Date: Sat, 12 Jul 2003 21:10:30 +0200
From: Matt Douhan <mdouhan@fruitsalad.org>
To: freebsd-net@freebsd.org
Subject: very strange problem
Message-ID: <200307122110.37349.mdouhan@fruitsalad.org>
Hello

I am running FBSD on two firewalls in a scenario like below

internet
|
FW2
|
DMZ
|
FW1
|
internal LAN

FW1 is running ipf and FW2 is running ipf and ipnat.

Hosts on the DMZ can access the internet without problems; ping, traceroute and mail, http, all is working nicely and fast.

Hosts on the internal LAN, however, are seeing VERY strange things. For example, check this out:

9:04pm mdouhan @ [persika] ~ > traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
 1  192.168.15.254 (192.168.15.254)  0.698 ms  0.532 ms  0.410 ms
 2  192.168.254.254 (192.168.254.254)  0.781 ms  0.757 ms  0.744 ms
 3  gw-l3-ktv-hc.koping.net (81.16.160.113)  1.210 ms  1.203 ms  1.263 ms
 4  gw-l3-ktv-it.koping.net (81.16.160.6)  1.546 ms  4.123 ms  1.272 ms
 5  rif3-r1-jvg-kop.arrowhead.com (81.216.90.1)  3.336 ms  2.813 ms  2.649 ms
 6  www.cisco.com (198.133.219.25)  1.278 ms  2.610 ms  1.962 ms

The host "persika" is connected on the internal LAN and is located in Sweden, Europe, and there is NO way it can get to www.cisco.com in 2-3 ms. I don't have any caching or proxies or anything; besides, traceroute does not care about that anyway AFAIK.

The same traceroute from a host on the DMZ shows the correct thing, as follows:

9:05pm mdouhan @ [ananas] ~ > traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
 1  firewall2 (192.168.254.254)  0.671 ms  0.458 ms  0.438 ms
 2  gw-l3-ktv-hc.koping.net (81.16.160.113)  0.901 ms  0.931 ms  0.878 ms
 3  gw-l3-ktv-it.koping.net (81.16.160.6)  1.416 ms  1.191 ms  1.388 ms
 4  rif3-r1-jvg-kop.arrowhead.com (81.216.90.1)  2.345 ms  2.080 ms  2.705 ms
 5  rif2-cr1-vf-kop.arrowhead.com (81.216.2.1)  1.973 ms  2.173 ms  2.263 ms
 6  rif6-cr1-vf-vst.arrowhead.com (81.216.0.53)  3.785 ms  2.708 ms  2.540 ms
 7  rif3-cr1-vf-oby.arrowhead.com (213.187.195.97)  3.363 ms  16.022 ms  3.862 ms
 8  rif47-rs1-t4-sto.arrowhead.com (213.187.195.93)  4.769 ms  4.396 ms  3.999 ms
 9  rif5-cr3-kst-sto.arrowhead.com (81.216.0.137)  5.115 ms  4.624 ms  4.762 ms
10  Gi14-1-kst-p1.sto.se.sn.net (81.216.0.113)  4.496 ms  4.577 ms  4.666 ms
11  pos2-0.vrt-p1.sto.se.sn.net (213.88.255.245)  4.687 ms  4.757 ms  4.806 ms
12  sl-gw20-sto-2-1.sprintlink.net (80.77.97.89)  4.575 ms  4.526 ms  4.576 ms
13  sl-bb21-sto-12-0.sprintlink.net (80.77.96.98)  4.969 ms  5.132 ms  5.526 ms
14  sl-bb21-cop-12-0.sprintlink.net (213.206.129.33)  14.034 ms  *  13.904 ms
15  sl-bb20-cop-15-0.sprintlink.net (80.77.64.33)  13.942 ms  13.498 ms  13.966 ms
16  sl-bb21-msq-10-0.sprintlink.net (144.232.19.29)  91.125 ms  102.015 ms  93.908 ms
17  sl-bb22-rly-15-3.sprintlink.net (144.232.19.98)  96.692 ms  95.680 ms  96.615 ms
18  sl-bb25-rly-12-0.sprintlink.net (144.232.14.166)  96.692 ms  95.879 ms  95.900 ms
19  sl-bb23-sj-9-0.sprintlink.net (144.232.20.11)  227.115 ms  241.136 ms  220.680 ms
20  sl-bb25-sj-14-0.sprintlink.net (144.232.3.250)  181.269 ms  173.322 ms  164.253 ms
21  sl-gw11-sj-10-0.sprintlink.net (144.232.3.134)  172.763 ms  172.362 ms  172.324 ms
22  sl-ciscopsn2-11-0-0.sprintlink.net (144.228.44.14)  166.180 ms  166.028 ms  170.228 ms
23  sjck-dirty-gw1.cisco.com (128.107.239.5)  164.721 ms  166.063 ms  166.174 ms
24  sjck-sdf-ciod-gw2.cisco.com (128.107.239.110)  172.908 ms  173.340 ms  173.284 ms
25  www.cisco.com (198.133.219.25)  174.149 ms  174.768 ms  *

Now here is where it gets really weird: I have tried reinstalling FW1, since it seems to be the cause of the problem. I have tried STABLE, CURRENT, 5.1-R, all with the same result; it does NOT work.

I have tried swapping FW1 and FW2 and the problem stays the same, so it seems to be a misconfiguration on my part (or a bug, but that's less likely I think), but I cannot figure out what it is.

My rules are very simple.

On FW1: allow anything out on the external fxp interface with keep state so it can get back in.

On FW2 I have a number of BIMAP statements and some NAT statements; the BIMAPs are for the servers where we provide services such as mail, www and ftp.

Any input or ideas would be highly appreciated, this is driving me crazy.

-- 
------------------------------------------------------------------------------------
Matt Douhan
www.fruitsalad.org
CCIE #4004
*** ping elvis ***
*** elvis is alive ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200307122110.37349.mdouhan>