From owner-freebsd-pf@FreeBSD.ORG Sun Sep 11 04:57:44 2011
From: Daniel Hartmeier
To: Mario Lobo
Cc: freebsd-pf@freebsd.org
Date: Sun, 11 Sep 2011 06:57:32 +0200
Subject: Re: VPN problem
Message-ID: <20110911045732.GC29437@insomnia.benzedrine.cx>
In-Reply-To: <201109101917.30117.lobo@bsd.com.br>

Why do you have a tun0 interface on the NAT box? That's a virtual tunnel
interface, not a physical interface.

I thought the client (!= the NAT box) is the VPN endpoint. Not all
encapsulation is done there, the NAT box is somehow involved in this?

Daniel

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 11 14:18:11 2011
From: Mario Lobo
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Sun, 11 Sep 2011 11:17:38 -0300
Subject: Re: VPN problem
Message-ID: <201109111117.38461.lobo@bsd.com.br>
In-Reply-To: <20110911045732.GC29437@insomnia.benzedrine.cx>

On Sunday 11 September 2011 01:57:32 you wrote:
> Why do you have a tun0 interface on the NAT box? That's a virtual tunnel
> interface, not a physical interface.

Because the tun0 interface IS my ext_if.
My ISP modem is in bridge mode and the FBSD box gets the public IP via pppoe.

> I thought the client (!= the NAT box) is the VPN endpoint. Not all
> encapsulation is done there, the NAT box is somehow involved in this?
>
> Daniel

My home GW is my NAT box, and it is involved. It wasn't supposed to interfere but it is.

1) Here is the map:

My home workstation (FBSD amd64)
  |
  V
My home GW (FBSD i386 NATting to a public IP on ppp/tun0)
  |
  V
ISP ADSL modem in bridge mode
  |
  V
INTERNET
  |
  V
My work GW (FBSD amd64 w/MPD VPN server)
  |
  V
My work LAN

2) What I am attempting that's not working (but used to work!)

Establish a VPN from My home workstation TO My work GW

3) What works every single time

Establishing a VPN from My home GW AS A CLIENT to My work GW, using an exact copy of mpd.conf from My home workstation.

The fact that I can do it flawlessly from the GW itself but NOT from the My home LAN (or My work LAN for that matter), in my lame opinion, points straight at NAT.

4) Points of notice

- My home GW is NOT a VPN server waiting for connections.

- 2) MAY work in 1 out of 10 attempts. I don't know how to better explain this but it is as if I have to hit "a lucky timing spot". Sometimes, if I have an open ssh session from My home workstation to My work GW, that "seems to help" establish the VPN connection, but again, sometimes it doesn't "help" at all.

- People on My work LAN are having the same kind of problem I'm having, to establish VPN tunnels to outside sites. The common point is that we're all behind FBSD gateways with pf.

The condition that "sometimes it works, sometimes it doesn't" made me find this:

http://readlist.com/lists/openbsd.org/misc/12/63348.html

I don't know if it applies to my case but after days searching, it was the closest thing I could find.

Thanks again.

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 11 15:28:16 2011
From: "Torsten Kersandt"
Date: Sun, 11 Sep 2011 16:27:14 +0100
Subject: RE: VPN problem
Message-ID: <000f01cc7097$490022a0$db0067e0$@net>
In-Reply-To: <201109111117.38461.lobo@bsd.com.br>

Hi Mario

Would it not be much easier to use VPN over SSL, as with OpenVPN? VPN as such has too many protocol dependencies.

Having a VPN server for the standard Windows user to dial in and use local resources is fine, but for bridging two networks OpenVPN is much easier and reliable for me here and in full use.

Regards
Torsten

From owner-freebsd-pf@FreeBSD.ORG Sun Sep 11 16:37:04 2011
From: Brad Tarver
Cc: "freebsd-pf@freebsd.org"
Date: Sun, 11 Sep 2011 11:06:03 -0500
Subject: Re: VPN problem
Message-ID: <788356111728596465@unknownmsgid>
In-Reply-To: <201109091853.09133.lobo@bsd.com.br>

I've not set up a FreeBSD VPN yet. Correct me if I'm wrong, but for VPN use wouldn't you want to exclude your private subnets from NAT?

--
Brad Tarver
Sent from my iPhone 4

On Sep 9, 2011, at 4:55 PM, Mario Lobo wrote:

> On Friday 09 September 2011 18:11:47 Torsten Kersandt wrote:
>> HI Mario
>> I don't know what the experts are suggesting but I use a table for the VPN
>> addresses
>> To allow nat but block them from using the server as gateway ("use as
>> default gateway" disabled in windows)
>> I add the rules dynamically using mpd if-up and if-down scripts
>>
>> All I have in my rules is GRE pass anywhere and nat to and from
>> where ever
>>
>> Regards
>> Torsten
>>
>
> Thanks for replying, Torsten, but the problem is way before all these things
> that you mentioned. I'm wildly guessing here but the problem seems to be
> inside the NAT mechanism of PF. At least the working/not working situations
> point in that direction.
>
> If I don't find a solution to that soon I am gonna have no choice but to
> switch to IPFW, which I would not like to do because the queuing mechanisms of
> pf are extremely useful and handy to my networks.
>
> By the way, I also do each item that you mentioned in your post.
>
> The funny thing is that there was a time (maybe a couple csups ago) that this
> problem didn't occur, and I am totally unable to say which csup brought this
> issue in. Remember there are 3 FBSDs involved here.
>
> --
> Mario Lobo
> http://www.mallavoodoo.com.br
> FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
> (99% winblows FREE)
>
>>
>> -----Original Message-----
>> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
>> Behalf Of Mario Lobo
>> Sent: 09 September 2011 20:46
>> To: freebsd-pf@freebsd.org
>> Cc: freebsd-questions@freebsd.org
>> Subject: VPN problem
>>
>> Hi;
>>
>> I've been having this problem establishing a VPN behind a FreeBSD 8-STABLE
>> with pf.
>>
>> I have this scenario:
>>
>> home LAN ---- FBSD+pf home ---- INTERNET --- FBSD+pf work --- work LAN
>>                                              MPD VPN server
>>
>> nat rules on FBSD+pf home:
>>
>> nat on $ext_if from $int_if:network to any -> ($ext_if) port 1024:65535
>> # nat on $ext_if from any to any -> ($ext_if) port 1024:65535
>>
>> obs- it makes no difference which nat rule I use. The problem persists.
>>
>> These are the first 5 pf rules on FBSD+pf home:
>>
>> # pass quick all
>> pass quick on lo0 all
>>
>> # my whole home lan is free
>> pass in quick on $int_if from $int_if:network to any
>>
>> #--- Allow networks to see themselves and dns
>> pass quick from $int_if:network to $int_if:network
>>
>> #--- Allow vpns from anywhere to anywhere
>> pass in quick log on $int_if proto gre from any to any keep state
>> pass in quick log on $int_if proto tcp from any to any port pptp flags S/SA keep state
>>
>> On any attempt to connect to the FBSD+pf work VPN Server from home LAN,
>> I get this (even if I uncomment pass quick all):
>>
>> #>mpd5
>> Multi-link PPP daemon for FreeBSD
>>
>> process 98799 started, version 5.5 (root@Papi 16:55 3-Sep-2011)
>> CONSOLE: listening on 127.0.0.1 5005
>> web: listening on 127.0.0.1 5006
>> [B1] Bundle: Interface ng0 created
>> [L1] Link: OPEN event
>> [L1] LCP: Open event
>> [L1] LCP: state change Initial --> Starting
>> [L1] LCP: LayerStart
>> [L1] PPTP call successful
>> [L1] Link: UP event
>> [L1] LCP: Up event
>> [L1] LCP: state change Starting --> Req-Sent
>> [L1] LCP: SendConfigReq #1
>> [L1]   ACFCOMP
>> [L1]   PROTOCOMP
>> [L1]   ACCMAP 0x000a0000
>> [L1]   MRU 1486
>> [L1]   MAGICNUM 2d08ae01
>>
>> [snip..]
>>
>> [L1] LCP: SendConfigReq #10
>> [L1]   ACFCOMP
>> [L1]   PROTOCOMP
>> [L1]   ACCMAP 0x000a0000
>> [L1]   MRU 1486
>> [L1]   MAGICNUM 2d08ae01
>> [L1] LCP: parameter negotiation failed
>> [L1] LCP: state change Req-Sent --> Stopped
>> [L1] LCP: LayerFinish
>> [L1] PPTP call terminated
>> [L1] Link: DOWN event
>> [L1] LCP: Close event
>> [L1] LCP: state change Stopped --> Closed
>> [L1] LCP: Down event
>> [L1] LCP: state change Closed --> Initial
>>
>> BUT, on the 9th or 10th attempt, without touching any setting anywhere, the
>> VPN MAY BE established, out of nothing! Machines (Windows, Unix, whatever)
>> behind both FBSD+pfs ALSO have the same problem when trying to close VPN
>> tunnels to outside sites.
>>
>> Sometimes, opening an ssh session from my workstation to FBSD+pf work may
>> "help" in establishing the VPN.
>>
>> The FBSD+pf work VPN Server is working fine. My colleagues can connect to it
>> from their homes (NATted cable modems or 3G modems) without problems. I am the
>> only one behind a FBSD+pf router.
>>
>> I installed MPD5 on FBSD+pf home, and copied mpd.conf from my home workstation
>> to it.
>>
>> Without touching a single setting on mpd.conf, the VPN is established
>> from FBSD+pf home (as a client) to FBSD+pf work WITHOUT any hiccups on EVERY
>> SINGLE attempt! Even if I bring it up/down 200 times!
>>
>> And yet, if the FBSD+pf combo is out of the way (i.e. no NAT!, as is the case
>> of FBSD+pf home as a client) or if I let my cable modem do the NAT/routing,
>> the problem is GONE!
>>
>> FreeBSD work
>> FreeBSD 8.2-STABLE #0: Mon Aug 22 14:50:42 BRT 2011 amd64
>>
>> FreeBSD Home
>> FreeBSD 8.2-STABLE #0: Wed May 18 16:53:26 BRT 2011 i386
>>
>> Any suggestions?
>>
>> Thanks,
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
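The mpd5 log quoted in the thread above shows LCP sending ten Configure-Requests and then giving up. Whether the peer answered at all is the first thing to establish, because "no LCP frame ever came back although the PPTP control connection on TCP 1723 succeeded" points at the GRE data path (the NAT box in between), while "the peer answered but negotiation still failed" points at PPP options. The Python below is an added example, not code from the thread or from mpd: it triages an mpd5 client log into those two cases. The sample log is a constructed, abridged copy of the one in the post, and the "rec'd Configure ..." line format for received LCP frames is an assumption about mpd's FSM logging, not something shown on the page.

```python
import re

# Constructed sample: an abridged copy of the mpd5 client log quoted above
# (the "[snip..]" in the post stands for ConfigReq #2 .. #9).
SAMPLE_MPD_LOG = """\
[L1] Link: OPEN event
[L1] LCP: Open event
[L1] LCP: state change Initial --> Starting
[L1] PPTP call successful
[L1] Link: UP event
[L1] LCP: state change Starting --> Req-Sent
[L1] LCP: SendConfigReq #1
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1486
[L1]   MAGICNUM 2d08ae01
[L1] LCP: SendConfigReq #10
[L1] LCP: parameter negotiation failed
[L1] LCP: state change Req-Sent --> Stopped
[L1] PPTP call terminated
"""

SEND_RE = re.compile(r"^\[(\w+)\] LCP: SendConfigReq #(\d+)$")
# Assumed format of mpd's log line for an LCP frame received from the peer,
# e.g. "[L1] LCP: rec'd Configure Ack #1 (Req-Sent)"; not shown in the post.
RECV_RE = re.compile(r"^\[(\w+)\] LCP: rec'd Configure (Request|Ack|Nak|Reject) #\d+")
FAIL_RE = re.compile(r"^\[(\w+)\] LCP: parameter negotiation failed$")
CALL_RE = re.compile(r"^\[(\w+)\] PPTP call (successful|terminated)$")


def triage_lcp(log_text):
    """Summarise the LCP phase of an mpd5 PPTP client log.

    Verdicts:
      ok              negotiation did not fail
      peer-silent     ConfigReqs were sent, nothing came back, mpd gave up.  The
                      PPTP control connection (TCP 1723) worked, so the silence
                      is on the GRE (IP proto 47) path carrying the PPP frames.
      peer-rejecting  the peer did answer, so packets flow both ways and the
                      failure is an LCP options mismatch rather than a path problem
    """
    sent = 0
    received = []
    failed = False
    call_succeeded = False
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SEND_RE.match(line)
        if m:
            sent += 1
            continue
        m = RECV_RE.match(line)
        if m:
            received.append(m.group(2))
            continue
        if FAIL_RE.match(line):
            failed = True
            continue
        m = CALL_RE.match(line)
        if m and m.group(2) == "successful":
            call_succeeded = True
    if not failed:
        verdict = "ok"
    elif sent and not received:
        verdict = "peer-silent"
    else:
        verdict = "peer-rejecting"
    return {
        "config_req_sent": sent,
        "received": received,
        "pptp_call_succeeded": call_succeeded,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage_lcp(SAMPLE_MPD_LOG))
```

Run against the full log from the post, the verdict is "peer-silent": the control channel came up, ten requests went out, and no LCP frame was ever received, which is the GRE-path symptom the thread is chasing.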
FXrpsWEVM1lSgsOTm1PDwBARQqRgQTM5PuTHazp7GOIZJ6W J.XVMw4Qq3X4MUJKFpDQ4W.gJ8GhL.Ffgy99c0CePZTQERbfaGOCNw_BJS33 34sEiGz_qxd87Ccmd5SMPCu11ydc.aJ01qTnOvf8s64OxQ7RZZk4jZxE8Qzm KHMIE1tDbVI3iXJLUF0i9eqwn9t1.4d5lEL2b7Naoxv7mAgo4SNEBpGk31kI pJG1XqUqAXEMrPrflJHNoj2kN2SM52ATZepPLKy1VzpvyqLotspGq3nDzvnZ 9gCpY81Y9fJkRcsRG0cSv63GGhuTlYHWSRjI47CWBlLZUrolAV80qDOHgUpO qKVnr2lDwXue38UfwThn._jNRoFtyPjLrzUcCCv_pdkzuY18Uk87teJvgEzd eIXLViqdzRWmgmBE1X6xPvJ78G9H2t2_LYqKAxybhUZ20HkuJz48L3LituYw DKmeHblh2EQ3exT2alRr7IQ.beHJLcWOwgGkumKGRg6pImAZ5RhSvVMBWJJW YM0qNV9Bo3BByBuJxhovlRFwcVI4Lq6vmXIfHKmadNhbvuyHKuLMay6CMkbZ TMBD7OBITfeImEuQRI85.lefyGbQFC9fiYfs- Received: from [67.180.178.51] by web121719.mail.ne1.yahoo.com via HTTP; Sun, 11 Sep 2011 15:27:20 PDT X-Mailer: YahooMailWebService/0.8.113.315625 Message-ID: <1315780040.76570.YahooMailNeo@web121719.mail.ne1.yahoo.com> Date: Sun, 11 Sep 2011 15:27:20 -0700 (PDT) From: Ping Mai To: "freebsd-pf@freebsd.org" MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: slow X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Ping Mai List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Sep 2011 22:40:57 -0000 Hi, =0A=0AI'm new to pf.=A0 hoping for some help with pf.conf.=0A=0AFreeBSD= 5.5 router.=A0 2 external interfaces, $com_if and $dsl_if.=A0 The default = route is set to $com_if.=0A=0Aincoming smtp to $com_if seems to work fine.= =0A=0A=0Aincoming smtp to $dsl_if is the problem.=A0 connect to tcp/25 is f= ast.=A0 but after I issue a 'ehlo ...'=A0 there's a delay of ~1 minute befo= re the reply comes back.=A0 from that point on the exchange works just fine= .=0AThe problem is most MTA don't wait that long.=A0 they simply drop the c= onnection.=0A=0Atcpdump of pflog0 sees the 
incoming tcp/25, outgoing from t= cp/25 gets routed to $dsl_if (dc3).=A0 after that, looks like it does an 'i= dent' and a DNS lookup. then it just sits there for minutes.=0A=0Awhat's wr= ong with my pf.conf?=0A=0A#----------------- tcpdump ------------------=0A= =0A000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.3= 4.56.40.25: S 743439640:743439640(0) win 65535 =0A000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.= 100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 =0A000023 rule 12/0(match): pass out on dc3: IP 12.34.= 56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 = win 65535 =0A080881 rule 28/0(match): pass ou= t on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:14684815= 50(0) win 65535 =0A000027 rule 12/0(match):= pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:= 1468481550(0) win 65535 =0A082959 rule 13/0= (match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53:=A0 50336+= [1au][|domain]=A0 =0A=0A#------------------ pf.conf ----------------------= --------------------------------=0Aint_if =3D "dc1"=0A=0Adsl_if =3D "dc3"= =0Acom_if =3D "dc0"=0Admz_if =3D "dc2"=0Aint_net =3D "10.1.100.0/24"=0Admz_= net =3D "10.1.101.0/24"=0Adsl_gw=3D"12.34.56.1"=0A=0Acom_gw=3D"23.45.67.1"= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 # default rout= e=0A=0Aiserver=3D"10.1.100.99"=0A=0Atcp_services=3D"{ http https }"=0A=0Aic= mp_types=3D"echoreq"=0A=0Atable { $int_net, $dmz_net }=0A=0Aset = loginterface $dsl_if=0Aset loginterface $com_if=0Aset optimization normal= =0Aset block-policy return=0Aset require-order yes=0A=0A=0Ascrub in all=0An= at on $dsl_if from -> $dsl_if=0Anat on $com_if from -= > $com_if=0A=0Ardr pass on $dsl_if proto tcp from any to $dsl_if port $tcp_= services -> $iserver=0Ardr pass on $com_if proto tcp from any to $com_if po= rt $tcp_services -> $iserver=0A=0Ablock out log all=0Ablock in log all=0Apa= ss quick 
on lo0=0A=0Aantispoof quick for { lo0 $dsl_if $com_if $dmz_if $int= _if}=0A=0Apass out log on $dsl_if=0Apass out log on $com_if=0A=0Apass log o= n $int_if keep state=0Apass log on $dmz_if from any to ! $int_if:network ke= ep state=0A=0Apass in log on $dsl_if proto tcp to $dsl_if port { smtp, smtp= s }=0Apass in log on $com_if proto tcp to $com_if port { smtp, smtps }=0Apa= ss in on $dsl_if proto { tcp, udp } to $dsl_if port {domain}=0Apass in on $= com_if proto { tcp, udp } to $com_if port {domain}=0Apass in on $com_if pro= to { tcp, udp } to port {bootpc}=0A=0Apass in inet proto icmp all icmp-type= $icmp_types=0A=0Apass out log on $dsl_if route-to ($com_if $com_gw) from $= com_if=0Apass out log on $com_if route-to ($dsl_if $dsl_gw) from $dsl_if=0A= #------------------------------------------------------------------------ From owner-freebsd-pf@FreeBSD.ORG Mon Sep 12 02:35:25 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 330D0106564A for ; Mon, 12 Sep 2011 02:35:25 +0000 (UTC) (envelope-from pingmai@yahoo.com) Received: from nm8-vm4.bullet.mail.ne1.yahoo.com (nm8-vm4.bullet.mail.ne1.yahoo.com [98.138.91.168]) by mx1.freebsd.org (Postfix) with SMTP id CF7458FC08 for ; Mon, 12 Sep 2011 02:35:24 +0000 (UTC) Received: from [98.138.90.52] by nm8.bullet.mail.ne1.yahoo.com with NNFMP; 12 Sep 2011 02:35:24 -0000 Received: from [98.138.89.248] by tm5.bullet.mail.ne1.yahoo.com with NNFMP; 12 Sep 2011 02:35:24 -0000 Received: from [127.0.0.1] by omp1040.mail.ne1.yahoo.com with NNFMP; 12 Sep 2011 02:35:24 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 167691.38720.bm@omp1040.mail.ne1.yahoo.com Received: (qmail 1480 invoked by uid 60001); 12 Sep 2011 02:35:24 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1315794924; bh=wgYZP14tq/FsEmn9hYFFjvMhsMmJxo9l+7l+MH5dUMU=; 
h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=tsi8En7mZTH58GWxKrgueQ6cuAd/hgw9GinTuMBLAZAA+geEmFgoUt5MxZbPDgHpNzRlQdzL3PTj5JW81bzelVAljZcYC5w1x1yjqoCZR06fuzF5II1o+EWFiaA61JGr1aMNPfqqPytEH09JWsQyjbEgHJywNJZ3Qeql3lc0ljU= DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=UkPud74+ORUOsoUPId4EI2Xnqt3//Bu/CLZjhyKZfVymiKM/LJprUqe+y1l020urYQPPWWJBMDQpCRTng5KnGyftD+kpe7ljjBEZoHQ2VY8OEjwwltje1Xd+h3kwSs7xrroeppH1z9q5aeTtR65qckDwdvVFQt0J8H3OCZyIZlk=; X-YMail-OSG: fmPBVLgVM1kqbu48RpRLW6XXeX4Oq99sQ7_OupAjKDqR1P9 eZwPqi42nBPvhPYwJbRZ.u5IcvTuaRP6tV1Uri72.DxmUG2jMw.xE0a3J3UI TucAnaWtXP7_XbMBpEyhreH.CKIVFR4FAOb9JGsVaTrgb0NndERmjYz_yYah yBivGI2dZppy9cCDPjrBSjPCWfLShMP7rtmO5Z.GjMTGoMH40umPoAUEYGQF L78NnuijggeGnHCuWkw8l5hBZdfxGaV9OOSV6ma1RHvsgb_bSnXD1f3CbXxf lwHiasFOKw37lrTu_rENv67UVcX4YmGoGTiSFVR33a6LxrzW42Vm.027iIcX JmGtrjYUel3TWqv5YJdijI67MADg1Og79Q3H6vVgMEFLmPDLQ_K6WUc1I34W vGwP9OGEMWjnSMzQQER7SKHc2FFdUCC7XvnfkGrw_QllFDCE0aptlKo2l7Pq MAwuv5ph3CH5BtJq8temWddLQPvdBlzNMDK2YQ24zr4stOvkf39u2Sw4h..9 y619mUZBt1b2BaQewpYgVrjZUMd8qxserJXqEaLqvUc4YpZgrEMOM9pnFhkS UgTUy.XXZ7cUfuvVH9Og9WAvtsc09uJ4anEGsEdTqJFz09t5ljKALyfGE6A- - Received: from [67.180.178.51] by web121718.mail.ne1.yahoo.com via HTTP; Sun, 11 Sep 2011 19:35:23 PDT X-Mailer: YahooMailWebService/0.8.113.315625 References: <1315780040.76570.YahooMailNeo@web121719.mail.ne1.yahoo.com> Message-ID: <1315794923.94330.YahooMailNeo@web121718.mail.ne1.yahoo.com> Date: Sun, 11 Sep 2011 19:35:23 -0700 (PDT) From: Ping Mai To: "freebsd-pf@freebsd.org" In-Reply-To: <1315780040.76570.YahooMailNeo@web121719.mail.ne1.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: pf slow connect on smtp X-BeenThere: 
freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Ping Mai List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Sep 2011 02:35:25 -0000 added this line at the end and incoming smtp is working on both external in= terfaces:=0A=0Apass in quick on $dsl_if reply-to ($dsl_if $dsl_gw ) flags S= /SA keep state=0A=0A=0A=0A________________________________=0AFrom: Ping Mai= =0ATo: "freebsd-pf@freebsd.org" =0ASent: Sunday, September 11, 2011 3:27 PM=0ASubject: slow=0A=0A=0AHi, = =0A=0AI'm new to pf.=A0 hoping for some help with pf.conf.=0A=0AFreeBSD 5.5= router.=A0 2 external interfaces, $com_if and $dsl_if.=A0 The default rout= e is set to $com_if.=0A=0Aincoming smtp to $com_if seems to work fine.=0A= =0A=0Aincoming smtp to $dsl_if is the problem.=A0 connect to tcp/25 is fast= .=A0 but after I issue a 'ehlo ...'=A0 there's a delay of ~1 minute before = the reply comes back.=A0 from that point on the exchange works just fine.= =0AThe problem is most MTA don't wait that long.=A0 they simply drop the co= nnection.=0A=0Atcpdump of pflog0 sees the incoming tcp/25, outgoing from tc= p/25 gets routed to $dsl_if (dc3).=A0 after that, looks like it does an 'id= ent' and a DNS lookup. 
then it just sits there for minutes.

what's wrong with my pf.conf?

#----------------- tcpdump ------------------

000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535
000027 rule 12/0(match): pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53: 50336+ [1au][|domain]

#------------------ pf.conf ------------------------------------------------------
int_if = "dc1"

dsl_if = "dc3"
com_if = "dc0"
dmz_if = "dc2"
int_net = "10.1.100.0/24"
dmz_net = "10.1.101.0/24"
dsl_gw="12.34.56.1"

com_gw="23.45.67.1"                     # default route

iserver="10.1.100.99"

tcp_services="{ http https }"

icmp_types="echoreq"

table { $int_net, $dmz_net }

set loginterface $dsl_if
set loginterface $com_if
set optimization normal
set block-policy return
set require-order yes


scrub in all
nat on $dsl_if from -> $dsl_if
nat on $com_if from -> $com_if

rdr pass on $dsl_if proto tcp from any to $dsl_if port $tcp_services -> $iserver
rdr pass on $com_if proto tcp from any to $com_if port $tcp_services -> $iserver

block out log all
block in log all
pass quick on lo0

antispoof quick for { lo0 $dsl_if $com_if $dmz_if $int_if}

pass out log on $dsl_if
pass out log on $com_if

pass log on $int_if keep state
pass log on $dmz_if from any to ! $int_if:network keep state

pass in log on $dsl_if proto tcp to $dsl_if port { smtp, smtps }
pass in log on $com_if proto tcp to $com_if port { smtp, smtps }
pass in on $dsl_if proto { tcp, udp } to $dsl_if port {domain}
pass in on $com_if proto { tcp, udp } to $com_if port {domain}
pass in on $com_if proto { tcp, udp } to port {bootpc}

pass in inet proto icmp all icmp-type $icmp_types

pass out log on $dsl_if route-to ($com_if $com_gw) from $com_if
pass out log on $com_if route-to ($dsl_if $dsl_gw) from $dsl_if
#------------------------------------------------------------------------------

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 12 04:03:06 2011
From: Ping Mai
To: "freebsd-pf@freebsd.org"
Date: Sun, 11 Sep 2011 21:03:04 -0700 (PDT)
Message-ID: <1315800184.36016.YahooMailNeo@web121718.mail.ne1.yahoo.com>
In-Reply-To: <1315794923.94330.YahooMailNeo@web121718.mail.ne1.yahoo.com>
Subject: Re: pf slow connect on smtp
Reply-To: Ping Mai

the problem was SYN was coming in at one ext IF and ACK going out another. thanks to my friend tcpdump.

this is not as restrictive as i would like but at least access to internal services is working on both ext IF.

now i want to configure load balancing on outbound traffic. help anyone?


#----------- pf.conf ----------------

set require-order yes
scrub in all
nat on $dsl_if from -> $dsl_if
nat on $com_if from -> $com_if
rdr on $dsl_if proto tcp from any to $dsl_if port $tcp_services -> $iserver
rdr pass on $com_if proto tcp from any to $com_if port $tcp_services -> $iserver
block out log all
block in log all
pass quick on lo0
antispoof quick for { lo0 $dsl_if $com_if $dmz_if $int_if}
pass out log on $dsl_if keep state
pass out log on $com_if keep state
pass log on $int_if keep state
pass log on $dmz_if from any to ! $int_if:network keep state
pass in log on $dsl_if proto tcp to $dsl_if port { smtp, smtps }
pass in log on $com_if proto tcp to $com_if port { smtp, smtps }
pass in on $dsl_if proto { tcp, udp } to $dsl_if port {domain}
pass in on $com_if proto { tcp, udp } to $com_if port {domain}
pass in on $com_if proto { tcp, udp } to port {bootpc}
pass in inet proto icmp all icmp-type $icmp_types
pass out log on $dsl_if route-to ($com_if $com_gw) from $com_if
pass out log on $com_if route-to ($dsl_if $dsl_gw) from $dsl_if keep state
pass in quick on $dsl_if reply-to ($dsl_if $dsl_gw ) flags S/SA keep state



________________________________
From: Ping Mai
To: "freebsd-pf@freebsd.org"
Sent: Sunday, September 11, 2011 7:35 PM
Subject: pf slow connect on smtp


added this line at the end and incoming smtp is working on both external interfaces:

pass in quick on $dsl_if reply-to ($dsl_if $dsl_gw ) flags S/SA keep state


________________________________
From: Ping Mai
To: "freebsd-pf@freebsd.org"
Sent: Sunday, September 11, 2011 3:27 PM
Subject: slow


Hi,

I'm new to pf. hoping for some help with pf.conf.

FreeBSD 5.5 router. 2 external interfaces, $com_if and $dsl_if. The default route is set to $com_if.

incoming smtp to $com_if seems to work fine.


incoming smtp to $dsl_if is the problem. connect to tcp/25 is fast. but after I issue a 'ehlo ...' there's a delay of ~1 minute before the reply comes back. from that point on the exchange works just fine.
The problem is most MTA don't wait that long. they simply drop the connection.

tcpdump of pflog0 sees the incoming tcp/25, outgoing from tcp/25 gets routed to $dsl_if (dc3). after that, looks like it does an 'ident' and a DNS lookup. then it just sits there for minutes.

what's wrong with my pf.conf?

#----------------- tcpdump ------------------

000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535
000027 rule 12/0(match): pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53: 50336+ [1au][|domain]

#------------------ pf.conf ------------------------------------------------------
int_if = "dc1"

dsl_if = "dc3"
com_if = "dc0"
dmz_if = "dc2"
int_net = "10.1.100.0/24"
dmz_net = "10.1.101.0/24"
dsl_gw="12.34.56.1"

com_gw="23.45.67.1"                     # default route

iserver="10.1.100.99"

tcp_services="{ http https }"

icmp_types="echoreq"

table { $int_net, $dmz_net }

set loginterface $dsl_if
set loginterface $com_if
set optimization normal
set block-policy return
set require-order yes


scrub in all
nat on $dsl_if from -> $dsl_if
nat on $com_if from -> $com_if

rdr pass on $dsl_if proto tcp from any to $dsl_if port $tcp_services -> $iserver
rdr pass on $com_if proto tcp from any to $com_if port $tcp_services -> $iserver

block out log all
block in log all
pass quick on lo0

antispoof quick for { lo0 $dsl_if $com_if $dmz_if $int_if}

pass out log on $dsl_if
pass out log on $com_if

pass log on $int_if keep state
pass log on $dmz_if from any to ! $int_if:network keep state

pass in log on $dsl_if proto tcp to $dsl_if port { smtp, smtps }
pass in log on $com_if proto tcp to $com_if port { smtp, smtps }
pass in on $dsl_if proto { tcp, udp } to $dsl_if port {domain}
pass in on $com_if proto { tcp, udp } to $com_if port {domain}
pass in on $com_if proto { tcp, udp } to port {bootpc}

pass in inet proto icmp all icmp-type $icmp_types

pass out log on $dsl_if route-to ($com_if $com_gw) from $com_if
pass out log on $com_if route-to ($dsl_if $dsl_gw) from $dsl_if
#------------------------------------------------------------------------------

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 12 05:30:07 2011
Message-ID: <4E6D98C0.8040707@aws-net.org.ua>
Date: Mon, 12 Sep 2011 08:29:36 +0300
From: Artyom Viklenko
Organization: Art&Co.
To: Mario Lobo
Cc: freebsd-pf@freebsd.org
In-Reply-To: <201109111117.38461.lobo@bsd.com.br>
Subject: Re: VPN problem

> 2) What I am attempting that's not working (but used to work!)
>
> Establish a VPN from My home workstation TO My work GW

This is what I have in my home router's pf about GRE:

nat on $ext_if proto gre from $int_net to any -> ($ext_if)
pass in quick on $int_if inet proto gre from $int_if:network to any keep state
pass in quick on $ext_if inet proto gre from any to any no state
pass out quick on $ext_if inet proto gre all keep state queue def

Any single PPTP connection always works fine but - as noted before - ONLY ONE.

Pay attention to the pass rule on the external interface - use 'no state'!
Without it the first gre packet from the VPN server will create a wrong
state and these packets will not reach the VPN client in the home LAN.

Anyway, consider migration to L2TP.

Hope this helps.

-- 
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem@viklenko.net | JID: artem@jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org

From owner-freebsd-pf@FreeBSD.ORG Mon Sep 12 11:07:08 2011
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 12 Sep 2011 11:07:07 GMT
Message-Id: <201109121107.p8CB776D005516@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/159390  pf     [pf] [panic] mutex pf task mtx owned at /usr/src/sys/c
o kern/159029  pf     [pf] [panic] m_copym, offset > size of mbuf chain when
o kern/158873  pf     [pf] [panic] When I launch pf daemon, I have a kernel
o kern/158636  pf     [pf] if_pfsync.c fails to build when NBPFILTER == 0
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf     [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
f kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

51 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Sep 12 23:51:50 2011
From: Mario Lobo
To: Artyom Viklenko
Cc: freebsd-pf@freebsd.org
Date: Mon, 12 Sep 2011 20:51:51 -0300
Message-Id: <201109122051.52012.lobo@bsd.com.br>
In-Reply-To: <4E6D98C0.8040707@aws-net.org.ua>
Subject: Re: VPN problem

On Monday 12 September 2011 02:29:36 Artyom Viklenko wrote:
>
> This is what I have in my home router's pf about GRE:
> [snip]
> pass in quick on $ext_if inet proto gre from any to any no state
> Pay attention to the pass rule on the external interface - use 'no state'!
> Without it the first gre packet from the VPN server will create a wrong
> state and these packets will not reach the VPN client in the home LAN.

Thanks a million, Artyom! You nailed it! This fixed my problem at BOTH endpoints!

But look at how particular that is! And why in heaven's name wasn't this happening before?

The fact that I never needed that rule before, and after maybe a couple of csups now I do, worries me a bit. I can't help wondering if this sort of thing may happen somewhere else on a next (now improbable) csup.

>
> Any single PPTP connection always works fine but - as noted before -
> ONLY ONE.
>

This was never an issue in my case.

>
> Anyway, consider migration to L2TP.
>

Not anymore thanks to you !!

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 14 11:15:02 2011
From: Zeus V Panchenko
To: freebsd-pf@freebsd.org
Date: Wed, 14 Sep 2011 14:14:59 +0300
Message-ID: <20110914111459.GD40528@relay.ibs.dn.ua>
X-Operating-System: FreeBSD
8.1-RELEASE
Reply-To: zeus@ibs.dn.ua
Subject: Re: pf port redirection wierd behavior

Victor Nagoryanskii (nagoryanskii@gmail.com) [11.09.02 13:59] wrote:
> When I initialising call, replied udp packets successfully redirected to
> my h323 device, but if call is initialising from outside to me -
> redirection just not work (I can't hear remote peer). I see udp packets hit
> to my ext_if, but nothing appear in lan_if.

are packets blocked?

tcpdump -nettti pflog0 | grep block

-- 
Zeus V. Panchenko
JID:zeus@gnu.org.ua GMT+2 (EET)

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 14 12:03:22 2011
From: Victor Nagoryanskii
To: zeus@ibs.dn.ua, freebsd-pf@freebsd.org
Date: Wed, 14 Sep 2011 15:03:20 +0300
In-Reply-To: <20110914111459.GD40528@relay.ibs.dn.ua>
Subject: Re: pf port redirection wierd behavior

No, it doesn't.

2011/9/14 Zeus V Panchenko
> Victor Nagoryanskii (nagoryanskii@gmail.com) [11.09.02 13:59] wrote:
> > When I initialising call, replied udp packets successfully redirected to
> > my h323 device, but if call is initialising from outside to me -
> > redirection just not work (I can't hear remote peer). I see udp packets hit
> > to my ext_if, but nothing appear in lan_if.
> >
> are packets blocked?
>
> tcpdump -nettti pflog0 | grep block
>
> --
> Zeus V. Panchenko
> JID:zeus@gnu.org.ua GMT+2 (EET)
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 14 15:40:11 2011
From: Manuel Ochoa
To: freebsd-pf@FreeBSD.org
Date: Wed, 14 Sep 2011 15:40:10 GMT
Message-Id: <201109141540.p8EFeAad085466@freefall.freebsd.org>
Subject: Re: kern/153307: [pf] Bug with PF Firewall
The following reply was made to PR kern/153307; it has been noted by GNATS.

From: Manuel Ochoa
To: bug-followup@freebsd.org
Subject: Re: kern/153307: [pf] Bug with PF Firewall
Date: Wed, 14 Sep 2011 10:01:40 -0500

What is the status on this bug? It's almost a year old and it looks like a serious issue.

Thanks,

Manuel Ochoa - CCNP MCSA MCSE MCDBA
President, Agency Matrix LLC

5010 Addison Circle
Addison TX 75001-2333

Phone: 972-239-1456
Fax: 702 447-6669

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 14 16:53:20 2011
From: Damien Fleuriot
To: freebsd-pf@freebsd.org
Date: Wed, 14 Sep 2011 18:27:56 +0200
Message-ID: <4E70D60C.2080202@my.gd>
Subject: Re: pf port redirection wierd behavior

On 9/2/11 12:26 PM, Victor Nagoryanskii wrote:
> Hello!
> I've noticed weird behavior of pf port redirection. I have FreeBSD 8.2 box
> which nat'ed my lan. There are some http/mail servers presented in lan, tcp
> port redirection work fine, but udp redirection to my H323 enabled device is
> strange.
>
> When I initialising call, replied udp packets successfully redirected to
> my h323 device, but if call is initialising from outside to me -
> redirection just not work (I can't hear remote peer). I see udp packets hit
> to my ext_if, but nothing appear in lan_if.
>
>
> pf.conf
>
> nat pass on $inet_if from $lan_net to any -> $inet_if
> rdr pass on $inet_if proto tcp from any to $inet_ip port {25,80} -> 10.0.0.2 # Work fine
> rdr pass on $inet_if proto tcp from any to $inet_ip port 1720 -> 10.0.0.4 # Work fine
> rdr pass on $inet_if proto udp from any to $inet_ip port 2048:2063 -> 10.0.0.4 # Work only if I initialising call
>
> pass all
>
> Also I tried to adjust udp session timer:
>
> set timeout udp.first 300
> set timeout udp.single 150
> set timeout udp.multiple 900
>
> Is this pf bug or I something misconfigured pf.conf?

There's no reason your UDP rdr rule shouldn't work.

You should run tcpdump on the target machine listening at 10.0.0.4 to check whether packets arrive or not:

tcpdump -ni eth0 ip and port 2048

I don't understand your "if I initialising call" statement.
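Damien's and Zeus's suggestions, like Ping Mai's diagnosis earlier in this digest, both come down to reading the logged packets. The script below is an added example written for this digest, not code from the list or from pf: it parses lines in the `tcpdump -nettti pflog0` layout quoted in Ping Mai's message, lists the packets that hit a block rule (what Zeus's `grep block` would surface), and flags inbound SYNs whose SYN-ACK left on a different interface from the one the SYN arrived on, which is the asymmetric-routing pattern behind the slow SMTP connects. The record layout, the function names and the sample input are assumptions of this example; the sample mixes three lines quoted from Ping Mai's capture with a constructed block line whose addresses are made up, and only IPv4 is handled.

```python
"""Offline reading of pflog(4) records as printed by `tcpdump -nettti pflog0`.

Added example for this digest (not code from the list or from pf).  It answers
two questions the replies raise: which packets hit a block rule, and whether
the SYN-ACK for an inbound SYN left on a different interface from the one the
SYN arrived on.  The record layout is assumed from the lines quoted in the
thread; only IPv4 host.port tokens are handled."""
import re

# <delta> rule <n>/<sub>(<reason>): <pass|block> <in|out> on <if>: [IP] <src>.<sport> > <dst>.<dport>: <rest>
_PFLOG_RE = re.compile(
    r"^\s*\S+\s+rule\s+(?P<rule>\d+)/\d+\((?P<reason>\w+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>[^:\s]+):\s+"
    r"(?:IP\s+)?(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s*(?P<rest>.*)$"
)
# Old tcpdump prints the TCP flags as the first token ("S", "S ... ack N");
# newer releases print "Flags [S]" / "Flags [S.]".  Both are recognised.
_SYN_RE = re.compile(r"(?:S\b|Flags \[S\.?\])")


def _split_hostport(token):
    """'12.34.56.40.25' -> ('12.34.56.40', 25); a bare address gets port None."""
    host, sep, port = token.rpartition(".")
    if sep and port.isdigit() and host.count(".") == 3:
        return host, int(port)
    return token, None


def parse_pflog_line(line):
    """Return one record dict, or None for a line in another layout."""
    m = _PFLOG_RE.match(line)
    if not m:
        return None
    src, sport = _split_hostport(m.group("src"))
    dst, dport = _split_hostport(m.group("dst"))
    rest = m.group("rest")
    syn = bool(_SYN_RE.match(rest))
    synack = syn and (" ack " in rest or "Flags [S.]" in rest)
    return {
        "rule": int(m.group("rule")), "reason": m.group("reason"),
        "action": m.group("action"), "dir": m.group("dir"),
        "ifname": m.group("ifname"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "syn": syn and not synack, "synack": synack,
    }


def blocked_packets(records):
    """What `tcpdump -nettti pflog0 | grep block` would show, as records."""
    return [r for r in records if r["action"] == "block"]


def asymmetric_replies(records):
    """Passed inbound SYNs whose SYN-ACK went out on a different interface
    from the one the SYN came in on.  Each finding names both interfaces
    and both rule numbers so the offending rule can be located in pf.conf."""
    syn_in = {}
    for r in records:
        if r["dir"] == "in" and r["syn"] and r["action"] == "pass":
            syn_in[(r["src"], r["sport"], r["dst"], r["dport"])] = r
    findings = []
    for r in records:
        if r["dir"] == "out" and r["synack"]:
            key = (r["dst"], r["dport"], r["src"], r["sport"])  # reverse flow
            orig = syn_in.get(key)
            if orig and orig["ifname"] != r["ifname"]:
                findings.append({
                    "flow": "{}:{} -> {}:{}".format(*key),
                    "syn_in_on": orig["ifname"], "syn_rule": orig["rule"],
                    "synack_out_on": r["ifname"], "synack_rule": r["rule"],
                })
    return findings


def analyse(lines):
    records = [r for r in (parse_pflog_line(l) for l in lines) if r]
    return {"records": records,
            "blocked": blocked_packets(records),
            "asymmetric": asymmetric_replies(records)}


# Constructed sample: the first three lines are quoted from Ping Mai's capture
# (SYN in on dc3, SYN-ACK first out on dc0 via the default route, then out on
# dc3 via route-to); the block line and its addresses are made up.
SAMPLE_PFLOG = """\
000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
000011 rule 3/0(match): block in on dc0: IP 198.51.100.7.4444 > 23.45.67.51.22: S 1:1(0) win 65535
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53: 50336+ [1au][|domain]
""".splitlines()

if __name__ == "__main__":
    result = analyse(SAMPLE_PFLOG)
    for b in result["blocked"]:
        print("blocked: rule %d %s on %s %s:%s -> %s:%s" % (
            b["rule"], b["dir"], b["ifname"], b["src"], b["sport"], b["dst"], b["dport"]))
    for f in result["asymmetric"]:
        print("asymmetric: %(flow)s SYN in on %(syn_in_on)s (rule %(syn_rule)d), "
              "SYN-ACK out on %(synack_out_on)s (rule %(synack_rule)d)" % f)
```

On a live router the same functions can be fed a saved capture (`tcpdump -nettti pflog0 > pflog.txt`, then `analyse(open("pflog.txt").read().splitlines())`); the `-e` in `-nettti` is what makes tcpdump print the rule number, action and interface that the parser relies on.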
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 09:26:20 2011
From: Damien FLEURIOT
To: "freebsd-pf@freebsd.org"
Date: Thu, 15 Sep 2011 11:07:37 +0200
Message-ID: <4E71C059.5060404@hi-media.com>
Subject: CARP interfaces and mastership issue

Hello list,

TLDR: carp interface becomes MASTER for a split second after being created, even if another MASTER exists on the network with faster advertisements. Breaks connections. HOWTO prevent ?

We've been experiencing this double mastership problem with CARP interfaces.

Allow me to put some context here:

2 firewalls, PF1, PF2, each with 2 VLANs (for example, some have more) on a lagg device (link aggregation).

These firewalls then share virtual IPs through CARP interfaces, let us assume the following:

PF1:
- vlan13
- vlan410
- carp13 (advskew 50)
- carp410 (advskew 50)

PF2:
- vlan13
- vlan410
- carp13 (advskew 100)
- carp410 (advskew 100)

CARP preemption is turned on, so that if vlan13 should fail on PF1, PF2 would assume mastership on both CARP interfaces.

Syscontrols below:
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0
net.inet.carp.suppress_preempt: 0

The problem we have is, say for example we reboot PF2.

When it comes back up, it will, even for a split second, assume CARP mastership for its interfaces, at the same time as PF1.

This breaks existing sessions, openvpn tunnels and new client connections.

While I acknowledge the home-made daemons should be built to support tiny network outages, this doesn't solve our main problem.

We have the same issue when destroying/creating said CARP interfaces.

Recently we upgraded some switches' IOS version on our backup datacenter (which also has 2 PF boxes, sharing the CARP IPs with the 2 PFs on our production DC).

To prevent anything nasty happening, we forbade production VLANs on the switches' uplink ports and only allowed management traffic to allow us to perform the upgrade.

Things went smoothly but when we brought the production VLANs up again at layer 2 on the switches, when spanning-tree converged we had again a double MASTER problem.

I understand I could have avoided it by destroying/recreating the CARP interfaces, but even in this case there is a split second during which both firewalls are CARP MASTER.

Is there any way to force CARP to assume INIT state for some time when coming up, and only after X seconds either become MASTER or BACKUP ?

Any other idea how to solve this, guys ?
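A simplified model of the election, added here as an illustration and not taken from carp(4) or from any reply on the list: two nodes with the advskew values from the message (50 and 100), the CARP timing convention (a node advertises every advbase + advskew/256 seconds, a BACKUP declares the MASTER dead after three such intervals), and two start-up policies for the node that comes back. "announce" becomes MASTER and advertises immediately, which reproduces the double-MASTER window described above; "listen" starts as BACKUP and claims MASTER only when the master-down timeout expires, the INIT-then-decide behaviour the message asks for. The node names, the millisecond tick, the policy names and the simplified tie handling are assumptions of this model, and it makes no claim about what FreeBSD's carp does internally.

```python
"""Toy model of CARP master election, added for this thread; it is not the
FreeBSD carp(4) implementation.  Advertisement timing follows the CARP
convention: interval = advbase + advskew/256 seconds, and a BACKUP treats the
MASTER as dead after three intervals without an advertisement.  Ticks are ms."""

ADVBASE = 1  # seconds; the carp(4) default advbase


def adv_interval_ms(advskew, advbase=ADVBASE):
    """Milliseconds between advertisements for a node with this advskew."""
    return int((advbase + advskew / 256.0) * 1000)


def master_down_ms(advskew, advbase=ADVBASE):
    """A BACKUP's master-down timeout: three missed advertisements."""
    return 3 * adv_interval_ms(advskew, advbase)


class Node:
    def __init__(self, name, advskew, policy):
        self.name, self.advskew, self.policy = name, advskew, policy
        self.state = "INIT"
        self.next_adv = None        # ms at which a MASTER next advertises
        self.master_down_at = None  # ms at which a BACKUP stops waiting

    def bring_up(self, now):
        if self.policy == "announce":
            # Model of what the thread observes: claim MASTER at once.
            self.state, self.next_adv = "MASTER", now
        else:  # "listen": stay BACKUP until the master-down timer expires
            self.state = "BACKUP"
            self.master_down_at = now + master_down_ms(self.advskew)

    def on_tick(self, now, wire):
        if self.state == "MASTER" and now >= self.next_adv:
            wire.append((self.name, self.advskew))
            self.next_adv = now + adv_interval_ms(self.advskew)
        elif self.state == "BACKUP" and now >= self.master_down_at:
            self.state, self.next_adv = "MASTER", now   # master is gone

    def on_advertisement(self, now, sender, sender_skew):
        if sender == self.name or self.state in ("INIT", "DOWN"):
            return
        if self.state == "MASTER" and sender_skew < self.advskew:
            self.state = "BACKUP"            # a better MASTER exists
        if self.state == "BACKUP":
            if sender_skew > self.advskew:   # preempt a worse MASTER
                self.state, self.next_adv = "MASTER", now
            else:                            # equal skew: tie-break ignored
                self.master_down_at = now + master_down_ms(self.advskew)


def simulate(policy, existing_skew=50, new_skew=100, up_at=500,
             existing_down_at=None, horizon=10_000):
    """PF1 is MASTER from t=0; PF2 comes up at `up_at` ms with `policy`.
    Returns how many ms both were MASTER, when PF2 became the sole MASTER
    (None if never) and the final states."""
    pf1 = Node("PF1", existing_skew, "announce")
    pf2 = Node("PF2", new_skew, policy)
    pf1.bring_up(0)
    overlap, took_over_at = 0, None
    for now in range(horizon):
        if now == up_at:
            pf2.bring_up(now)
        if now == existing_down_at:
            pf1.state = "DOWN"               # PF1 lost its link / rebooted
        wire = []
        for n in (pf1, pf2):
            n.on_tick(now, wire)
        for sender, skew in wire:
            for n in (pf1, pf2):
                n.on_advertisement(now, sender, skew)
        if pf1.state == "MASTER" and pf2.state == "MASTER":
            overlap += 1
        elif pf2.state == "MASTER" and took_over_at is None:
            took_over_at = now
    return {"overlap_ms": overlap, "took_over_at": took_over_at,
            "states": {pf1.name: pf1.state, pf2.name: pf2.state}}


if __name__ == "__main__":
    for policy in ("announce", "listen"):
        print(policy, simulate(policy))
    print("listen, PF1 goes down at 3 s:", simulate("listen", existing_down_at=3000))
```

With the advskew values from the message, the "announce" node is MASTER alongside PF1 for 695 ms, until PF1's next advertisement (every 1195 ms) demotes it; the "listen" node never overlaps, yet still takes over 4170 ms (three of its own intervals) after PF1's last advertisement when PF1 goes away, so the delayed start costs nothing in failover.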