Hi all,
This is my first mail to an OpenBSD list, so I hope I chose the correct one.
I’m trying to get a GRE tunnel in combination with pf working for a few days now
on my OpenBSD (OpenBSD 7.0 (GENERIC.MP) #232: Thu Sep 30 14:25:29 MDT 2021).
If I disable pf with pfctl -d the connection is working and I can ping.
However, as soon as I enable pf with pfctl -e the ping stops working (even with
a configuration that should allow all traffic according to my understanding).
The GRE interface looks like:
gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
index 44 priority 0 llprio 6
encap: vnetid none txprio payload rxprio packet
groups: gre
tunnel: inet6 2a02:xxxx:yyy:zzz::1 --> 2a00:uuuu:vvvv:wwww::10 ttl 64
nodf ecn
inet6 fe80::20d:b9ff:fe44:ecdc%gre1051 --> prefixlen 64 scopeid 0x2c
inet6 2a01:qqq:rrrr:ss::2 --> prefixlen 128
The simplified pf rules look like:
pass
pass on gre proto gre no state
tcpdump shows the following:
doas tcpdump -nvei gre0 ip6 and icmp6 or proto gre
tcpdump: listening on gre0, link-type LOOP
19:29:15.124113 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45 seq:18) [icmp6 cksum ok] (len 64, hlim 64)
19:29:16.124438 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45 seq:19) [icmp6 cksum ok] (len 64, hlim 64)
19:29:17.124811 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45 seq:20) [icmp6 cksum ok] (len 64, hlim 64)
and
doas tcpdump -nvei em0 ip6 and icmp6 or proto gre
tcpdump: listening on em0, link-type EN10MB
19:51:06.126497 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45 seq:1329) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
19:51:07.126815 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 2a02:xxxx:yyy:zzz::11 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45 seq:1330) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
19:51:08.127252 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45 seq:1331) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
and
doas tcpdump -nvei pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
19:55:03.962579 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
19:55:04.964864 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
19:55:05.963947 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
Thanks in advance for any hints on how to solve this issue.
Best regards,
Markus
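Added reader's example, not part of Markus's mail: the pflog0 lines above carry the reason "ip-option", which pf reports when a packet with IP options or IPv6 extension headers (here a destination options header, option type 0x04, the RFC 2473 tunnel encapsulation limit) is matched by a pass rule that lacks allow-opts; the logged action shows the rule's verdict, but the packet is dropped. The script below parses those lines (re-joined, addresses as masked in the mail) and derives a candidate rule for the outer GRE packets; the field names and the rule shape are my assumptions, and the rule should be checked against the rest of the ruleset before use.

```python
import re

# Constructed sample: two pflog0 lines from the mail, re-joined where the mail
# client wrapped them (addresses stay as the poster masked them).
PFLOG_SAMPLE = """\
19:55:03.962579 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
19:55:04.964864 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
"""

# One tcpdump line on pflog0: "rule N/(reason) [uid, pid] ACTION DIR on IF: SRC > DST: payload"
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) \[[^\]]*\] "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$"
)
# Destination options header as tcpdump prints it; option type 0x04 is the
# RFC 2473 Tunnel Encapsulation Limit that the far tunnel endpoint inserted.
DSTOPT_RE = re.compile(r"DSTOPT \(type 0x(?P<type>[0-9a-f]+): len=(?P<len>\d+)\)")
OPT_NAMES = {0x04: "tunnel-encapsulation-limit"}

def parse_pflog_line(line):
    """Return a dict for one pflog record, or None for any other tcpdump line."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["ext_opts"] = [(int(t, 16), int(l)) for t, l in DSTOPT_RE.findall(rec["payload"])]
    proto = re.search(r"\b(gre|icmp6|tcp|udp)\b", rec["payload"])
    rec["proto"] = proto.group(1) if proto else "unknown"
    return rec

def suggest_rule(rec):
    """Narrowest pf rule (assumed shape) that accepts this packet with its options."""
    return (f"pass {rec['dir']} on {rec['ifname']} inet6 proto {rec['proto']} "
            f"from {rec['src']} to {rec['dst']} allow-opts")

def diagnose(text):
    """One finding per pflog line whose reason is ip-option: the matching rule
    lacks allow-opts, so pf dropped the packet despite the logged 'pass'."""
    findings = []
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["reason"] == "ip-option":
            opts = ", ".join(f"{OPT_NAMES.get(t, 'option')} 0x{t:02x} (len {l})"
                             for t, l in rec["ext_opts"])
            findings.append({"rule": rec["rule"], "ifname": rec["ifname"], "dir": rec["dir"],
                             "options": opts or "none parsed", "fix": suggest_rule(rec)})
    return findings

if __name__ == "__main__":
    for f in diagnose(PFLOG_SAMPLE):
        print(f"rule {f['rule']} dropped a packet {f['dir']} on {f['ifname']} carrying {f['options']}")
        print(f"  candidate rule: {f['fix']}")
```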