From owner-freebsd-net@FreeBSD.ORG Mon Jul 14 19:57:27 2014
Date: Mon, 14 Jul 2014 15:57:26 -0400
From: Zaphod Beeblebrox
To: FreeBSD Net
Subject: ng_iface regression from 9.2 to 10.0
Content-Type: text/plain; charset=UTF-8
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 14 Jul 2014 19:57:27 -0000

I'm going to post again with some new information.

I have a 10.0p6 machine running mpd5 terminating a bunch of l2tp tunnels from subscribers (not encrypted). The specific regression between 9.2 and 10.0 is that hosts on the tunnels cannot communicate with local services. They can ping local IPs, and the server can ping them, but no userland connections can be had. I.e.:

[2:15:315]root@owl:~> ifconfig ng29
ng29: flags=88d1 metric 0 mtu 1436
        inet xx.yy.31.6 --> xx.yy.16.50 netmask 0xffffffff
        inet6 fe80::219:b9ff:fef9:b9e7%ng29 prefixlen 64 scopeid 0x23
        nd6 options=21

[2:16:316]root@owl:~> ping xx.yy.16.50
PING xx.yy.16.50 (xx.yy.16.50): 56 data bytes
64 bytes from xx.yy.16.50: icmp_seq=0 ttl=64 time=11.580 ms
64 bytes from xx.yy.16.50: icmp_seq=1 ttl=64 time=16.515 ms
64 bytes from xx.yy.16.50: icmp_seq=2 ttl=64 time=6.253 ms
^C
--- xx.yy.16.50 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.253/11.449/16.515/4.190 ms

[2:17:317]root@owl:~> ssh xx.yy.16.50
ssh: connect to host xx.yy.16.50 port 22: Operation timed out

It's worth noting, too, that all tunnel-connected hosts have full internet connectivity, as does the tunnel server. Connections from one hop away (i.e. not involving the tunnel server to run the process) work as usual.

It's also worth noting that localhost and local-IP communication on the server are fine (i.e. mpd5 communicates with radiusd running on the same machine).

For interest's sake, xx.yy.16.50 is running mpd5 on 9.2.