L2TP interface causes Traffic Shaping/ipfw rules to fail to load

[iMiMx]

Version OPNsense 17.7.7_1-amd64

It would appear that when there is an L2TP interface (I have not tested other Point to Point interfaces) the ipfw/traffic shaping ruleset fails to load in its entirity

root@fw00:~ # ipfw /usr/local/etc/ipfw.rules
Are you sure? [yn] y

Flushed all rules.
00100 allow pfsync from any to any
00110 allow carp from any to any
00120 allow ip from any to any layer2 mac-type 0x0806,0x8035
00130 allow ip from any to any layer2 mac-type 0x888e,0x88c7
00140 allow ip from any to any layer2 mac-type 0x8863,0x8864
00150 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
00200 skipto 60000 ip6 from ::1 to any
00201 skipto 60000 ip4 from 127.0.0.0/8 to any
00202 skipto 60000 ip6 from any to ::1
00203 skipto 60000 ip4 from any to 127.0.0.0/8
01002 skipto 60000 udp from any to 10.8.6.254 dst-port 53 keep-state
01002 skipto 60000 ip from any to { 255.255.255.255 or 10.8.6.254 } in
01002 skipto 60000 ip from { 255.255.255.255 or 10.8.6.254 } to any out
01002 skipto 60000 icmp from { 255.255.255.255 or 10.8.6.254 } to any out icmptypes 0
01002 skipto 60000 icmp from any to { 255.255.255.255 or 10.8.6.254 } in icmptypes 8
01003 skipto 60000 udp from any to 192.168.3.254 dst-port 53 keep-state
01003 skipto 60000 ip from any to { 255.255.255.255 or 192.168.3.254 } in
01003 skipto 60000 ip from { 255.255.255.255 or 192.168.3.254 } to any out
01003 skipto 60000 icmp from { 255.255.255.255 or 192.168.3.254 } to any out icmptypes 0
01003 skipto 60000 icmp from any to { 255.255.255.255 or 192.168.3.254 } in icmptypes 8
Line 53: hostname ``l2tp'' unknown

There are no rules trying to shape L2TP traffic, just part of the standard ruleset - removing the L2TP specified rules allows the ipfw ruleset to load and consequently traffic shaping can operate:

add 1005 skipto 60000 udp from any to l2tp dst-port 53 keep-state
add 1005 skipto 60000 ip from any to { 255.255.255.255 or l2tp } in
add 1005 skipto 60000 ip from { 255.255.255.255 or l2tp } to any out
add 1005 skipto 60000 icmp from { 255.255.255.255 or l2tp } to any out icmptypes 0
add 1005 skipto 60000 icmp from any to { 255.255.255.255 or l2tp } in icmptypes 8

Presumably 'l2tp' should be a macro for the l2tp1 interface IP address (however this is done in ipfw, am more pf familiar), or perhaps a via statement for the interface?

[AdSchellevis]

@edst it should have ignored the l2tp part for this section. can you try 6278fc0 ?

opnsense-patch 6278fc0

[fichtner]

This probably also needs “pptp”

…

On 31. Oct 2017, at 10:03, Ad Schellevis ***@***.***> wrote: @edst it should have ignored the l2tp part for this section. can you try 6278fc0 ? opnsense-patch 6278fc0 — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[iMiMx]

That does the job, much obliged. Yes, looks like it needs PPTP as well for the same issue.

[AdSchellevis]

@iMiMx thanks for confirming