# PF seems not to be stateful in promiscuous mode



## nbari (Oct 20, 2017)

While creating some VM's with Bhyve + IPv6 I had to create a bridge and therefore the main network card had to be in promiscuous] `promisc` mode.

Eventually, I manage the VM's to work but start to notice a strange behavior (mainly timeouts and very slow responses) on the host while trying to update the packages or just fetching something/curl.

The server currently using PF and by checking the logs:


```
tcpdump -n -e -ttt -i pflog0 ip6
```

After doing some trafic like `pkg update` or a simple `curl google.com` I got this logs:


```
00:00:00.000000 rule 3/0(match): block in on igb0: 2001:4860:4860::8844.53 > 2a01:4f8:350:84ec::1.53939: 19426 1/0/1 A 216.58.210.14 (55)
     00:00:00.400845 rule 3/0(match): block in on igb0: 2001:4860:4860::8844.53 > 2a01:4f8:350:84ec::1.36699: 23499 1/0/1 A 216.58.210.14 (55)
     00:00:00.385682 rule 3/0(match): block in on igb0: 2a01:4f8:0:a0a1::add:1010.53 > 2a01:4f8:350:84ec::1.25247: 22918 1/0/1 AAAA 2a00:1450:4001:81c::200e (67)
     00:00:00.400351 rule 3/0(match): block in on igb0: 2a01:4f8:0:a0a1::add:1010.53 > 2a01:4f8:350:84ec::1.54634: 50020 1/0/1 AAAA 2a00:1450:4001:81c::200e (67)
     00:00:01.418975 rule 3/0(match): block in on igb0: 2a00:1450:4001:81d::200e.80 > 2a01:4f8:350:84ec::1.12922: Flags [S.], seq 1243698502, ack 2222250217, win 27200, options [mss 1360,nop,nop,sackOK], length 0
     00:00:00.300047 rule 3/0(match): block in on igb0: 2a00:1450:4001:81d::200e.80 > 2a01:4f8:350:84ec::1.12922: Flags [S.], seq 1243698502, ack 2222250217, win 27200, options [mss 1360,nop,nop,sackOK], length 0
```


For an unknown reason, all the returning traffic is being blocked, like if PF where not being stateful for ipv6, in `promisc` mode.

Important also to mention that despite the log entries, when curling a site that supports both `ipv4/ipv6`, it takes time but it does connect, the logs indeed only block the returning ipv6 traffic, seems like trying first ipv6 and fallbacks to ipv4.

This are the  `PF` rules I am using:



```
public_if = "igb0"
    public_tcp_ports = "{ 80 443 }"
    public_udp_ports = "{ 53 }"
    set block-policy drop
    set limit { states 1000000, frags 1000000, src-nodes 100000, table-entries 1000000 }
    set loginterface $public_if
    set optimization aggressive
    set skip on {lo0, bridge0, tap}
    set state-policy if-bound
    set timeout frag 30
    set timeout interval 10
    scrub in all fragment reassemble no-df max-mss 1440
    nat on $public_if from {172.16.8.0/21} to any -> ($public_if)
    antispoof log for $public_if
    block log all
    block in log quick from no-route to any
    block drop in log quick on $public_if inet proto tcp from any to any flags FUP/FUP
    pass in quick on $public_if proto tcp from any to any port $public_tcp_ports flags S/SA keep state
    pass in quick on $public_if proto udp from any to any port $public_udp_ports keep state
    pass in quick on $public_if proto {esp, ipencap} from any to any keep state
    pass in quick proto ipencap all
    icmp_types="{ echoreq, unreach }"
    pass inet proto icmp all icmp-type $icmp_types keep state
    pass proto ipv6-icmp from any to any
    pass out quick proto tcp all flags S/SA keep state
    pass out all keep state
```


Any idea of what could be done to not block the returning requests or make the system or to give preference to ipv4 over ipv6 so that hopefully that could avoid the delays. 

Thanks in advance.


----------

