interface is not ready. Maybe something like this (adapted from the iked.conf manual page): to all rules that mention pppoe, append (if-bound).

--
Regards,
Ville
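As an added illustration (not code from either poster, and independent of the (if-bound) suggestion above): the symptom in the thread is that a ruleset loaded before pppoe0/pppoe1 have negotiated an address only starts working after a manual `pfctl -f /etc/pf.conf`. The sh script below automates that manual reload by polling until each PPPoE interface actually has an IPv4 address, and refuses to reload otherwise. The ifconfig(8) output format it parses and the idea of starting it from rc.local(8) are assumptions, not something the thread states; the sample outputs are constructed from RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread: automate the "pfctl -f /etc/pf.conf"
# that Thomas reports is needed after boot, by waiting until the PPPoE
# interfaces have an IPv4 address before reloading the ruleset.
#
# Assumptions (not stated in the thread): OpenBSD ifconfig(8) prints a
# configured point-to-point address on a line such as
#     inet 203.0.113.5 --> 203.0.113.1 netmask 0xffffffff
# and this script is started from rc.local(8) after netstart has run.

# has_inet4 IFCONFIG_OUTPUT
# Returns 0 if the given ifconfig text contains a configured IPv4 address,
# 1 otherwise. It takes the text as an argument so it can be checked offline;
# "inet " with a trailing space deliberately does not match "inet6" lines.
has_inet4() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet [0-9][0-9.]* '
}

# wait_for_inet4 IFNAME MAX_SECONDS
# Polls ifconfig once per second until the interface has an IPv4 address.
# Returns 0 on success, 1 on timeout.
wait_for_inet4() {
    ifn=$1
    max=$2
    n=0
    while [ "$n" -lt "$max" ]; do
        if has_inet4 "$(ifconfig "$ifn" 2>/dev/null)"; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# reload_pf_when_up IFNAME...
# Reloads /etc/pf.conf only once every named interface has an address;
# otherwise leaves the boot-time ruleset alone and reports which interface
# is still down, so a half-negotiated uplink never triggers the reload.
reload_pf_when_up() {
    for ifn in "$@"; do
        if ! wait_for_inet4 "$ifn" 60; then
            echo "pf reload skipped: $ifn has no IPv4 address after 60s" >&2
            return 1
        fi
    done
    pfctl -f /etc/pf.conf
}

# Constructed sample ifconfig outputs (documentation addresses), used to
# exercise has_inet4 without a real pppoe(4) interface.
PPPOE_UP='pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: vlan7 state: session
        groups: pppoe egress
        inet 203.0.113.5 --> 203.0.113.1 netmask 0xffffffff'
PPPOE_DOWN='pppoe0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: vlan7 state: initial
        groups: pppoe egress'
PPPOE_V6_ONLY='pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        groups: pppoe egress
        inet6 fe80::1%pppoe0 prefixlen 64 scopeid 0x3'

# On the router (assumed placement: rc.local), run:
#     reload_pf_when_up pppoe0 pppoe1
```

The polling is deliberately bounded and the reload is skipped on timeout: a ruleset reloaded while an uplink is still negotiating would just reproduce the boot-time state the original post describes.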