Hello,

Managed to figure it out.

Apparently one also needs to specify the default gateway of the
interface in question (vlan10 in this case).

So this set works:
table <vlan10_gw> { 4.3.2.1 }
pass in quick on vlan10 proto icmp reply-to (vlan10 <vlan10_gw>)

Does anyone have any idea why? From the generated rule it is obvious, but the
above syntax leaves some things to be wanted.
# pfctl -vnf /etc/pf.conf | grep reply-to
pass in quick on vlan10 inet proto icmp all keep state (pflow)
reply-to 4.3.2.1@vlan10

On Thu, Dec 19, 2019 at 2:26 PM <open...@kene.nu> wrote:
>
> Hello,
>
> I am trying out the reply-to option in pf to force icmp echo replies
> back on the same interface (vlan10) where they came in.
>
> The problem I am seeing is that the destination mac address of the
> replies are set to ethernet next-hop of the default route (vlan11).
>
> Am I using this correctly?
>
> My ruleset:
> include '/etc/pf.d/tables.pf'
> set ruleset-optimization none
> set limit states 2000000
> set state-policy floating
> set block-policy return
> set state-defaults pflow
> pass in quick on vlan10 proto icmp reply-to vlan10
> block log (all, to pflog0) # Default block
> pass quick proto carp keep state (no-sync)
> block out quick on vlan10 from any to <rfc1918_networks>
> pass out on vlan10 label vlan10 # egress ISP1
> match out on vlan10 from <rfc1918_networks> to any nat-to carp10
> block out quick on vlan11 from any to <rfc1918_networks>
> pass out on vlan11 label vlan11
> match out on vlan11 from <rfc1918_networks> to any nat-to carp11 # NAT via carp11
> pass out quick on vlan10 proto icmp from vlan11 route-to (vlan11 <vlan11_gw>)
> pass out quick on vlan11 proto icmp from vlan10 route-to (vlan10 <vlan10_gw>)
> pass quick proto icmp
>
> Uname -a:
> # uname -a
> OpenBSD fw2 6.6 GENERIC.MP#3 amd64
>
> tcpdump:
> # tcpdump -eni vlan10 icmp
> tcpdump: listening on vlan10, link-type EN10MB
> 13:15:14.962096 00:24:c4:c0:b6:c0 3c:ec:ef:40:33:fc 0800 98: 1.1.1.1 > 4.3.2.2: icmp: echo request
> 13:15:14.962113 3c:ec:ef:40:33:fc 38:90:a5:73:c2:3f 0800 98: 4.3.2.2 > 1.1.1.1: icmp: echo reply
>
> arp:
> # arp -an | grep 00:24:c4:c0:b6:c0
> 4.3.2.1                       00:24:c4:c0:b6:c0  vlan10 19m25s
> # arp -an | grep 38:90:a5:73:c2:3f
> 1.2.3.4                        38:90:a5:73:c2:3f  vlan11 20m0s
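As an added example that is not part of the thread, a small shell lint that flags pf rules using the bare-interface form of reply-to/route-to/dup-to (the form the original ruleset used, `reply-to vlan10`) so the working form with an explicit next hop, `reply-to (vlan10 <vlan10_gw>)`, can be enforced across a pf.conf before loading it. The sample ruleset is constructed from the thread's rules; the table name vlan10_gw is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint a pf.conf for route options that
# name only an interface. Without a gateway in parentheses, pf has no next hop
# for the reply and the frame is addressed to the default route's neighbour,
# which is the symptom seen in the tcpdump above.

# Constructed sample ruleset mirroring the thread's rules (two bad, two good).
SAMPLE_PF_CONF='table <vlan10_gw> { 4.3.2.1 }
pass in quick on vlan10 proto icmp reply-to vlan10
pass out quick on vlan11 proto icmp from vlan10 route-to (vlan10 <vlan10_gw>)
pass in quick on vlan10 proto tcp to port 22 reply-to vlan10 # no gateway given
pass in quick on vlan10 proto icmp reply-to (vlan10 <vlan10_gw>)'

# Print "line: rule" for every reply-to/route-to/dup-to that is not followed by
# an opening parenthesis, i.e. that lacks the "(interface gateway)" form.
# Exit status: 0 when the ruleset is clean, 1 when at least one rule is flagged.
lint_pf_routeto() {
    printf '%s\n' "$1" | awk '
        # drop trailing comments so text after "#" is never inspected
        { sub(/#.*/, "") }
        /(reply-to|route-to|dup-to)[[:space:]]+[^(]/ {
            print NR ": " $0
            bad++
        }
        END { exit (bad > 0) }'
}

# Number of flagged rules, for use in scripts or tests.
count_bare_routeto() {
    lint_pf_routeto "$1" | wc -l | tr -d ' '
}

# Usage on a real file: lint_pf_routeto "$(cat /etc/pf.conf)" && pfctl -nf /etc/pf.conf
```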
