Hi all, I got this information from Peter, which did the trick! I now have my complete rule-set with a block default policy working!
Thanks to David and Georg as well for their help!

Best regards
Markus

> Begin forwarded message:
>
> From: "Peter J. Philipp" <[email protected]>
> Subject: Re: GRE IP6/IP6 not working as soon as pf is enabled
> Date: 16. January 2022 at 08:03:39 CET
> To: Markus Wipp <[email protected]>
>
> Hi,
>
> You look like you might understand German so I have a German link for you:
>
> https://wiki.freifunk-franken.de/w/Benutzer:PeterPhilipp#GRE_konfigurieren_mit_pf_trick
>
> It seems that when the remote end is Linux that they put in an intermediate
> header with an empty option into the GRE packet. The "allow-opts" option
> should pass this in pf.
>
> Wish you best of luck!
>
> -peter
>
> On Sat, Jan 15, 2022 at 08:10:44PM +0100, Markus Wipp wrote:
>> Hi all,
>>
>> This is my first mail to an OpenBSD list, so I hope I chose the correct one.
>>
>> I'm trying to get a GRE tunnel in combination with pf working a few days
>> now
>> on my OpenBSD (OpenBSD 7.0 (GENERIC.MP) #232: Thu Sep 30 14:25:29 MDT 2021)
>>
>> If I disable pf with pfctl -d the connection is working and I can ping.
>> However as soon as I enable pf with pfctl -e the ping stops working (even
>> with a configuration that
>> should allow all traffic according to my understanding)
>>
>> The GRE interface looks like:
>>
>> gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1476
>>         index 44 priority 0 llprio 6
>>         encap: vnetid none txprio payload rxprio packet
>>         groups: gre
>>         tunnel: inet6 2a02:xxxx:yyy:zzz::1 --> 2a00:uuuu:vvvv:wwww::10 ttl 64
>> nodf ecn
>>         inet6 fe80::20d:b9ff:fe44:ecdc%gre1051 --> prefixlen 64 scopeid 0x2c
>>         inet6 2a01:qqq:rrrr:ss::2 --> prefixlen 128
>>
>> The simplified pf rule looks like:
>>
>> pass
>> pass on gre proto gre no state
>>
>> tcpdump shows the following:
>>
>> doas tcpdump -nvei gre0 ip6 and icmp6 or proto gre
>> tcpdump: listening on gre0, link-type LOOP
>> 19:29:15.124113 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo
>> request (id:9e45 seq:18) [icmp6 cksum ok] (len 64, hlim 64)
>> 19:29:16.124438 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo
>> request (id:9e45 seq:19) [icmp6 cksum ok] (len 64, hlim 64)
>> 19:29:17.124811 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo
>> request (id:9e45 seq:20) [icmp6 cksum ok] (len 64, hlim 64)
>>
>> and
>>
>> doas tcpdump -nvei em0 ip6 and icmp6 or proto gre
>> tcpdump: listening on em0, link-type EN10MB
>> 19:51:06.126497 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162:
>> 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd
>> 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45
>> seq:1329) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
>> 19:51:07.126815 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162:
>> 2a02:xxxx:yyy:zzz::11 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd
>> 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45
>> seq:1330) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
>> 19:51:08.127252 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162:
>> 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd
>> 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:9e45
>> seq:1331) (len 64, hlim 64) [flowlabel 0x367f] (len 108, hlim 64)
>>
>>
>> And
>>
>> doas tcpdump -nvei pflog0
>> tcpdump: WARNING: snaplen raised from 116 to 160
>> tcpdump: listening on pflog0, link-type PFLOG
>> 19:55:03.962579 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0:
>> 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1)
>> gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
>> 19:55:04.964864 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0:
>> 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1)
>> gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
>> 19:55:05.963947 rule 0/(ip-option) [uid 0, pid 74650] pass in on em0:
>> 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1)
>> gre [] 86dd [|ip6] [flowlabel 0xa8f7b] (len 116, hlim 243)
>>
>>
>> Thanks in advance for any hints on how to solve this issue
>>
>> Best regards
>> Markus
>>
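Added example (my own code, not from this thread, from pf or from OpenBSD): a small Python parser that walks the outer IPv6 extension-header chain the way the pflog lines above show it, and flags a Hop-by-Hop or Destination Options header sitting in front of the GRE header, which is the packet shape pf reports with reason "ip-option" and passes only with allow-opts. Option type 0x04 with length 1 is the Tunnel Encapsulation Limit option of RFC 2473; the packets, addresses and the limit value 4 below are constructed for this example.

```python
import struct

# Protocol / extension-header numbers used in this example.
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, GRE = 0, 43, 44, 60, 47
PAD1, PADN, TNL_ENCAP_LIMIT = 0, 1, 4  # option types; 4 = RFC 2473 Tunnel Encapsulation Limit

def parse_options(blob):
    """Return [(type, data)] from the option area of a Hop-by-Hop or Dest Options header."""
    opts, i = [], 0
    while i < len(blob):
        if blob[i] == PAD1:              # Pad1 is a lone type byte with no length
            opts.append((PAD1, b""))
            i += 1
        else:                            # every other option is type, length, data
            n = blob[i + 1]
            opts.append((blob[i], blob[i + 2:i + 2 + n]))
            i += 2 + n
    return opts

def walk_ipv6(pkt):
    """Follow the outer IPv6 header chain; return (next-header list, options seen)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, options = pkt[6], 40, [], []
    while nh in (HOPOPTS, ROUTING, FRAGMENT, DSTOPTS):
        hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8  # ext len is in 8-octet units
        if nh in (HOPOPTS, DSTOPTS):
            options += parse_options(pkt[off + 2:off + hlen])
        chain.append(nh)
        nh, off = pkt[off], off + hlen
    chain.append(nh)                     # upper-layer protocol, e.g. GRE
    return chain, options

def needs_allow_opts(pkt):
    """True when an options header precedes GRE: the case pf logs as 'ip-option'."""
    chain, _ = walk_ipv6(pkt)
    return GRE in chain and any(h in (HOPOPTS, DSTOPTS) for h in chain)

def _ipv6(nh, payload):
    """Constructed outer IPv6 header with made-up 2a02::1 -> 2a00::10 addresses."""
    src, dst = bytes([0x2a, 0x02] + [0] * 13 + [1]), bytes([0x2a, 0] + [0] * 13 + [0x10])
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + src + dst + payload

GRE_HDR = b"\x00\x00\x86\xdd"            # GRE, no flags, inner protocol IPv6
# Constructed: DSTOPTS (next=GRE, 0 extra units), PadN(len 1), TEL(type 4, len 1, limit 4)
DSTOPTS_HDR = bytes([GRE, 0, PADN, 1, 0, TNL_ENCAP_LIMIT, 1, 4])
LINUX_STYLE = _ipv6(DSTOPTS, DSTOPTS_HDR + GRE_HDR)   # shape of the pflog packets above
PLAIN = _ipv6(GRE, GRE_HDR)                           # GRE directly behind IPv6
```

walk_ipv6(LINUX_STYLE) returns the chain [60, 47] with options [(1, b'\x00'), (4, b'\x04')], i.e. the "DSTOPT (type 0x04: len=1)" that tcpdump printed on pflog0, and needs_allow_opts() is True for it and False for PLAIN.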