From owner-freebsd-pf@FreeBSD.ORG Mon Oct 16 11:08:31 2006
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 16 Oct 2006 11:08:29 GMT
Message-Id: <200610161108.k9GB8TIL028233@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
f kern/86072   pf    [pf] Packet Filter rule not working properly (with SYN
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o sparc/93530  pf    Incorrect checksums when using pf's route-to on sparc6

4 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/81042   pf    [pf] [patch] /etc/pf.os doesn't match FreeBSD 5.3->5.4
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/94992   pf    [pf] [patch] pfctl complains about ALTQ missing
o kern/103304  pf    pf accepts nonexistent queue in rules

4 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 09:49:10 2006
From: "Tz-Huan Huang"
Reply-To: tzhuan@csie.org
To: freebsd-pf@freebsd.org
Date: Wed, 18 Oct 2006 17:49:08 +0800
Message-ID: <6a7033710610180249se539921m3a753b46a90fb962@mail.gmail.com>
Subject: Question about binat and nat in the same domain

Hi,

There is a FreeBSD box running pf as a firewall. There are two types of internal computers. One type is servers: they are set to fixed IPs (int_server_ipN) and mapped to external IPs (ext_server_ipN) using binat. The other type is clients: they get their IPs from the DHCP server dynamically. The IPs of servers and clients are in the same domain. Following is the pf.conf:

    binat on $ext_if from $int_server_ip1 to any -> $ext_server_ip1
    binat on $ext_if from $int_server_ip2 to any -> $ext_server_ip2
    binat on $ext_if from $int_server_ip3 to any -> $ext_server_ip3
    ...
    nat on $ext_if from $int_if:network to any -> $ext_ip
    pass quick all keep state

and I use ``arp -s [ext ip] [mac] pub'' to bind the $ext_server_ips on $ext_if.

Basically everything is right: the internal servers serve as if they were external, and all clients can reach the internet fine. The problem is: clients cannot connect to the servers via their external IPs. For example, "ping $ext_server_ip1" on one client gets no response. tcpdump gives the following log:

    17:16:43.005360 IP $client_ip > $ext_server_ip1: ICMP echo request, id 768, seq 61440, length 40
    17:16:43.005430 IP $ext_ip > $int_server_ip1: ICMP echo request, id 59065, seq 61440, length 40
    17:16:43.005732 IP $int_server_ip1 > $ext_ip: ICMP echo reply, id 59065, seq 61440, length 40
    17:16:48.506471 IP $client_ip > $ext_server_ip1: ICMP echo request, id 768, seq 61696, length 40
    17:16:48.506531 IP $ext_ip > $int_server_ip1: ICMP echo request, id 59065, seq 61696, length 40
    17:16:48.506719 IP $int_server_ip1 > $ext_ip: ICMP echo reply, id 59065, seq 61696, length 40
    ...

The strange thing is that the firewall doesn't translate the echo reply back to $client_ip. What's the problem? Is anything wrong in my configuration?

Thanks very much for your help.

tzhuan
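The trace in the post above is the classic NAT reflection (hairpin) case: a LAN client addresses the server by its public binat address, the request is pushed through the translation rules on $ext_if, and the server's reply is addressed to the firewall's own $ext_ip rather than to the client. The OpenBSD PF FAQ handles this with an rdr on the internal interface plus a nat on that same interface so that the reply is forced back through the firewall. The following pf.conf is an added example of that pattern adapted to binat; it is not the poster's configuration. The interface names and the addresses are placeholders chosen for the example, not values from the post.

```conf
# Added example (not the poster's pf.conf): let LAN clients reach a
# binat'ed server through its public address.  Interface names and
# addresses are placeholders, not values from the original post.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = $int_if:network

ext_ip         = "203.0.113.1"     # firewall's own address on $ext_if
int_server_ip1 = "192.168.1.10"
ext_server_ip1 = "203.0.113.10"    # public address, ARP-published on $ext_if

# Translation for traffic that really crosses $ext_if, as in the post.
# For outbound packets pf checks binat before nat, so the server keeps
# its 1:1 mapping and everything else on the LAN shares $ext_ip.
binat on $ext_if from $int_server_ip1 to any -> $ext_server_ip1
nat on $ext_if from $int_net to any -> $ext_ip

# Reflection for LAN clients.  rdr on the *internal* interface rewrites
# the destination as the packet arrives, before the routing decision, so
# the packet is forwarded straight back out $int_if and never reaches
# the binat/nat rules on $ext_if.
rdr on $int_if from $int_net to $ext_server_ip1 -> $int_server_ip1

# Connections the firewall itself opens into the LAN stay untranslated.
no nat on $int_if from $int_if to $int_net

# Without this the server would answer the client directly, with a source
# of $int_server_ip1 that the client never asked for, and the client would
# drop the reply.  Rewriting the client's source to the firewall's LAN
# address forces the reply back through the firewall, where the rdr state
# and this nat state reverse both rewrites.
nat on $int_if from $int_net to $int_server_ip1 -> ($int_if)

pass quick all keep state
```

The price of the hairpin is that the server now sees every reflected connection as coming from the firewall's LAN address, so its logs and any host-based access control lose the real client; split-horizon DNS that answers LAN clients with the private address avoids the reflection entirely. After loading the ruleset, `pfctl -s state` while a client pings the public address should show a translation state on $int_if for the rdr and another for the nat, and the reply should arrive at the client with $ext_server_ip1 as its source.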
From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 13:56:02 2006
From: Martin Turgeon
To: freebsd-pf@freebsd.org, freebsd-bugs@freebsd.org, freebsd-questions@freebsd.org
Date: Wed, 18 Oct 2006 09:56:12 -0400
Message-id: <0J7C00A3541CUN90@VL-MH-MR001.ip.videotron.ca>
Subject: Routing with external interface doesn't work after a while

Hi everyone,

I've been reading the mailing list for a while, but it's my first post. I'm not sure what is causing the problem, so I'm posting to multiple lists.

I'm running FreeBSD 6.1 on a Celeron 2.8GHz with 512 MB of RAM. It looks like after a while (a couple of weeks) the routing isn't working anymore, but only with the external interface (the one connected to my cable modem from Videotron in Montreal). The box is acting as the gateway of the network with PF, OpenVPN 2.0.5-1 and ISC-DHCPd 3.0.3-1 running. The problem also occurred on FreeBSD 6.0 on another box.

The routing table looks OK.

The external interface is still receiving ARP requests but nothing is going out from my internal network. When I run tcpdump on my internal interface I can see the requests to the DNS server of my ISP, but running tcpdump on the external interface isn't showing anything related to that. It's as if the packets disappeared. tcpdump on pflog0 isn't showing any good traffic being blocked.

Here's what I tried with no result:

    I tried to flush the states with pfctl -Fs
    I tried to reload the NAT with pfctl -N

The solution was to renew the address of the external interface with dhclient fxp0.

I looked back at the routing table after the dhclient fxp0 and nothing changed except the address of the default gateway, because my IP address changed subnet.

I don't think it's related to the ISP because I'm not seeing any packets going out of the external interface.

Here is a little more detail about the box:

uname -a:
FreeBSD gateway.bureau.own 6.1-RELEASE-p5 FreeBSD 6.1-RELEASE-p5 #2: Fri Sep 15 14:59:44 EDT 2006 root@gateway.bureau.own:/usr/src/sys/i386/compile/OPTIK i386

The external interface is an Intel 10/100 onboard an Asus motherboard with the fxp driver.

Thanks for your help

Martin

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 14:30:06 2006
From: Erik Norgaard
To: Martin Turgeon
Cc: freebsd-bugs@freebsd.org, freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 18 Oct 2006 16:30:02 +0200
Message-ID: <45363A6A.4040607@locolomo.org>
In-Reply-To: <0J7C00A3541CUN90@VL-MH-MR001.ip.videotron.ca>
Subject: Re: Routing with external interface doesn't work after a while

Martin Turgeon wrote:
> I've been reading the mailing list for a while, but it's my first post. I'm
> not sure what is causing the problem so I'm posting to multiple lists. I'm
> running FreeBSD 6.1 on a Celeron 2.8GHz with 512Mo of RAM. It looks likes
> after a while (a couple of weeks) the routing isn't working anymore, but
> only with the external interface (the one connected to my cable modem from
> Videotron in Montreal). The box is acting as the gateway of the network with
> PF, OpenVPN 2.0.5-1 and ISC-DHCPd 3.0.3-1 running. The problem also occurred
> on FreeBSD 6.0 on another box.

Is your external IP configured with DHCP? I would guess this is because your IP on the external interface changes. Your NAT rules will still go to the old IP and hence nowhere. If reloading your pf ruleset solves the problem, then this is a strong indication.

There is some trick to handle that, IIRC something like this would do:

    ext_if=fxp0 # external interface
    nat on $ext_if from to ! -> ($ext_if)

The () means that pf will look up the IP on that interface, and update dynamically when the IP changes.

Well, that's how I remember it, I couldn't find where I've seen it, but there is a trick like this.

Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 14:52:58 2006
From: Marc Chabot
To: Martin Turgeon
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 Oct 2006 10:52:24 -0400
Message-Id: <20061018101558.7B28.MARCCHABOT@marcchabot.com>
In-Reply-To: <0J7C00A3541CUN90@VL-MH-MR001.ip.videotron.ca>
Subject: Re: Routing with external interface doesn't work after a while

hello Martin Turgeon,

On Wed, 18 Oct 2006 09:56:12 -0400
Martin Turgeon wrote:

MT> running FreeBSD 6.1 on a Celeron 2.8GHz with 512Mo of RAM.
MT> It looks likes
MT> after a while (a couple of weeks) the routing isn't working anymore, but
MT> only with the external interface (the one connected to my cable modem from
MT> Videotron in Montreal). The box is acting as the gateway of the network with
MT> PF, OpenVPN 2.0.5-1 and ISC-DHCPd 3.0.3-1 running. The problem also occurred
MT> on FreeBSD 6.0 on another box.

MT> The solution was to renew the address of the external interface with
MT> dhclient fxp0.

Oh... Videotron dynamic cable modem...

About 2 years ago, Videotron had problems with their DHCP; it took them quite some time to fix it. They had to shrink the lease time to 4 hours, 8 hours and the like. I, friends and the majority of our customers using Videotron dynamic were calling because internet traffic stopped. Many customers were using cheapo NAT boxes (D-Link, Linksys, you name it) of all makes with different firmware versions, a few with Cisco PIX 501s, etc...

The solution? Same as yours: renew the address of the external interface (or simply power cycle the NAT box for end users).

And since Videotron seems to glue IPs to MAC addresses, users keep their public IP for many months. I have never had one stick for more than 11 months though, but 8 to 9 months is common. Comically, some home users desperate to change IPs had to change NIC or clone a MAC address inside their NAT boxes and then power cycle the cable modem (to clear the modem's ARP) to get a different public IP address.

That was quite a while ago. Now, sometimes I see such behaviour for myself, but just localized, no customers calling en masse. When it happens to me (once every two months?) my mail client beeps and wakes me in the middle of the night, and when I go check my mail servers, well, the whole internet is inaccessible; I renew the address of the external interface, and voila. In some cases I had to power cycle the cable modem. It seems to always happen in the middle of the night, at a time that is appropriate for them to play with their equipment and disturb as few customers as possible. Having had my share of their pretty much useless customer service, I didn't bother to call them and confirm this.

And I'm not using a *BSD box at home. At first glance, it does not look like a *BSD bug.

Drop the Videotron home service and call VTL (Videotron Telecom Limitee) to get a business static IP address; they put a Cisco SOHO 91 between your cable modem and your router to give you a static IP. Besides, the support service of Videotron home is just as catastrophically lousy as Sympatico and others, while in some cases I was surprised to hear that some employees of VTL have a clue. The business side of Videotron is more competent than the residential side.

--
Best regards,
mail to: MarcChabot@MarcChabot.com
SysAdmin & MailAdmin for http://www.caminfo.ca

I find television very educating. Every time somebody turns on the T.V., I go into the other room and read a book.
--Groucho Marx

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 15:20:49 2006
From: Joe
To: Erik Norgaard
Cc: freebsd-pf@freebsd.org, freebsd-bugs@freebsd.org, freebsd-questions@freebsd.org
Date: Wed, 18 Oct 2006 08:20:35 -0700
Message-ID: <45364643.7010103@gmail.com>
In-Reply-To: <45363A6A.4040607@locolomo.org>
Subject: Re: Routing with external interface doesn't work after a while

Erik Norgaard wrote:
> There is some trick to handle that, IIRC something like this would do:
>
> ext_if=fxp0 # external interface
> nat on $ext_if from to ! -> ($ext_if)
>
> The () means that pf will lookup the ip on that interface, and update
> dynamically when the ip changes.
>

That is correct.
From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 15:31:23 2006
From: Martin Turgeon
To: 'Erik Norgaard'
Cc: freebsd-bugs@freebsd.org, freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 18 Oct 2006 11:28:50 -0400
Message-id: <0J7C00COK8BPD6L1@VL-MH-MR002.ip.videotron.ca>
In-reply-to: <45363A6A.4040607@locolomo.org>
Subject: RE: Routing with external interface doesn't work after a while

The NAT rules are already written that way:

    nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if)
    nat on $wan_if tag WLS_WAN_NAT tagged WLS_WAN -> ($wan_if)
    nat on $wan_if tag AP_WAN_NAT tagged AP_WAN -> ($wan_if)
    nat on $wan_if tag VPN_WAN_NAT tagged VPN_WAN -> ($wan_if)

Thanks anyway

Martin

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 16:37:55 2006
From: Erik Norgaard
To: Martin Turgeon
Cc: freebsd-bugs@freebsd.org, freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Date: Wed, 18 Oct 2006 18:37:42 +0200
Message-ID: <45365856.90508@locolomo.org>
In-Reply-To: <0J7C00A3541CUN90@VL-MH-MR001.ip.videotron.ca>
Subject: Re: Routing with external interface doesn't work after a while

Martin Turgeon wrote:
> I've been reading the mailing list for a while, but it's my first post. I'm
> not sure what is causing the problem so I'm posting to multiple lists. I'm
> running FreeBSD 6.1 on a Celeron 2.8GHz with 512Mo of RAM. It looks likes
> after a while (a couple of weeks) the routing isn't working anymore, but
> only with the external interface (the one connected to my cable modem from
> Videotron in Montreal). The box is acting as the gateway of the network with
> PF, OpenVPN 2.0.5-1 and ISC-DHCPd 3.0.3-1 running. The problem also occurred
> on FreeBSD 6.0 on another box.

OK, this can take a long time to solve if the problem only reoccurs after some weeks. Can you reproduce it at a faster rate?

> The routing table looks ok.
>
> The external interface is still receiving ARP requests but nothing is going
> out from my internal network.

OK, so your internal network can't get out. But can you get out from the gateway? I mean, try logging in to the gateway and pinging the default gateway. Do you get replies? Do you see packets going out when sniffing?

> Here's what I tried with no result:
>
> I tried to flush the states with pfctl -Fs
> I tried to reload the NAT with pfctl -N
>
> The solution was to renew the address of the external interface with
> dhclient fxp0.
>
> I looked back at the routing table after the dhclient fxp0 and nothing
> changed except the address of the default gateway because my IP address
> changed of subnetwork.

While the gateway is working, dump the output of ifconfig and "route get default" into a file. When it stops working, do it again. Repeat after you have restored the connection. Did anything change from when it worked till it stopped working?
Cheers, Erik -- Ph: +34.666334818 web: http://www.locolomo.org X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9 From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 16:41:38 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7BA2516A407; Wed, 18 Oct 2006 16:41:38 +0000 (UTC) (envelope-from norgaard@locolomo.org) Received: from strange.daemonsecurity.com (59.Red-81-33-11.staticIP.rima-tde.net [81.33.11.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8CFD743D6B; Wed, 18 Oct 2006 16:41:19 +0000 (GMT) (envelope-from norgaard@locolomo.org) Received: from [192.168.7.193] (68.Red-80-34-55.staticIP.rima-tde.net [80.34.55.68]) by strange.daemonsecurity.com (Postfix) with ESMTP id 11DFC2E024; Wed, 18 Oct 2006 18:41:17 +0200 (CEST) Message-ID: <45365929.8060608@locolomo.org> Date: Wed, 18 Oct 2006 18:41:13 +0200 From: Erik Norgaard User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) MIME-Version: 1.0 To: Martin Turgeon References: <0J7C00COK8BPD6L1@VL-MH-MR002.ip.videotron.ca> In-Reply-To: <0J7C00COK8BPD6L1@VL-MH-MR002.ip.videotron.ca> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-bugs@freebsd.org, freebsd-questions@freebsd.org, freebsd-pf@freebsd.org Subject: Re: Routing with external interface doesn't work after a while X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Oct 2006 16:41:38 -0000 Martin Turgeon wrote: > The NAT rules are already written that way: > > nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if) > nat on $wan_if tag WLS_WAN_NAT tagged WLS_WAN -> ($wan_if) > 
nat on $wan_if tag AP_WAN_NAT tagged AP_WAN -> ($wan_if) > nat on $wan_if tag VPN_WAN_NAT tagged VPN_WAN -> ($wan_if) How are your tags created? If somewhere in the nat/tag/filtering process you've missed the dynamic update of the external ip it may fail there... Cheers, Erik -- Ph: +34.666334818 web: http://www.locolomo.org X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9 From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 19:12:59 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7AC8716A403; Wed, 18 Oct 2006 19:12:59 +0000 (UTC) (envelope-from turgeon.martin@gmail.com) Received: from relais.videotron.ca (relais.videotron.ca [24.201.245.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB60343D68; Wed, 18 Oct 2006 19:12:58 +0000 (GMT) (envelope-from turgeon.martin@gmail.com) Received: from martinlaptop ([70.81.169.115]) by VL-MO-MR003.ip.videotron.ca (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005)) with ESMTP id <0J7C00MEKIPJGZE0@VL-MO-MR003.ip.videotron.ca>; Wed, 18 Oct 2006 15:12:58 -0400 (EDT) Date: Wed, 18 Oct 2006 15:13:11 -0400 From: Martin Turgeon In-reply-to: <45365929.8060608@locolomo.org> To: 'Erik Norgaard' Message-id: <0J7C00MEQIPLGZE0@VL-MO-MR003.ip.videotron.ca> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2962 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: quoted-printable Thread-index: Acby1D0tVD9LpsITQNG7WmP9k/pz/wAFO2WA Cc: freebsd-bugs@freebsd.org, freebsd-questions@freebsd.org, freebsd-pf@freebsd.org Subject: RE: Routing with external interface doesn't work after a while X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions 
about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Oct 2006 19:12:59 -0000 You're right on this, the filtering rules aren't written with the = brackets. But isn't pf routing the packets to an interface instead of an IP = address. Thanks a lot Martin -----Message d'origine----- De=A0: Erik Norgaard [mailto:norgaard@locolomo.org]=20 Envoy=E9=A0: 18 octobre 2006 12:41 =C0=A0: Martin Turgeon Cc=A0: freebsd-pf@freebsd.org; freebsd-bugs@freebsd.org; freebsd-questions@freebsd.org Objet=A0: Re: Routing with external interface doesn't work after a while Martin Turgeon wrote: > The NAT rules are already written that way: >=20 > nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if) > nat on $wan_if tag WLS_WAN_NAT tagged WLS_WAN -> ($wan_if) > nat on $wan_if tag AP_WAN_NAT tagged AP_WAN -> ($wan_if) > nat on $wan_if tag VPN_WAN_NAT tagged VPN_WAN -> ($wan_if) How are your tags created? If somewhere in the nat/tag/filtering process = you've missed the dynamic update of the external ip it may fail = there... 
Cheers, Erik
-- 
Ph: +34.666334818
web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9

From owner-freebsd-pf@FreeBSD.ORG Thu Oct 19 16:59:32 2006
From: Michael Andresen
Date: Thu, 19 Oct 2006 11:58:29 -0500
Subject: carp_input: received len 20 < sizeof(struct carp_header)

CARP_LOG was logging thousands of "carp_input: received len 20 < sizeof(struct carp_header)" in my local /var/log/messages file. After hours of research (and a lot of kernel rebuilds), I discovered some Freevrrpd multicast packets on my network that were triggering CARP_LOG to produce this message. Once I disabled Freevrrpd on the other servers, the carp_input messages stopped. Yippee!

I hope this helps someone.
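The message in Michael's log is the first sanity check in carp_input(): any IP protocol 112 payload shorter than struct carp_header is dropped and, with CARP_LOG, reported. VRRP and CARP share protocol number 112, the 224.0.0.18 multicast group and the version 2 / type 1 first byte, so a VRRP speaker on the segment hits that check on every advertisement. The script below is an added example, not code from the post or from FreeBSD; it reproduces the check over constructed packets using the public layouts (struct carp_header from FreeBSD's netinet/ip_carp.h, 36 bytes on the wire; the VRRPv2 advertisement from RFC 3768, 8 fixed bytes plus 4 per virtual address plus 8 bytes of auth data), which is why a one-address freevrrpd advertisement is exactly 20 bytes. The builder and classifier function names are this example's own.

```python
"""Reproduce carp_input()'s length check on IP protocol 112 payloads.

Added example: not code from the post or from FreeBSD. Layouts used:
  - struct carp_header (FreeBSD netinet/ip_carp.h): type/version, vhid, advskew,
    authlen, pad, advbase, cksum, counter[2], md[20] -> 36 bytes on the wire
  - VRRPv2 advertisement (RFC 3768): 8-byte fixed part, 4 bytes per virtual IP,
    8 bytes of authentication data
"""
import struct

CARP_HEADER_FMT = "!BBBBBBHII20s"
CARP_HEADER_LEN = struct.calcsize(CARP_HEADER_FMT)  # sizeof(struct carp_header) == 36
CARP_AUTHLEN = 7  # CARP fills carp_authlen with 7 (7 x 4 bytes = counter + 20-byte HMAC)

VRRP2_FIXED_LEN = 8
VRRP2_AUTH_LEN = 8
ADVERT_VERSION_TYPE = 0x21  # version 2, type 1 (advertisement): shared by CARP and VRRPv2


def carp_input_would_reject(payload: bytes) -> bool:
    """True when carp_input() would log 'received len N < sizeof(struct carp_header)'."""
    return len(payload) < CARP_HEADER_LEN


def vrrp2_expected_len(count_ip: int) -> int:
    """Total length of a VRRPv2 advertisement carrying count_ip virtual addresses."""
    return VRRP2_FIXED_LEN + 4 * count_ip + VRRP2_AUTH_LEN


def classify_proto112(payload: bytes) -> str:
    """Return 'carp', 'vrrp2', 'short' or 'unknown'.

    Both protocols put version 2 / type 1 in byte 0, so byte 3 (carp_authlen for
    CARP, count_ip for VRRPv2) together with the total length is the discriminator.
    """
    if len(payload) < VRRP2_FIXED_LEN:
        return "short"
    if payload[0] != ADVERT_VERSION_TYPE:
        return "unknown"
    if len(payload) == CARP_HEADER_LEN and payload[3] == CARP_AUTHLEN:
        return "carp"
    if len(payload) == vrrp2_expected_len(payload[3]):
        return "vrrp2"
    return "unknown"


def build_vrrp2_advert(vrid: int, priority: int, vips: list, adver_int: int = 1) -> bytes:
    """Constructed VRRPv2 advertisement (auth type 0, checksum left zero)."""
    hdr = struct.pack("!BBBBBBH", ADVERT_VERSION_TYPE, vrid, priority, len(vips), 0, adver_int, 0)
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in vips)
    return hdr + addrs + b"\x00" * VRRP2_AUTH_LEN


def build_carp_advert(vhid: int, advskew: int = 0, advbase: int = 1) -> bytes:
    """Constructed CARP advertisement with zeroed checksum, counter and HMAC."""
    return struct.pack(CARP_HEADER_FMT, ADVERT_VERSION_TYPE, vhid, advskew,
                       CARP_AUTHLEN, 0, advbase, 0, 0, 0, b"\x00" * 20)


def describe(payload: bytes) -> str:
    """One-line verdict in the shape of the kernel log message."""
    kind = classify_proto112(payload)
    if carp_input_would_reject(payload):
        return f"{kind}: carp_input: received len {len(payload)} < sizeof(struct carp_header)"
    return f"{kind}: passes the carp_input length check"


if __name__ == "__main__":
    # A freevrrpd advertisement with one virtual IP is exactly 20 bytes, the case in the post.
    print(describe(build_vrrp2_advert(1, 100, ["192.0.2.1"])))
    print(describe(build_carp_advert(1)))
```

A VRRPv2 advertisement with five addresses is also 36 bytes, so length alone is not enough to tell the two apart; the classifier therefore checks byte 3 as well, which is 7 in every CARP advertisement and the address count in VRRP.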
From owner-freebsd-pf@FreeBSD.ORG Thu Oct 19 18:10:39 2006
From: Martin Turgeon
To: freebsd-pf@freebsd.org
Date: Thu, 19 Oct 2006 14:09:20 -0400
Subject: Details about tags

Hi,

I was running PF with tags for a while but I learnt yesterday that half of my config was useless. In fact, every out rule that was checking the tags was never triggered because of the keep state on the in rules. I followed the FAQ on the OpenBSD website (http://openbsd.org/faq/pf/tagging.html) but I think it's missing a modification on the state-policy to set it to if-bound so that the out rules are triggered. But then, what is the point of using tags?

Thanks,

Martin

Here are the interesting sections of my pf.conf:

wan_if="fxp0"
lan_if="em0"
wls_if="ath0"
vpn_if="tun0"
ap_if="xl0"

### Scrub ###
scrub on $wan_if all

### NAT ###
nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if)
nat on $wan_if tag WLS_WAN_NAT tagged WLS_WAN -> ($wan_if)
nat on $wan_if tag AP_WAN_NAT tagged AP_WAN -> ($wan_if)
nat on $wan_if tag VPN_WAN_NAT tagged VPN_WAN -> ($wan_if)
nat pass on $wan_if from $wan_if to any -> ($wan_if)

### Default block ###
block log all

### Tag definitions ###
# LAN interface
pass in on $lan_if from $lan_if:network tag LAN_WAN keep state
pass in on $lan_if from $lan_if:network to $wls_if:network \
    tag LAN_WLS keep state
pass in on $lan_if from $lan_if:network to $ap_if:network tag LAN_AP keep state
pass in on $lan_if from $lan_if:network to ($vpn_if:network) tag LAN_VPN keep state
# WLS interface
pass in on $wls_if from $wls_if:network tag WLS_WAN keep state
pass in on $wls_if from $wls_if:network to $lan_if:network \
    tag WLS_LAN keep state
pass in on $wls_if from $wls_if:network to $ap_if:network tag WLS_AP keep state
pass in on $wls_if from $wls_if:network to ($vpn_if:network) tag WLS_VPN keep state
# VPN interface
pass in on $vpn_if from ($vpn_if:network) tag VPN_WAN keep state
pass in on $vpn_if to $lan_if:network tag VPN_LAN keep state
pass in on $vpn_if from ($vpn_if:network) to $ap_if:network tag VPN_AP keep state
pass in on $vpn_if from ($vpn_if:network) to $wls_if:network tag VPN_WLS keep state
# AP interface
pass in on $ap_if from $ap_if:network tag AP_WAN keep state
pass in on $ap_if from $ap_if:network to $lan_if:network tag AP_LAN keep state
pass in on $ap_if from $ap_if:network to $wls_if:network tag AP_WLS keep state
pass in on $ap_if from $ap_if:network to ($vpn_if:network) tag AP_VPN keep state

### Security policies ###
# IN for WAN

# OUT for WAN
pass out quick on $wan_if tagged LAN_WAN_NAT flags S/SA keep state
pass out quick on $wan_if tagged WLS_WAN_NAT flags S/SA keep state
pass out quick on $wan_if tagged VPN_WAN_NAT flags S/SA keep state
pass out quick on $wan_if tagged AP_WAN_NAT flags S/SA keep state

# OUT for LAN
pass out quick on $lan_if tagged WLS_LAN flags S/SA keep state
pass out quick on $lan_if tagged WAN_WIKI flags S/SA keep state
pass out quick on $lan_if tagged WAN_NOTRE_RDP flags S/SA keep state
pass out quick on $lan_if tagged VPN_LAN flags S/SA keep state
pass out quick on $lan_if tagged AP_LAN flags S/SA keep state
pass out quick on $lan_if tagged WAN_BAREBONE flags S/SA keep state

# OUT for WLS
pass out quick on $wls_if tagged LAN_WLS flags S/SA keep state
pass out quick on $wls_if tagged VPN_WLS flags S/SA keep state
# AP -> WLS traffic carries the AP_WLS tag set on $ap_if
pass out quick on $wls_if tagged AP_WLS flags S/SA keep state

# OUT for AP
pass out quick on $ap_if tagged LAN_AP flags S/SA keep state
pass out quick on $ap_if tagged VPN_AP flags S/SA keep state
pass out quick on $ap_if tagged WLS_AP flags S/SA keep state
pass out quick on $ap_if tagged WLS_AP_NAT flags S/SA keep state
#pass out quick on $ap_if tagged WAN_JN flags S/SA keep state

# OUT for VPN
pass out quick on $vpn_if tagged WLS_VPN flags S/SA keep state
pass out quick on $vpn_if tagged LAN_VPN flags S/SA keep state
pass out quick on $vpn_if tagged AP_VPN flags S/SA keep state
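Whether the tagged out rules are ever reached is something pf's own counters answer directly: with -v, pfctl follows every rule with an Evaluations/Packets/Bytes/States line, and a packet passed by an existing state never reaches rule evaluation at all, so such rules show Evaluations 0, while a rule that is evaluated but whose tag is never present on that path shows Evaluations greater than 0 and Packets 0. The script below is an added example (not from Martin's post or from pfctl); the sample output is constructed in the shape of pfctl -vsn and pfctl -vsr output for a ruleset like the one above, and the helper names are this example's own. It also lists tags that rules filter on with tagged but that no listed rule sets with tag (WLS_AP_NAT in the excerpt above, unless a section not quoted sets it).

```python
"""Find pf tag rules that never carried traffic, from pfctl -v counters.

Added example: not code from the post or from pfctl. Assumes the verbose
rule listing format, where each rule line is followed by a bracketed
'[ Evaluations: N  Packets: N  Bytes: N  States: N ]' line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
SETS_TAG_RE = re.compile(r"\btag\s+(\S+)")        # 'tag X'  (does not match 'tagged')
MATCHES_TAG_RE = re.compile(r"\btagged\s+(\S+)")  # 'tagged X'


@dataclass
class Rule:
    text: str
    evaluations: int
    packets: int
    sets_tag: Optional[str]
    matches_tag: Optional[str]


def parse_pfctl_verbose(output: str) -> List[Rule]:
    """Pair each rule line with the counter line that follows it."""
    rules: List[Rule] = []
    pending: Optional[str] = None
    for line in output.splitlines():
        m = COUNTER_RE.search(line)
        if m and pending is not None:
            evaluations, packets = int(m.group(1)), int(m.group(2))
            s = SETS_TAG_RE.search(pending)
            t = MATCHES_TAG_RE.search(pending)
            rules.append(Rule(pending, evaluations, packets,
                              s.group(1) if s else None, t.group(1) if t else None))
            pending = None
        elif line.strip() and not line.startswith(" "):
            pending = re.sub(r"^@\d+\s+", "", line.strip())  # drop the -vv '@N' rule number
    return rules


def dead_tag_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that filter on a tag but never passed a packet, with the reason the counters show."""
    findings = []
    for r in rules:
        if r.matches_tag is None or r.packets > 0:
            continue
        if r.evaluations == 0:
            why = "never evaluated: traffic was handled before this rule (an existing state or an earlier quick rule)"
        else:
            why = "evaluated but never matched: no packet carrying this tag reached this rule"
        findings.append((r.text, why))
    return findings


def undefined_tags(rules: List[Rule]) -> Set[str]:
    """Tags referenced by 'tagged' that no listed rule sets with 'tag'."""
    defined = {r.sets_tag for r in rules if r.sets_tag}
    return {r.matches_tag for r in rules if r.matches_tag} - defined


# Constructed sample in the shape of 'pfctl -vsn' + 'pfctl -vsr' output (not real output).
SAMPLE_OUTPUT = """\
nat on fxp0 inet all tag LAN_WAN_NAT tagged LAN_WAN -> (fxp0) round-robin
  [ Evaluations: 9120      Packets: 9120      Bytes: 1103220    States: 12    ]
pass in on em0 inet from 192.0.2.0/24 to any keep state tag LAN_WAN
  [ Evaluations: 40211     Packets: 9120      Bytes: 1103220    States: 12    ]
pass in on ath0 inet from 192.0.2.128/25 to 192.0.2.0/25 keep state tag WLS_LAN
  [ Evaluations: 311       Packets: 311       Bytes: 28420      States: 3     ]
pass out quick on fxp0 inet all flags S/SA keep state tagged LAN_WAN_NAT
  [ Evaluations: 0         Packets: 0         Bytes: 0          States: 0     ]
pass out quick on em0 inet all flags S/SA keep state tagged WLS_LAN
  [ Evaluations: 311       Packets: 0         Bytes: 0          States: 0     ]
pass out quick on xl0 inet all flags S/SA keep state tagged WLS_AP_NAT
  [ Evaluations: 0         Packets: 0         Bytes: 0          States: 0     ]
"""

if __name__ == "__main__":
    parsed = parse_pfctl_verbose(SAMPLE_OUTPUT)
    for text, why in dead_tag_rules(parsed):
        print(f"{text}\n    -> {why}")
    print("tags referenced but never set:", sorted(undefined_tags(parsed)))
```

Run it against the real listing with `pfctl -vsn > rules.txt; pfctl -vsr >> rules.txt` and feed the file to parse_pfctl_verbose; counters accumulate since the last `pfctl -F rules` or reload, so clear them first if you want to attribute the numbers to a known test flow.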