On 19/08/2021 19:01, Stefan Sperling wrote:
>> Any idea?
> I suspect the packets towards vether0 are being dropped by pf.
> What does your pf.conf look like?
I have been looking in that direction, and reduced my pf.conf to this:
----
default_tcp_ports="{ 22 }"
set block-policy return
set skip on lo0
set skip on bridge0
set skip on vether0
anchor tables
block drop # block stateless traffic
pass out # establish keep-state
anchor letsencrypt_traffic
pass in on cnmac2 inet proto icmp from 192.168.1.0/24 to \
( cnmac2 ) keep state
pass in on cnmac2 inet proto tcp from any to \
( cnmac2 ) port $default_tcp_ports flags S/SA keep state
----
> Do you see anything related in tcpdump -n -i pflog0, provided you're
> using 'log' statements on your block rules in pf.conf?
I wasn't, so I switched "block drop" for "block drop log", and I saw the
DHCP requests in the output of "tcpdump -n -i pflog0". First, it puzzled
me that PF was the culprit, when I had specified "set skip" on bridge0
and vether0. Then, I realised I didn't "set skip" on the physical
interfaces of the bridge, cnmac0 and cnmac1.
I still need to adjust things a bit, but thanks already for putting me
on the right track!
--
Étienne
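The check this thread arrives at, written up as an added example (not code from the thread or from OpenBSD): a small POSIX shell lint that compares the member ports of a bridge(4), as printed by ifconfig, with the interfaces that pf.conf skips, and lists the members pf will still filter. Packets that enter the bridge on a physical member are filtered on that member before they ever reach bridge0 or vether0, so "set skip on bridge0" and "set skip on vether0" alone leave them subject to the block rule. The ifconfig and pf.conf text embedded below is constructed to mirror the setup in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: report bridge member interfaces that
# have no "set skip on" entry in pf.conf and are therefore still filtered.

# Constructed stand-in for `ifconfig bridge0` output: bridge0 spans the
# physical ports cnmac0 and cnmac1 plus the virtual vether0, as in the thread.
SAMPLE_IFCONFIG='bridge0: flags=41<UP,RUNNING>
        index 6 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        cnmac0 flags=3<LEARNING,DISCOVER>
                port 1 ifpriority 0 ifcost 0
        cnmac1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        vether0 flags=3<LEARNING,DISCOVER>
                port 5 ifpriority 0 ifcost 0'

# Constructed stand-in for the reduced pf.conf posted in the thread.
SAMPLE_PFCONF='set block-policy return
set skip on lo0
set skip on bridge0
set skip on vether0
block drop log
pass out'

# bridge_members: print each member port named in ifconfig output.
# Member lines have the form "<ifname> flags=...", while the bridge's own
# header line ends its name with a colon and so does not match.
bridge_members() {
  printf '%s\n' "$1" | awk '$1 ~ /^[a-z]+[0-9]+$/ && $2 ~ /^flags=/ { print $1 }'
}

# skipped_ifaces: print every interface named in a "set skip on" line,
# one per line; handles both "set skip on em0" and "set skip on { em0 em1 }".
skipped_ifaces() {
  printf '%s\n' "$1" | sed -n 's/^set skip on //p' | tr -d '{}' \
    | tr ' ' '\n' | grep -v '^$'
}

# members_without_skip: bridge members that pf will still filter.
# $1 = ifconfig output for the bridge, $2 = pf.conf text.
members_without_skip() {
  for m in $(bridge_members "$1"); do
    if ! skipped_ifaces "$2" | grep -qx "$m"; then
      printf '%s\n' "$m"
    fi
  done
}

# On a real OpenBSD host the call would be (not run here):
#   members_without_skip "$(ifconfig bridge0)" "$(cat /etc/pf.conf)"
# With the constructed inputs it prints cnmac0 and cnmac1.
members_without_skip "$SAMPLE_IFCONFIG" "$SAMPLE_PFCONF"
```

A member the lint reports needs either its own "set skip on" line or explicit pass rules; which one is right depends on the member, since "set skip" turns pf off entirely on that interface, which is what you want for a trusted internal port but not for one that faces the outside. Combined with "block drop log" and "tcpdump -n -i pflog0", this gives a quick way to confirm that the blocked DHCP traffic was arriving on an unlisted member.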