From owner-freebsd-questions@FreeBSD.ORG Sat Aug 26 20:32:28 2006
Date: Sat, 26 Aug 2006 15:02:10 -0500
From: "J.D. Bronson"
To: freebsd-questions@freebsd.org
Subject: ipfilter on 6.1
Message-Id: <7.0.1.0.2.20060826150124.01982d10@sixcompanies.com>

I got a full load of 6.1p4 installed and all built. I have pppoe and ipfilter running almost perfectly. Clients can use the machine (as a router) and get out perfectly! No issues with network performance at all.

I am very pleased...until...

I found out that the router itself can't get out 100%.

My ipconfig is basically this:

bge0 - 10.43.82.174
  alias 10.43.82.171 - for bind9 views
  alias 10.43.82.51 - for bind9 views
bge1 - connected to dsl modem

Well, I can't even telnet from the machine to itself! 'destination unreachable'

DNS requests from the server itself (to itself - it runs bind) are unanswered, yet it is able to fully answer requests from internal or external clients...just not itself!

If I use a public DNS server -or- use the IP of the machine I want to connect up to, the router is able to get out and uses the correct IP.
I used the same configs from solaris on here (ipf.conf and ipnat.conf) and only needed to change sppp0 to tun0. This should take care of anything the machine itself needs:

============ipf.conf======================
# Pass LAN traffic to/from bge0
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags
# Pass traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags
==========================================

I am totally baffled. It's like I am being blocked somehow, but even with ipfilter WIDE open - traffic still won't pass.

I am wondering if this is some quirk with the interface aliases...although running the basic same setup on solaris - it works perfectly.

-JD