ICMP packets dropped for no obvious reason

Hi friends,

An OpenBSD 6.7 router was rebooted recently and for some reason DHCP and
perhaps other services are no longer working. It is possible that this was a
result of running syspatch, which installed patches 10-12. But those patches
all seem to be unrelated.

The router has interfaces ix0 through ix3. I am seeing the problem on ix1 (
AP ) but not ix0 ( LAN ) or ix3 ( WAN ). There is no traffic on ix2.

I have reduced it down to a simple example of not being able to pass in an
echo response on ix1 with these simplified rules:

ApIf ="ix1"

block return in log on $ApIf

pass in log quick on $ApIf \
        inet proto icmp all \
        label "AP ICMP ALL"

I started tcpdump to watch ICMP traffic on ix1. Then from the machine
running PF, ping an IP and see that responses are hitting the interface:

/root >> tcpdump -i ix1 icmp
tcpdump: listening on ix1, link-type EN10MB
07:28:15.917730 > icmp: echo request
07:28:15.918273 > icmp: echo reply
07:28:15.918350 > icmp: protocol 1 port 11584 unreachable
07:28:16.922060 > icmp: echo request
07:28:16.922443 > icmp: echo reply
07:28:16.922505 > icmp: protocol 1 port 56363 unreachable
07:28:17.912072 > icmp: echo request
07:28:17.912588 > icmp: echo reply
07:28:17.912652 > icmp: protocol 1 port 42489 unreachable

The unreachable message is confirmed by pflog0. I used "pfctl -vs rules"
and observed that the pass in rule is getting evaluated with each reply, but
never matches.

I can also confirm that ix1 really does have the address

        lladdr ac:1f:6b:b1:c5:95
        description: Access point(s)
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet netmask 0xffffff00 broadcast

Does anyone see what might be going wrong?
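The check the poster did by hand ("the pass in rule is getting evaluated with each reply, but never matches") can be automated over the counters that pfctl -vsr prints. The following sh/awk helper is an added example, not part of the poster's message or of OpenBSD; it assumes the standard verbose rule listing format, where each rule line is followed by a bracketed "[ Evaluations: N Packets: N Bytes: N States: N ]" line, and it reports every rule that has been evaluated but has never matched a packet. The sample input is constructed for the example (rule text, counters and pid are made up, not captured from the router in the post).

```shell
#!/bin/sh
# Added example: find PF rules that are evaluated but never match.
# Feed it the output of `pfctl -vsr` (pfctl -vs rules); the counters come
# from the bracketed line that pfctl prints under each rule.

pf_unmatched_rules() {
    awk '
        # A rule line starts in column one (pass/block/match/anchor ...);
        # keep its text so we can print it with the counters below it.
        /^[a-z]/ { rule = $0; next }

        # Counter line: "[ Evaluations: N Packets: N Bytes: N States: N ]"
        # $3 is the Evaluations value, $5 the Packets value.
        /Evaluations:/ {
            ev = $3 + 0
            pk = $5 + 0
            if (ev > 0 && pk == 0)
                print ev " evaluations, 0 packets: " rule
        }
    '
}

# Constructed sample in pfctl -vsr format (assumption: not real router data).
SAMPLE='block return in log on ix1 all
  [ Evaluations: 48        Packets: 36        Bytes: 3024        States: 0     ]
  [ Inserted: uid 0 pid 61327 State Creations: 0     ]
pass in log quick on ix1 inet proto icmp all label "AP ICMP ALL"
  [ Evaluations: 36        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 61327 State Creations: 0     ]
pass out on ix3 all flags S/SA
  [ Evaluations: 120       Packets: 118       Bytes: 91820       States: 4     ]
  [ Inserted: uid 0 pid 61327 State Creations: 4     ]
'

# On the router itself you would run:  pfctl -vsr | pf_unmatched_rules
# Here the constructed sample stands in for the live listing.
printf '%s' "$SAMPLE" | pf_unmatched_rules
```

Run it once, generate the traffic you expect the rule to pass, and run it again: a rule whose Evaluations counter climbs while Packets stays at zero is being reached but is not matching, which is the situation the post describes for the "AP ICMP ALL" rule.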