OpenBSD not forwarding to specific sites

OpenBSD not forwarding to specific sites

John Tate-8
I am having trouble with IP forwarding to specific sites on a very
typical configuration. The router itself can access these sites but
clients cannot. I have looked in obvious places on the clients, but I
cannot find a cause. I reinstalled OpenBSD on the router after getting
SSL errors where SSL servers could not be reached from clients, and I
bought a cheap Netgear router to use, which works fine, ruling out that
my ISP is causing problems.

I really need to find out what is causing these issues with my
Internet; it is something bizarre. On my server I've literally only
changed the following files...

/etc/hostname.fxp0
/etc/hostname.athn0
/etc/hostname.pppoe0
/etc/hostname.xl0
/var/named/etc/named.conf
/etc/rndc.conf
/etc/resolv.conf
/etc/pf.conf
/etc/dhcpd.conf

These are all pretty straightforward, so I don't understand what the
problem is. The existing SSL problem just came out of nowhere with no
changes.

# cat /etc/hostname.athn0
inet 192.168.1.1 255.255.255.0 192.168.1.255
up media autoselect mode 11g mediaopt hostap nwid KintaroAP chan 11 \
wpa wpakey FallInLove2013 wpaprotos wpa2
# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev xl0 authproto pap \
authname '[hidden email]' authkey 'XXXXXXXX' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
# cat /etc/hostname.xl0
up

# cat /var/named/etc/named.conf
// $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
//
// Example file for a simple named configuration, processing both
// recursive and authoritative queries using one cache.


// Update this list to include only the networks for which you want
// to execute recursive queries. The default setting allows all hosts
// on any IPv4 networks for which the system has an interface, and
// the IPv6 localhost address.
//
acl clients {
        localnets;
        ::1;
};

options {
        version "";     // remove this to allow version queries

        listen-on    { 192.168.0.1; 192.168.1.1; 127.0.0.1; };
        listen-on-v6 { any; };

        forwarders   { 8.8.8.8; 8.8.4.4; };

        empty-zones-enable yes;

        allow-recursion { clients; };
};

logging {
        category lame-servers { null; };
};

// Standard zones
//
#zone "." {
#       type hint;
#       file "db.cache";
#};

zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
{
        type master;
        file "standard/loopback6.arpa";
        allow-transfer { localhost; };
};

#zone "kab.loc" {
#       type master;
#       file "master/kab.loc";
#};

#zone "0.168.192.in-addr.arpa" {
#       type master;
#       file "master/db.0.168.192";
#};

#zone "1.168.192.in-addr-arpa" {
#       type master;
#       file "master/db.1.168.192";
#};

// Master zones
//
//zone "myzone.net" {
//      type master;
//      file "master/myzone.net";
//};

// Slave zones
//
//zone "otherzone.net" {
//      type slave;
//      file "slave/otherzone.net";
//      masters { 192.0.2.1; [...;] };
//};

key "rndc-key" {
        algorithm hmac-md5;
        secret "XXXXXXX";
};

controls {
      inet 127.0.0.1 port 953
              allow { 127.0.0.1; } keys { "rndc-key"; };
};

# cat /etc/pf.conf
#Firewall ruleset for KintaroABODE router.

int_if="fxp0"
wifi_if = "athn0"

tcp_services="{ 22, 113 }"
icmp_types="echoreq"

fekete="192.168.0.3"
fekete_tcp="{ 17001, 8333 }"
fekete_udp="{ 8333 }"
mises="192.168.0.4"
mises_tcp="{ 25565 }"

#options

set block-policy drop
set loginterface egress
set skip on lo

anchor "ftp-proxy/*"
pass in on $int_if inet proto tcp to any port ftp \
        divert-to 127.0.0.1 port 8021

table <sshguard> persist

#match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)

#filter rules
block in log
pass out quick

antispoof quick for { lo $int_if $wifi_if }

pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services

block in quick on egress proto tcp from <sshguard> \
        to any port ssh label "ssh bruteforce"

pass in on egress inet proto tcp from any to (egress) port $fekete_tcp \
        rdr-to $fekete
pass in on egress inet proto udp from any to (egress) port $fekete_udp \
        rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $mises_tcp \
        rdr-to $mises

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pass in on $wifi_if

There is nothing related in the messages or daemon log.


# cat /var/log/daemon
Sep 30 22:23:08 menger savecore: no core dump
Sep 30 22:24:12 menger dhclient[31387]: DHCPREQUEST on fxp0 to 255.255.255.255 port 67
Sep 30 22:24:19 menger last message repeated 3 times
Sep 30 22:24:26 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 1
Sep 30 22:24:27 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 2
Sep 30 22:24:29 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 3
Sep 30 22:24:32 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 5
Sep 30 22:24:37 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 7
Sep 30 22:24:44 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 7
Sep 30 22:24:51 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 12
Sep 30 22:25:03 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 19
Sep 30 22:25:22 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 5
Sep 30 22:25:27 menger dhclient[31387]: No acceptable DHCPOFFERS received.
Sep 30 22:25:27 menger dhclient[31387]: Trying recorded lease 192.168.0.8
Sep 30 22:25:27 menger dhclient[31387]: bound: renewal in 43048 seconds.
Sep 30 22:26:12 menger dhclient[31387]: Active address (192.168.0.8) deleted; exiting
Sep 30 22:30:08 menger savecore: no core dump
Sep 30 22:41:19 menger savecore: no core dump
Sep 30 22:41:21 menger dhcpd[23816]: Can't listen on YES - it has no IP address.
Sep 30 22:41:21 menger dhcpd[23816]: No interfaces to listen on.
Sep 30 22:41:21 menger dhcpd[23816]: exiting.
Sep 30 22:51:25 menger savecore: no core dump
Sep 30 22:51:27 menger dhcpd[25002]: Can't listen on YES - it has no IP address.
Sep 30 22:51:27 menger dhcpd[25002]: No interfaces to listen on.
Sep 30 22:51:27 menger dhcpd[25002]: exiting.
Sep 30 22:54:16 menger named[24322]: starting BIND 9.4.2-P2
Sep 30 22:54:18 menger named[24322]: loading configuration from '/etc/named.conf'
Sep 30 22:54:18 menger named[24322]: listening on IPv6 interfaces, port 53
Sep 30 22:54:18 menger named[24322]: listening on IPv4 interface lo0, 127.0.0.1#53
Sep 30 22:54:18 menger named[24322]: listening on IPv4 interface athn0, 192.168.1.1#53
Sep 30 22:54:18 menger named[24322]: listening on IPv4 interface fxp0, 192.168.0.1#53
Sep 30 22:54:18 menger named[24322]: automatic empty zone: 254.169.IN-ADDR.ARPA
Sep 30 22:54:18 menger named[24322]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Sep 30 22:54:18 menger named[24322]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Sep 30 22:54:18 menger named[24322]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 30 22:54:18 menger named[24322]: automatic empty zone: D.F.IP6.ARPA
Sep 30 22:54:18 menger named[24322]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 30 22:54:18 menger named[24322]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 30 22:54:18 menger named[24322]: automatic empty zone: A.E.F.IP6.ARPA
Sep 30 22:54:18 menger named[24322]: automatic empty zone: B.E.F.IP6.ARPA
Sep 30 22:54:18 menger named[24322]: command channel listening on 127.0.0.1#953
Sep 30 22:54:18 menger named[24322]: using pre-chroot entropy source /dev/arandom
Sep 30 22:54:18 menger named[24322]: zone 127.in-addr.arpa/IN: loaded serial 1
Sep 30 22:54:18 menger named[24322]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1
Sep 30 22:54:18 menger named[24322]: zone localhost/IN: loaded serial 1
Sep 30 22:54:18 menger named[24322]: running
Sep 30 22:54:19 menger savecore: no core dump
Sep 30 22:54:21 menger dhcpd[2793]: Can't listen on xl0 - it has no IP address.
Sep 30 22:57:03 menger named[21967]: starting BIND 9.4.2-P2
Sep 30 22:57:04 menger named[21967]: loading configuration from '/etc/named.conf'
Sep 30 22:57:04 menger named[21967]: listening on IPv6 interfaces, port 53
Sep 30 22:57:04 menger named[21967]: listening on IPv4 interface lo0, 127.0.0.1#53
Sep 30 22:57:04 menger named[21967]: listening on IPv4 interface athn0, 192.168.1.1#53
Sep 30 22:57:04 menger named[21967]: listening on IPv4 interface fxp0, 192.168.0.1#53
Sep 30 22:57:04 menger named[21967]: automatic empty zone: 254.169.IN-ADDR.ARPA
Sep 30 22:57:04 menger named[21967]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Sep 30 22:57:04 menger named[21967]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Sep 30 22:57:04 menger named[21967]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 30 22:57:04 menger named[21967]: automatic empty zone: D.F.IP6.ARPA
Sep 30 22:57:04 menger named[21967]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 30 22:57:04 menger named[21967]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 30 22:57:04 menger named[21967]: automatic empty zone: A.E.F.IP6.ARPA
Sep 30 22:57:04 menger named[21967]: automatic empty zone: B.E.F.IP6.ARPA
Sep 30 22:57:04 menger named[21967]: command channel listening on 127.0.0.1#953
Sep 30 22:57:04 menger named[21967]: using pre-chroot entropy source /dev/arandom
Sep 30 22:57:05 menger named[21967]: zone 127.in-addr.arpa/IN: loaded serial 1
Sep 30 22:57:05 menger named[21967]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1
Sep 30 22:57:05 menger named[21967]: zone localhost/IN: loaded serial 1
Sep 30 22:57:05 menger named[21967]: running
Sep 30 22:57:05 menger savecore: no core dump
Sep 30 22:57:16 menger dhcpd[25068]: DHCPREQUEST for 192.168.0.2 from 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPNAK on 192.168.0.2 to 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPDISCOVER from 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPOFFER on 192.168.0.4 to 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPREQUEST for 192.168.0.4 from 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPACK on 192.168.0.4 to 50:e5:49:ca:27:08 via fxp0
Sep 30 23:02:50 menger named[28834]: starting BIND 9.4.2-P2
Sep 30 23:02:51 menger named[28834]: loading configuration from '/etc/named.conf'
Sep 30 23:02:51 menger named[28834]: listening on IPv6 interfaces, port 53
Sep 30 23:02:51 menger named[28834]: listening on IPv4 interface lo0, 127.0.0.1#53
Sep 30 23:02:51 menger named[28834]: listening on IPv4 interface athn0, 192.168.1.1#53
Sep 30 23:02:51 menger named[28834]: listening on IPv4 interface fxp0, 192.168.0.1#53
Sep 30 23:02:51 menger named[28834]: automatic empty zone: 254.169.IN-ADDR.ARPA
Sep 30 23:02:51 menger named[28834]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Sep 30 23:02:51 menger named[28834]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Sep 30 23:02:51 menger named[28834]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 30 23:02:51 menger named[28834]: automatic empty zone: D.F.IP6.ARPA
Sep 30 23:02:51 menger named[28834]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 30 23:02:51 menger named[28834]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 30 23:02:51 menger named[28834]: automatic empty zone: A.E.F.IP6.ARPA
Sep 30 23:02:51 menger named[28834]: automatic empty zone: B.E.F.IP6.ARPA
Sep 30 23:02:51 menger named[28834]: command channel listening on 127.0.0.1#953
Sep 30 23:02:51 menger named[28834]: using pre-chroot entropy source /dev/arandom
Sep 30 23:02:51 menger named[28834]: zone 127.in-addr.arpa/IN: loaded serial 1
Sep 30 23:02:51 menger named[28834]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1
Sep 30 23:02:51 menger named[28834]: zone localhost/IN: loaded serial 1
Sep 30 23:02:51 menger named[28834]: running
Sep 30 23:02:51 menger savecore: no core dump
# cat /var/log/messages
Sep 30 23:00:01 menger newsyslog[10272]: logfile turned over
Sep 30 23:00:01 menger syslogd: restart
Sep 30 23:01:39 menger reboot: rebooted by john
Sep 30 23:01:40 menger syslogd: exiting on signal 15
Sep 30 23:02:48 menger syslogd: start
Sep 30 23:02:48 menger /bsd: OpenBSD 5.3 (GENERIC) #50: Tue Mar 12 18:35:23 MDT 2013
Sep 30 23:02:48 menger /bsd: [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC
Sep 30 23:02:48 menger /bsd: cpu0: Intel Pentium III ("GenuineIntel" 686-class) 1 GHz
Sep 30 23:02:48 menger /bsd: cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,PSN,MMX,FXSR,SSE
Sep 30 23:02:48 menger /bsd: real mem  = 534278144 (509MB)
Sep 30 23:02:48 menger /bsd: avail mem = 514555904 (490MB)
Sep 30 23:02:48 menger /bsd: mainbus0 at root
Sep 30 23:02:48 menger /bsd: bios0 at mainbus0: AT/286+ BIOS, date 06/26/01, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf0450 (67 entries)
Sep 30 23:02:48 menger /bsd: bios0: vendor Dell Computer Corporation version "A06" date 06/26/2001
Sep 30 23:02:48 menger /bsd: bios0: Dell Computer Corporation OptiPlex GX150
Sep 30 23:02:48 menger /bsd: apm0 at bios0: Power Management spec V1.2
Sep 30 23:02:48 menger /bsd: acpi at bios0 function 0x0 not configured
Sep 30 23:02:48 menger /bsd: pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
Sep 30 23:02:48 menger /bsd: pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbb40/208 (11 entries)
Sep 30 23:02:48 menger /bsd: pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801BA LPC" rev 0x00)
Sep 30 23:02:48 menger /bsd: pcibios0: PCI bus #1 is the last bus
Sep 30 23:02:48 menger /bsd: bios0: ROM list: 0xc0000/0xa000 0xca000/0x2000
Sep 30 23:02:48 menger /bsd: cpu0 at mainbus0: (uniprocessor)
Sep 30 23:02:48 menger /bsd: pci0 at mainbus0 bus 0: configuration mode 1 (bios)
Sep 30 23:02:48 menger /bsd: pchb0 at pci0 dev 0 function 0 "Intel 82815 Host" rev 0x04
Sep 30 23:02:48 menger /bsd: vga1 at pci0 dev 2 function 0 "Intel 82815 Video" rev 0x04
Sep 30 23:02:48 menger /bsd: wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Sep 30 23:02:48 menger /bsd: wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Sep 30 23:02:48 menger /bsd: intagp0 at vga1
Sep 30 23:02:49 menger /bsd: agp0 at intagp0: aperture at 0xf4000000, size 0x4000000
Sep 30 23:02:49 menger /bsd: ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x11
Sep 30 23:02:49 menger /bsd: pci1 at ppb0 bus 1
Sep 30 23:02:49 menger /bsd: 1:9:0: mem address conflict 0xf8000000/0x1000
Sep 30 23:02:49 menger /bsd: athn0 at pci1 dev 8 function 0 "Atheros AR9227" rev 0x01: irq 10
Sep 30 23:02:49 menger /bsd: athn0: AR9287 rev 2 (1T1R), ROM rev 4, address f8:1a:67:d6:28:40
Sep 30 23:02:49 menger /bsd: fxp0 at pci1 dev 9 function 0 "Intel 8255x" rev 0x02, i82557: irq 11, address 00:a0:c9:84:98:5f
Sep 30 23:02:49 menger /bsd: inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
Sep 30 23:02:49 menger /bsd: xl0 at pci1 dev 12 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 11, address 00:06:5b:20:f0:b3
Sep 30 23:02:49 menger /bsd: exphy0 at xl0 phy 24: 3Com internal media interface
Sep 30 23:02:49 menger /bsd: ichpcib0 at pci0 dev 31 function 0 "Intel 82801BA LPC" rev 0x11: 24-bit timer at 3579545Hz
Sep 30 23:02:49 menger /bsd: pciide0 at pci0 dev 31 function 1 "Intel 82801BA IDE" rev 0x11: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
Sep 30 23:02:49 menger /bsd: wd0 at pciide0 channel 0 drive 0: <ST313021A>
Sep 30 23:02:49 menger /bsd: wd0: 32-sector PIO, LBA, 12419MB, 25434228 sectors
Sep 30 23:02:49 menger /bsd: wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
Sep 30 23:02:49 menger /bsd: atapiscsi0 at pciide0 channel 1 drive 0
Sep 30 23:02:49 menger /bsd: scsibus0 at atapiscsi0: 2 targets
Sep 30 23:02:49 menger /bsd: cd0 at scsibus0 targ 0 lun 0: <LG, CD-ROM CRD-8522B, 1.02> ATAPI 5/cdrom removable
Sep 30 23:02:49 menger /bsd: cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
Sep 30 23:02:49 menger /bsd: uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x11: irq 11
Sep 30 23:02:49 menger /bsd: ichiic0 at pci0 dev 31 function 3 "Intel 82801BA SMBus" rev 0x11: SMBus disabled
Sep 30 23:02:50 menger /bsd: uhci1 at pci0 dev 31 function 4 "Intel 82801BA USB" rev 0x11: irq 11
Sep 30 23:02:50 menger /bsd: auich0 at pci0 dev 31 function 5 "Intel 82801BA AC97" rev 0x11: irq 10, ICH2 AC97
Sep 30 23:02:50 menger /bsd: ac97: codec id 0x41445360 (Analog Devices AD1885)
Sep 30 23:02:50 menger /bsd: ac97: codec features headphone, Analog Devices Phat Stereo
Sep 30 23:02:50 menger /bsd: audio0 at auich0
Sep 30 23:02:50 menger /bsd: isa0 at ichpcib0
Sep 30 23:02:50 menger /bsd: isadma0 at isa0
Sep 30 23:02:50 menger /bsd: com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
Sep 30 23:02:50 menger /bsd: com0: console
Sep 30 23:02:50 menger /bsd: com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
Sep 30 23:02:50 menger /bsd: pckbc0 at isa0 port 0x60/5
Sep 30 23:02:50 menger /bsd: pckbd0 at pckbc0 (kbd slot)
Sep 30 23:02:50 menger /bsd: pckbc0: using irq 1 for kbd slot
Sep 30 23:02:50 menger /bsd: wskbd0 at pckbd0: console keyboard, using wsdisplay0
Sep 30 23:02:50 menger /bsd: pcppi0 at isa0 port 0x61
Sep 30 23:02:50 menger /bsd: spkr0 at pcppi0
Sep 30 23:02:50 menger /bsd: lpt0 at isa0 port 0x378/4 irq 7
Sep 30 23:02:50 menger /bsd: npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
Sep 30 23:02:50 menger /bsd: fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
Sep 30 23:02:50 menger /bsd: fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
Sep 30 23:02:50 menger /bsd: usb0 at uhci0: USB revision 1.0
Sep 30 23:02:50 menger /bsd: uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
Sep 30 23:02:50 menger /bsd: usb1 at uhci1: USB revision 1.0
Sep 30 23:02:50 menger /bsd: uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
Sep 30 23:02:50 menger /bsd: mtrr: Pentium Pro MTRR support
Sep 30 23:02:50 menger /bsd: vscsi0 at root
Sep 30 23:02:50 menger /bsd: scsibus1 at vscsi0: 256 targets
Sep 30 23:02:51 menger /bsd: softraid0 at root
Sep 30 23:02:51 menger /bsd: scsibus2 at softraid0: 256 targets
Sep 30 23:02:51 menger /bsd: root on wd0a (31fe7fcca56ecb48.a) swap on wd0b dump on wd0b
Sep 30 23:02:50 menger named[28834]: starting BIND 9.4.2-P2
Sep 30 23:02:51 menger named[28834]: command channel listening on 127.0.0.1#953
Sep 30 23:02:51 menger named[28834]: running
Sep 30 23:02:51 menger savecore: no core dump

I can ping www.google.com.au and load the page in lynx from the router
but not from other machines, whereas I can use Gmail fine, like I am at
the moment. This is a very, very strange bug I am experiencing.

--
www.johntate.org

Re: OpenBSD not forwarding to specific sites

Darren Tucker
On Mon, Sep 30, 2013 at 11:18:55PM +1000, John Tate wrote:

> I am having trouble with IP forwarding to specific sites on a very
> typical configuration. The router itself can access these sites but
> clients cannot. I have looked in obvious places on the clients, but I
> cannot find a cause. I reinstalled OpenBSD on the router after getting
> SSL errors where SSL servers could not be reached from clients, and I
> bought a cheap Netgear router to use, which works fine, ruling out that
> my ISP is causing problems.
>
> I really need to find out what is causing these issues with my
> Internet; it is something bizarre. On my server I've literally only
> changed the following files...
>
> /etc/hostname.fxp0
> /etc/hostname.athn0
> /etc/hostname.pppoe0
> /etc/hostname.xl0
> /var/named/etc/named.conf
> /etc/rndc.conf
> /etc/resolv.conf
> /etc/pf.conf
> /etc/dhcpd.conf

Is IP forwarding (net.inet.ip.forwarding=1) on?  It's in sysctl.conf
(not in that list) and it's off by default.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
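As an added example (not code from the thread or from any of its posters), here is a Python audit of the prerequisites Darren's reply points at: that net.inet.ip.forwarding=1 is actually set and uncommented in sysctl.conf, and that the pf ruleset still carries the egress nat-to match rule and a "pass in" rule for each internal interface listed in antispoof. The sample sysctl.conf and pf.conf strings are constructed from the thread's excerpts, and all function and constant names are this example's own.

```python
"""Added example (not code from the thread): audit an OpenBSD router's
forwarding prerequisites from its /etc/sysctl.conf and /etc/pf.conf text.
The sample configs are constructed from the excerpts posted in the thread;
function and macro names are this example's own."""
import re

# Constructed sysctl.conf samples: the first has the forwarding line
# commented out (the default state Darren points at), the second enables it.
SYSCTL_CONF_OFF = """
#net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=0
"""
SYSCTL_CONF_ON = "net.inet.ip.forwarding=1   # route between interfaces\n"

# Constructed pf.conf excerpt in the shape of the poster's ruleset.
PF_CONF = r"""
int_if="fxp0"
wifi_if = "athn0"
set skip on lo
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block in log
pass out quick
antispoof quick for { lo $int_if $wifi_if }
pass in on egress inet proto tcp from any to (egress) \
        port { 22, 113 }
pass in on $int_if
pass in on $wifi_if
"""


def logical_lines(text):
    """Strip '#' comments, join backslash-continued lines, squeeze whitespace."""
    lines, buf = [], ""
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].rstrip()
        if code.endswith("\\"):
            buf += code[:-1] + " "
            continue
        buf += code
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        lines.append(" ".join(buf.split()))
    return lines


def forwarding_enabled(sysctl_conf):
    """True only if an uncommented net.inet.ip.forwarding=1 line is present."""
    for line in logical_lines(sysctl_conf):
        key, _, value = line.partition("=")
        if key.strip() == "net.inet.ip.forwarding":
            return value.strip() == "1"
    return False


MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')


def expand_rules(pf_conf):
    """Return pf rules with $macro references expanded; definitions are dropped."""
    macros, rules = {}, []
    for line in logical_lines(pf_conf):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        rules.append(re.sub(r"\$(\w+)",
                            lambda x: macros.get(x.group(1), x.group(0)), line))
    return rules


def interface_set(spec):
    """Parse 'fxp0' or '{ lo fxp0 athn0 }' into a set of interface names."""
    return {t for t in re.split(r"[\s,{}]+", spec)
            if t and t not in ("inet", "inet6")}


def audit(sysctl_conf, pf_conf):
    """Return a list of findings; an empty list means the prerequisites look met."""
    findings = []
    if not forwarding_enabled(sysctl_conf):
        findings.append("net.inet.ip.forwarding=1 is not set in sysctl.conf: "
                        "the kernel will not route packets between interfaces")
    rules = expand_rules(pf_conf)
    if not any("nat-to" in r and " out on egress" in r for r in rules):
        findings.append("no 'match out on egress ... nat-to' rule: client "
                        "traffic would leave with private source addresses")
    skipped = set()
    for r in rules:
        if r.startswith("set skip on "):
            skipped |= interface_set(r.split(" on ", 1)[1])
    for r in rules:
        if not r.startswith("antispoof") or " for " not in r:
            continue
        for ifname in sorted(interface_set(r.split(" for ", 1)[1]) - skipped):
            if not any(re.match(rf"pass in (quick )?on {re.escape(ifname)}\b", x)
                       for x in rules):
                findings.append(f"no 'pass in on {ifname}' rule: with 'block in' "
                                "as the default, client packets on it are dropped")
    return findings


if __name__ == "__main__":
    for name, conf in (("forwarding off", SYSCTL_CONF_OFF),
                       ("forwarding on", SYSCTL_CONF_ON)):
        print(name, "->", audit(conf, PF_CONF) or "ok")
```

Run it against the real files with `audit(open("/etc/sysctl.conf").read(), open("/etc/pf.conf").read())`; an empty list means the checks passed, not that the box routes, since a running kernel's `sysctl net.inet.ip.forwarding` can still differ from the file until reboot or `sysctl -w`.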

Re: OpenBSD not forwarding to specific sites

Vijay Sankar
Quoting John Tate <[hidden email]>:

> I am having trouble with IP forwarding to specific sites on a very
> typical configuration. The router itself can access these sites but
> clients cannot. I have looked in obvious places on the clients, but I
> cannot find a cause. I reinstalled OpenBSD on the router after getting
> SSL errors where SSL servers could not be reached from clients, and I
> bought a cheap Netgear router to use, which works fine, ruling out that
> my ISP is causing problems.
> Sep 30 23:00:01 menger syslogd: restart
> Sep 30 23:01:39 menger reboot: rebooted by john
> Sep 30 23:01:40 menger syslogd: exiting on signal 15
> Sep 30 23:02:48 menger syslogd: start
> Sep 30 23:02:48 menger /bsd: OpenBSD 5.3 (GENERIC) #50: Tue Mar 12
> 18:35:23 MDT 2013
> Sep 30 23:02:48 menger /bsd:
> [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC
> Sep 30 23:02:48 menger /bsd: cpu0: Intel Pentium III ("GenuineIntel"
> 686-class) 1 GHz
> Sep 30 23:02:48 menger /bsd: cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,PSN,MMX,FXSR,SSE
> Sep 30 23:02:48 menger /bsd: real mem  = 534278144 (509MB)
> Sep 30 23:02:48 menger /bsd: avail mem = 514555904 (490MB)
> Sep 30 23:02:48 menger /bsd: mainbus0 at root
> Sep 30 23:02:48 menger /bsd: bios0 at mainbus0: AT/286+ BIOS, date
> 06/26/01, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf0450 (67
> entries)
> Sep 30 23:02:48 menger /bsd: bios0: vendor Dell Computer Corporation
> version "A06" date 06/26/2001
> Sep 30 23:02:48 menger /bsd: bios0: Dell Computer Corporation OptiPlex GX150
> Sep 30 23:02:48 menger /bsd: apm0 at bios0: Power Management spec V1.2
> Sep 30 23:02:48 menger /bsd: acpi at bios0 function 0x0 not configured
> Sep 30 23:02:48 menger /bsd: pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
> Sep 30 23:02:48 menger /bsd: pcibios0: PCI IRQ Routing Table rev 1.0 @
> 0xfbb40/208 (11 entries)
> Sep 30 23:02:48 menger /bsd: pcibios0: PCI Interrupt Router at
> 000:31:0 ("Intel 82801BA LPC" rev 0x00)
> Sep 30 23:02:48 menger /bsd: pcibios0: PCI bus #1 is the last bus
> Sep 30 23:02:48 menger /bsd: bios0: ROM list: 0xc0000/0xa000 0xca000/0x2000
> Sep 30 23:02:48 menger /bsd: cpu0 at mainbus0: (uniprocessor)
> Sep 30 23:02:48 menger /bsd: pci0 at mainbus0 bus 0: configuration  
> mode 1 (bios)
> Sep 30 23:02:48 menger /bsd: pchb0 at pci0 dev 0 function 0 "Intel
> 82815 Host" rev 0x04
> Sep 30 23:02:48 menger /bsd: vga1 at pci0 dev 2 function 0 "Intel
> 82815 Video" rev 0x04
> Sep 30 23:02:48 menger /bsd: wsdisplay0 at vga1 mux 1: console (80x25,
> vt100 emulation)
> Sep 30 23:02:48 menger /bsd: wsdisplay0: screen 1-5 added (80x25,
> vt100 emulation)
> Sep 30 23:02:48 menger /bsd: intagp0 at vga1
> Sep 30 23:02:49 menger /bsd: agp0 at intagp0: aperture at 0xf4000000,
> size 0x4000000
> Sep 30 23:02:49 menger /bsd: ppb0 at pci0 dev 30 function 0 "Intel
> 82801BA Hub-to-PCI" rev 0x11
> Sep 30 23:02:49 menger /bsd: pci1 at ppb0 bus 1
> Sep 30 23:02:49 menger /bsd: 1:9:0: mem address conflict 0xf8000000/0x1000
> Sep 30 23:02:49 menger /bsd: athn0 at pci1 dev 8 function 0 "Atheros
> AR9227" rev 0x01: irq 10
> Sep 30 23:02:49 menger /bsd: athn0: AR9287 rev 2 (1T1R), ROM rev 4,
> address f8:1a:67:d6:28:40
> Sep 30 23:02:49 menger /bsd: fxp0 at pci1 dev 9 function 0 "Intel
> 8255x" rev 0x02, i82557: irq 11, address 00:a0:c9:84:98:5f
> Sep 30 23:02:49 menger /bsd: inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
> Sep 30 23:02:49 menger /bsd: xl0 at pci1 dev 12 function 0 "3Com
> 3c905C 100Base-TX" rev 0x78: irq 11, address 00:06:5b:20:f0:b3
> Sep 30 23:02:49 menger /bsd: exphy0 at xl0 phy 24: 3Com internal  
> media interface
> Sep 30 23:02:49 menger /bsd: ichpcib0 at pci0 dev 31 function 0 "Intel
> 82801BA LPC" rev 0x11: 24-bit timer at 3579545Hz
> Sep 30 23:02:49 menger /bsd: pciide0 at pci0 dev 31 function 1 "Intel
> 82801BA IDE" rev 0x11: DMA, channel 0 wired to compatibility, channel
> 1 wired to compatibility
> Sep 30 23:02:49 menger /bsd: wd0 at pciide0 channel 0 drive 0: <ST313021A>
> Sep 30 23:02:49 menger /bsd: wd0: 32-sector PIO, LBA, 12419MB,  
> 25434228 sectors
> Sep 30 23:02:49 menger /bsd: wd0(pciide0:0:0): using PIO mode 4,
> Ultra-DMA mode 4
> Sep 30 23:02:49 menger /bsd: atapiscsi0 at pciide0 channel 1 drive 0
> Sep 30 23:02:49 menger /bsd: scsibus0 at atapiscsi0: 2 targets
> Sep 30 23:02:49 menger /bsd: cd0 at scsibus0 targ 0 lun 0: <LG, CD-ROM
> CRD-8522B, 1.02> ATAPI 5/cdrom removable
> Sep 30 23:02:49 menger /bsd: cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
> Sep 30 23:02:49 menger /bsd: uhci0 at pci0 dev 31 function 2 "Intel
> 82801BA USB" rev 0x11: irq 11
> Sep 30 23:02:49 menger /bsd: ichiic0 at pci0 dev 31 function 3 "Intel
> 82801BA SMBus" rev 0x11: SMBus disabled
> Sep 30 23:02:50 menger /bsd: uhci1 at pci0 dev 31 function 4 "Intel
> 82801BA USB" rev 0x11: irq 11
> Sep 30 23:02:50 menger /bsd: auich0 at pci0 dev 31 function 5 "Intel
> 82801BA AC97" rev 0x11: irq 10, ICH2 AC97
> Sep 30 23:02:50 menger /bsd: ac97: codec id 0x41445360 (Analog  
> Devices AD1885)
> Sep 30 23:02:50 menger /bsd: ac97: codec features headphone, Analog
> Devices Phat Stereo
> Sep 30 23:02:50 menger /bsd: audio0 at auich0
> Sep 30 23:02:50 menger /bsd: isa0 at ichpcib0
> Sep 30 23:02:50 menger /bsd: isadma0 at isa0
> Sep 30 23:02:50 menger /bsd: com0 at isa0 port 0x3f8/8 irq 4:
> ns16550a, 16 byte fifo
> Sep 30 23:02:50 menger /bsd: com0: console
> Sep 30 23:02:50 menger /bsd: com1 at isa0 port 0x2f8/8 irq 3:
> ns16550a, 16 byte fifo
> Sep 30 23:02:50 menger /bsd: pckbc0 at isa0 port 0x60/5
> Sep 30 23:02:50 menger /bsd: pckbd0 at pckbc0 (kbd slot)
> Sep 30 23:02:50 menger /bsd: pckbc0: using irq 1 for kbd slot
> Sep 30 23:02:50 menger /bsd: wskbd0 at pckbd0: console keyboard, using
> wsdisplay0
> Sep 30 23:02:50 menger /bsd: pcppi0 at isa0 port 0x61
> Sep 30 23:02:50 menger /bsd: spkr0 at pcppi0
> Sep 30 23:02:50 menger /bsd: lpt0 at isa0 port 0x378/4 irq 7
> Sep 30 23:02:50 menger /bsd: npx0 at isa0 port 0xf0/16: reported by
> CPUID; using exception 16
> Sep 30 23:02:50 menger /bsd: fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> Sep 30 23:02:50 menger /bsd: fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2  
> head, 18 sec
> Sep 30 23:02:50 menger /bsd: usb0 at uhci0: USB revision 1.0
> Sep 30 23:02:50 menger /bsd: uhub0 at usb0 "Intel UHCI root hub" rev
> 1.00/1.00 addr 1
> Sep 30 23:02:50 menger /bsd: usb1 at uhci1: USB revision 1.0
> Sep 30 23:02:50 menger /bsd: uhub1 at usb1 "Intel UHCI root hub" rev
> 1.00/1.00 addr 1
> Sep 30 23:02:50 menger /bsd: mtrr: Pentium Pro MTRR support
> Sep 30 23:02:50 menger /bsd: vscsi0 at root
> Sep 30 23:02:50 menger /bsd: scsibus1 at vscsi0: 256 targets
> Sep 30 23:02:51 menger /bsd: softraid0 at root
> Sep 30 23:02:51 menger /bsd: scsibus2 at softraid0: 256 targets
> Sep 30 23:02:51 menger /bsd: root on wd0a (31fe7fcca56ecb48.a) swap on
> wd0b dump on wd0b
> Sep 30 23:02:50 menger named[28834]: starting BIND 9.4.2-P2
> Sep 30 23:02:51 menger named[28834]: command channel listening on  
> 127.0.0.1#953
> Sep 30 23:02:51 menger named[28834]: running
> Sep 30 23:02:51 menger savecore: no core dump
>
> I can ping www.google.com.au and load the page in lynx from the router
> but not from other machines. Whereas I can use gmail like I am at the
> moment fine. This is a very, very strange bug I am experiencing.
>
> --
> www.johntate.org
>
>

I would like to suggest the following -- make sure that forwarding is  
enabled and there is an IP address on fxp0 -- your internal interface.

Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
[hidden email]

---------------------------------------------
This message was sent using ForeTell-POST 4.9


Re: OpenBSD not forwarding to specific sites

Denis Fondras
Hi,

On 30/09/2013 15:41, Vijay Sankar wrote:
> Quoting John Tate <[hidden email]>:
>> I can ping www.google.com.au and load the page in lynx from the router
>> but not from other machines. Whereas I can use gmail like I am at the
>> moment fine. This is a very, very strange bug I am experiencing.
>>


I would have thought of an MTU problem at first, but being able to use
Gmail might prove me wrong.

Denis


Re: OpenBSD not forwarding to specific sites

James Shupe-4
In reply to this post by John Tate-8
On 2013-09-30 08:18, John Tate wrote:
> I am having trouble with IP forwarding to specific sites on a very
> typical configuration. The router itself can access these sites but
> clients can not. I have looked in obvious places on the clients, but I
> cannot find a cause. I reinstalled OpenBSD on the router after getting
> SSL errors where SSL servers could not be reached from clients, and I
> bought a cheap Netgear router to use which works fine ruling out that
> my ISP is causing problems.
>

Have you tried setting your max-mss to something like 1440 or 1400?

Usually that's necessary with DSL... or else you end up with very
selective browsing.
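
An added example, not code from the thread or from OpenBSD, that models the behaviour James describes. A LAN host advertises an Ethernet-sized MSS (1460), the PPPoE link only carries 1492-byte packets, and when the ICMP "fragmentation needed" feedback is lost the full-size segments of a large reply vanish while small replies still fit; `clamp_mss` stands in for what a pf `scrub (max-mss N)` rule does to the SYN. Header sizes are the standard ones; the transfer sizes in `main` are constructed.

```python
"""Model of why an unclamped MSS on a PPPoE link gives 'selective browsing'.

Added example; not code from the thread or from OpenBSD. Header sizes are
the standard ones, the transfer sizes used below are constructed.
"""
from dataclasses import dataclass

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8              # 6-byte PPPoE header + 2-byte PPP protocol field
IP_HEADER = 20
TCP_HEADER = 20
ETHERNET_MSS = ETHERNET_MTU - IP_HEADER - TCP_HEADER   # 1460: what LAN hosts advertise


def link_mtu(overhead: int = PPPOE_OVERHEAD) -> int:
    """Largest IP packet that fits one frame on the encapsulated link (1492 for PPPoE)."""
    return ETHERNET_MTU - overhead


def max_mss_for(mtu: int) -> int:
    """Largest TCP payload whose packet still fits `mtu` (1452 for PPPoE, no TCP options)."""
    return mtu - IP_HEADER - TCP_HEADER


def clamp_mss(advertised_mss: int, max_mss: int) -> int:
    """What `scrub (max-mss N)` does to the MSS option of a SYN passing through pf."""
    return min(advertised_mss, max_mss)


@dataclass
class Outcome:
    delivered: int        # payload bytes that reached the LAN client
    blackholed: int       # oversized DF segments lost without any feedback
    completed: bool


def simulate_response(total_bytes: int, peer_mss: int, path_mtu: int,
                      icmp_filtered: bool, df: bool = True) -> Outcome:
    """Model a remote server sending `total_bytes` to a LAN client behind the router.

    The server fills each segment up to the MSS the client advertised (after any
    clamping by pf).  A segment larger than the path MTU is fragmented if DF is
    clear.  With DF set the router should answer with ICMP 'fragmentation needed'
    so the server can shrink its segments; if that ICMP never arrives (filtered
    somewhere on the path) the segment is lost again on every retransmission and
    the connection stalls: the classic PMTUD black hole.
    """
    delivered = 0
    blackholed = 0
    remaining = total_bytes
    mss = peer_mss
    while remaining > 0:
        payload = min(mss, remaining)
        packet = payload + IP_HEADER + TCP_HEADER
        if packet <= path_mtu or not df:
            delivered += payload
            remaining -= payload
        elif not icmp_filtered:
            # PMTUD works: the server learns the path MTU and sends smaller segments.
            # The new MSS is always smaller than the old one here, so this terminates.
            mss = max_mss_for(path_mtu)
        else:
            blackholed += 1   # silently dropped; retransmissions fail the same way
            break
    return Outcome(delivered, blackholed, remaining == 0)


if __name__ == "__main__":
    mtu = link_mtu()
    print(f"PPPoE link MTU {mtu}, exact max-mss {max_mss_for(mtu)}")
    cases = [
        ("small reply, unclamped MSS, ICMP filtered", 400, ETHERNET_MSS, True),
        ("60 kB page, unclamped MSS, ICMP filtered", 60_000, ETHERNET_MSS, True),
        ("60 kB page, unclamped MSS, ICMP reaches server", 60_000, ETHERNET_MSS, False),
        ("60 kB page, pf max-mss 1440, ICMP filtered", 60_000, clamp_mss(ETHERNET_MSS, 1440), True),
    ]
    for label, size, mss, filtered in cases:
        o = simulate_response(size, mss, mtu, filtered)
        state = "completes" if o.completed else f"stalls after {o.delivered} bytes"
        print(f"{label:50s} mss={mss:4d}  {state}")
```

Pings and small pages fit under the link MTU whatever the MSS, which is why the symptom looks site-specific rather than like a dead link; 1452 is the exact value for a plain PPPoE link, and the lower values quoted in the thread leave headroom for further encapsulation on the path.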


Re: OpenBSD not forwarding to specific sites

John Tate-8
It would help if you told me how to do this...

# ifconfig pppoe max-mms 1400
ifconfig: max-mms: bad value
# ifconfig pppoe0 max-mms 1440
ifconfig: max-mms: bad value

On Mon, Sep 30, 2013 at 11:53 PM, James Shupe <[hidden email]> wrote:

> On 2013-09-30 08:18, John Tate wrote:
>>
>> I am having trouble with IP forwarding to specific sites on a very
>> typical configuration. The router itself can access these sites but
>> clients can not. I have looked in obvious places on the clients, but I
>> cannot find a cause. I reinstalled OpenBSD on the router after getting
>> SSL errors where SSL servers could not be reached from clients, and I
>> bought a cheap Netgear router to use which works fine ruling out that
>> my ISP is causing problems.
>>
>
> Have you tried setting your max-mss to something like 1440 or 1400?
>
> Usually that's necessary with DSL... or else you end up with very selective
> browsing.
>



--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

John Tate-8
In reply to this post by James Shupe-4
Found it:
While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
default and takes care of this, pppoe users have to rely on other
methods.  Using a packet filter, the maximum segment size (MSS) can be
set (clamped) to the required value.  The following rule in pf.conf(5)
would set the MSS to 1440:

match on pppoe0 scrub (max-mss 1440)

On Mon, Sep 30, 2013 at 11:53 PM, James Shupe <[hidden email]> wrote:

> Have you tried setting your max-mss to something like 1440 or 1400?
>
> Usually that's necessary with DSL... or else you end up with very selective
> browsing.
>



--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

John Tate-8
This part of the manual is out of date and the syntax does not work
with pf in OpenBSD 5.3:

While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
default and takes care of this, pppoe users have to rely on other
methods.  Using a packet filter, the maximum segment size (MSS) can be
set (clamped) to the required value.  The following rule in pf.conf(5)
would set the MSS to 1440:

match on pppoe0 scrub (max-mss 1440)

The documentation on pf.conf suggests doing much the same in its
example and it doesn't work.

On Tue, Oct 1, 2013 at 2:07 AM, John Tate <[hidden email]> wrote:

> Found it:
> While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
> default and takes care of this, pppoe users have to rely on other
> methods.  Using a packet filter, the maximum segment size (MSS) can be
> set (clamped) to the required value.  The following rule in pf.conf(5)
> would set the MSS to 1440:
>
> match on pppoe0 scrub (max-mss 1440)
>



--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

James Shupe-4
On 2013-09-30 11:12, John Tate wrote:

> This part of the manual is out of date and the syntax does not work
> with pf in OpenBSD 5.3:
>
> While pppoe(8) has an internal option, ``mssfixup'', which is enabled
> by
> default and takes care of this, pppoe users have to rely on other
> methods.  Using a packet filter, the maximum segment size (MSS) can be
> set (clamped) to the required value.  The following rule in pf.conf(5)
> would set the MSS to 1440:
>
> match on pppoe0 scrub (max-mss 1440)
>

It works fine for me on several boxes with 5.3.

$ uname -smr
OpenBSD 5.3 amd64
$ sudo pfctl -sr | grep 'max-mss 1440'
match on pppoe0 all scrub (max-mss 1440)

--
James Shupe


Re: OpenBSD not forwarding to specific sites

John Tate-8
In reply to this post by John Tate-8
Well, max-mss doesn't seem to help; I can still only access gmail and
not google.com.au. Also, it has become suddenly selective after months
with no problem, so I wonder if this is the default these days. Still
problems.

On Tue, Oct 1, 2013 at 2:02 AM, James Shupe <[hidden email]> wrote:

> On 2013-09-30 10:58, John Tate wrote:
>>
>> It would help if you told me how to do this...
>>
>> # ifconfig pppoe max-mms 1400
>> ifconfig: max-mms: bad value
>> # ifconfig pppoe0 max-mms 1440
>> ifconfig: max-mms: bad value
>>
>
> match on $ext scrub (max-mss 1400)
>
> in /etc/pf.conf
>
> Also, don't top post.
>
> --
> James Shupe
>
>



--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

John Tate-8
On Tue, Oct 1, 2013 at 2:29 AM, Luis Coronado <[hidden email]> wrote:
> set reassemble yes no-df
>
> I tried using match and scrub rules without luck, but the 'reassemble yes
> no-df' solved my problems with the GRE tunnels we use among networks.
>
> Just make sure you don't have set skip on pppoe0
>
> -luis
Just trying this, something got through for a second but once again
queries to google and other sites don't work. It is still unreliable.




--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

John Tate-8
Things are working fine from another one of my computers, it must be
something to do with the computer I'm using. Sorry about that
everyone.

On Tue, Oct 1, 2013 at 2:48 AM, John Tate <[hidden email]> wrote:

> Yeah I am using my lan not the wlan. I've not got to even seeing if
> the wlan even works yet, though it used to with that configuration.
> The worst thing is the hosts occasionally manage to work for a split
> second, and stop again. I'm certain there is nothing wrong with my ISP
> unless they have trouble with this particular setup. It worked for
> months with no problems, and then they started happening.
>
> On Tue, Oct 1, 2013 at 2:44 AM, Luis Coronado <[hidden email]> wrote:
>> I'm afraid I only read the last post of the email thread about
>> match/scrub/mtu. That is why I suggested the set option in my previous
>> email.
>>
>> The fact that your router can contact the destination hosts without issues
>> but not the internal hosts forces me to believe that there isn't, at least at
>> this stage, an MTU related problem.
>>
>> I see that you serve your LAN over athn0. You can find out if there are
>> issues with your wireless setup by running ifconfig athn0 debug and watching
>> /var/log/messages. The athn0 power savings fix was submitted almost a year ago
>> but who knows, you could be the happy owner of a particular card that doesn't
>> work as expected.
>>
>> Have you tried running your lan from the ethernet card instead?
>>
>> -luis
>>



--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

John Tate-8
It worked for a while, but since rebooting my router none of my
computers can access google.com; gmail.com works. Many other sites
are not working, it is very frustrating.

Clients on the wireless also don't work, it is the same problem. I can
ping all the sites I can't access; the problem appears to be with HTTP.

Since starting the thread I have changed my pf.conf on the advice of other
users to have these lines...
set reassemble yes no-df
match in  on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)

Any more ideas?

On Tue, Oct 1, 2013 at 2:51 AM, John Tate <[hidden email]> wrote:

> Things are working fine from another one of my computers, it must be
> something to do with the computer I'm using. Sorry about that
> everyone.



--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

Vijay Sankar
Quoting John Tate <[hidden email]>:

> It worked for a while but since rebooting my router now none of my
> computers work to access google.com, gmail.com works. Many other sites
> are not working, it is very frustrating.
>
> Clients on the wireless also don't work, it is the same problem. I can
> ping all the sites I can't access the problem appears to be with HTTP.
>
> Since starting the thread I have changed my pf.conf on advice of other
> users to have these lines...
> set reassemble yes no-df
> match in  on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)
>
> Any more ideas?
>

Are you using dhcp on fxp0? I thought I noticed log entries where fxp0
did not get the IP address it was requesting.



Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
[hidden email]

---------------------------------------------
This message was sent using ForeTell-POST 4.9
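
An added example, not part of the thread, for checking what the dhcpd lines quoted earlier actually record: it groups the daemon-log messages by client MAC and reports what each client asked for, what was refused and what it now holds. The sample lines are the dhcpd entries from the /var/log/daemon excerpt in this thread plus one unrelated named line; the parser assumes only the standard ISC dhcpd message format.

```python
"""Summarise dhcpd(8) exchanges from the daemon log, per client MAC address.

Added example, not part of the thread.  SAMPLE_LOG holds the dhcpd lines
quoted from /var/log/daemon earlier in the thread plus one unrelated named
line; the regex assumes the standard ISC dhcpd message format.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Sep 30 22:57:05 menger named[21967]: running
Sep 30 22:57:16 menger dhcpd[25068]: DHCPREQUEST for 192.168.0.2 from 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPNAK on 192.168.0.2 to 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPDISCOVER from 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPOFFER on 192.168.0.4 to 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPREQUEST for 192.168.0.4 from 50:e5:49:ca:27:08 via fxp0
Sep 30 22:57:16 menger dhcpd[25068]: DHCPACK on 192.168.0.4 to 50:e5:49:ca:27:08 via fxp0
"""

DHCPD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dhcpd\[\d+\]: '
    r'(?P<msg>DHCP[A-Z]+)'
    # DISCOVER carries no address; REQUEST/NAK/OFFER/ACK do, sometimes followed
    # by a parenthesised server id or hostname
    r'(?: (?:for|on) (?P<ip>\d+\.\d+\.\d+\.\d+)(?: \([^)]*\))?)?'
    r' (?:from|to) (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})'
    r'(?: \([^)]*\))?'          # optional "(hostname)" after the MAC
    r' via (?P<iface>\S+)')


def parse_dhcpd_line(line: str):
    """Return the fields of one dhcpd log line, or None if it is not one."""
    m = DHCPD_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Group messages by client MAC: what it asked for, was refused, and now holds."""
    clients = defaultdict(lambda: {"iface": None, "requested": [], "nak": [],
                                   "offered": [], "ack": None})
    for line in lines:
        rec = parse_dhcpd_line(line)
        if rec is None:
            continue
        c = clients[rec["mac"]]
        c["iface"] = rec["iface"]
        msg = rec["msg"]
        if msg == "DHCPREQUEST":
            c["requested"].append(rec["ip"])
        elif msg == "DHCPNAK":
            c["nak"].append(rec["ip"])
        elif msg == "DHCPOFFER":
            c["offered"].append(rec["ip"])
        elif msg == "DHCPACK":
            c["ack"] = rec["ip"]
    return dict(clients)


def describe(summary):
    """One human-readable line per client."""
    out = []
    for mac, c in summary.items():
        parts = [f"{mac} via {c['iface']}:"]
        if c["nak"]:
            # DHCPNAK means the server refused to confirm the address the client
            # asked for, e.g. a lease the server no longer knows about
            parts.append(f"request for {', '.join(c['nak'])} refused (DHCPNAK),")
        if c["ack"]:
            parts.append(f"now holds {c['ack']}")
        elif c["requested"]:
            parts.append("no DHCPACK seen")
        out.append(" ".join(parts))
    return out


if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against the real file with `summarize(open("/var/log/daemon").read().splitlines())`; a client that is repeatedly NAKed and never ACKed is the case worth chasing, while a NAK followed by an ACK on a different address, as in the sample, is a completed renegotiation.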


Re: OpenBSD not forwarding to specific sites

James Shupe-4
In reply to this post by John Tate-8
> set reassemble yes no-df
> match in  on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)

"match in on"? You need to match both directions.

Also, stop top posting.

--
James Shupe
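
An added example, not from the thread or from OpenBSD, that checks a pf.conf (or the output of `pfctl -sr`) for the pitfalls raised in this thread: a clamp rule restricted to one direction as James points out here, `set skip on` the external interface as Luis warned earlier, no max-mss rule at all, and a max-mss larger than the link can carry. It understands only the small subset of pf.conf syntax those checks need (macros, `set skip on`, `set reassemble`, `match ... scrub (...)`); the sample configurations are constructed from the rules quoted in the thread.

```python
"""Lint a pf.conf (or `pfctl -sr` output) for the MSS-clamping pitfalls in this thread.

Added example, not from the thread or from OpenBSD.  Only the pf.conf subset
needed for these checks is parsed: macros, `set skip on`, `set reassemble`
and `match ... scrub (max-mss N)` rules.  Sample configs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]+?)"?\s*$')
SKIP_RE = re.compile(r'^\s*set\s+skip\s+on\s+(.+?)\s*$')
REASSEMBLE_RE = re.compile(r'^\s*set\s+reassemble\s+yes\b')
SCRUB_RE = re.compile(
    r'^\s*match\s+(?:(?P<dir>in|out)\s+)?(?:log\s+)?(?:quick\s+)?on\s+(?P<iface>\S+)\s+.*?'
    r'scrub\s*\((?P<opts>[^)]*)\)')


@dataclass
class Clamp:
    line_no: int
    direction: Optional[str]    # None means the rule matches both directions
    iface: str
    max_mss: Optional[int]


@dataclass
class PfSummary:
    skipped: set = field(default_factory=set)    # interfaces under `set skip on`
    clamps: list = field(default_factory=list)   # Clamp records
    reassemble: bool = False


def parse_pf(conf: str) -> PfSummary:
    """Expand macros, then collect skip interfaces, reassemble and scrub rules."""
    macros = {}
    summary = PfSummary()
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        line = re.sub(r'\$(\w+)', lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        if REASSEMBLE_RE.match(line):
            summary.reassemble = True
        m = SKIP_RE.match(line)
        if m:
            summary.skipped.update(m.group(1).strip('{} ').split())
            continue
        m = SCRUB_RE.match(line)
        if m:
            mss = re.search(r'max-mss\s+(\d+)', m.group('opts'))
            summary.clamps.append(Clamp(no, m.group('dir'), m.group('iface'),
                                        int(mss.group(1)) if mss else None))
    return summary


def lint_pf(conf: str, ext_if: str, link_mtu: int = 1492) -> list:
    """Findings for the external interface; an empty list means none of the known pitfalls."""
    s = parse_pf(conf)
    limit = link_mtu - 40          # IP + TCP headers, no options
    findings = []
    if ext_if in s.skipped:
        findings.append(f"'set skip on {ext_if}': pf ignores that interface entirely, "
                        f"so no scrub or max-mss rule can ever act on it")
    clamps = [c for c in s.clamps if c.iface == ext_if and c.max_mss is not None]
    if not clamps:
        findings.append(f"no 'scrub (max-mss N)' rule on {ext_if}: TCP MSS is not clamped "
                        f"(a link with MTU {link_mtu} carries at most {limit})")
    for c in clamps:
        if c.direction:
            findings.append(f"line {c.line_no}: clamp applies only to '{c.direction}' packets; "
                            f"use 'match on {ext_if} scrub (max-mss {c.max_mss})' so SYNs in "
                            f"both directions are clamped")
        if c.max_mss > limit:
            findings.append(f"line {c.line_no}: max-mss {c.max_mss} exceeds {limit}, "
                            f"the most a link with MTU {link_mtu} can carry")
    return findings


if __name__ == "__main__":
    # Constructed from the rules quoted in the thread.
    for name, conf in [
        ("thread's rules", "set reassemble yes no-df\n"
                           "match in  on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)\n"),
        ("both directions", 'ext = "pppoe0"\nmatch on $ext scrub (max-mss 1440)\n'),
        ("skipped ext", "set skip on { lo0 pppoe0 }\nmatch on pppoe0 scrub (max-mss 1440)\n"),
    ]:
        print(f"{name}: {lint_pf(conf, 'pppoe0') or 'no findings'}")
```

The check also accepts the `match on pppoe0 all scrub (max-mss 1440)` form that `pfctl -sr` prints, so it can be run on what pf actually loaded rather than on the file.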


Re: OpenBSD not forwarding to specific sites

Roberto E. Vargas Caballero
In reply to this post by John Tate-8
> Since starting the thread I have changed my pf.conf on advice of other
> users to have these lines...
> set reassemble yes no-df
> match in  on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)
>
> Any more ideas?

I have a similar problem here, and I still haven't found the solution,
but maybe your problem is related to [1], in the section
"pf and window scaling" (you can find some information about it
in [2]).

Good luck,

[1] http://fatsquirrel.org/veghead/wot/openbsd.php
[2] http://wheel.troxo.com/2008/06/05/tcp-window-scaling-conundrum
--
Roberto E. Vargas Caballero
----------------------------
[hidden email]
http://www.shike2.com


Re: OpenBSD not forwarding to specific sites

John Tate-8
In reply to this post by John Tate-8
I've done this, now Google works, but Facebook is still not working
and probably some other sites.

On Tue, Oct 1, 2013 at 3:34 AM, Luis Coronado <[hidden email]> wrote:

> if you keep set reassemble yes no-df you can (must?) remove the match in on
> pppoe0 scrub (max-mss 1440 no-df reassemble tcp)
>
> -luis
>
>
>
> On Mon, Sep 30, 2013 at 11:30 AM, John Tate <[hidden email]> wrote:
>>
>> It worked for a while but since rebooting my router now none of my
>> computers work to access google.com, gmail.com works. Many other sites
>> are not working, it is very frustrating.
>>
>> Clients on the wireless also don't work, it is the same problem. I can
>> ping all the sites I can't access the problem appears to be with HTTP.
>>
>> Since starting the thread I have changed my pf.conf on advice of other
>> users to have these lines...
>> set reassemble yes no-df
>> match in  on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)
>>
>> Any more ideas?
>>
>> On Tue, Oct 1, 2013 at 2:51 AM, John Tate <[hidden email]> wrote:
>> > Things are working fine from another one of my computers, it must be
>> > something to do with the computer I'm using. Sorry about that
>> > everyone.
>> >
>> > On Tue, Oct 1, 2013 at 2:48 AM, John Tate <[hidden email]> wrote:
>> >> Yeah I am using my lan not the wlan. I've not got to even seeing if
>> >> the wlan even works yet, though it used to with that configuration.
>> >> The worst thing is the hosts occasionally manage to work for a split
>> >> second, and stop again. I'm certain there is nothing wrong with my ISP
>> >> unless they have trouble with this particular setup. It worked for
>> >> months with no problems, and then they started happening.
>> >>
>> >> On Tue, Oct 1, 2013 at 2:44 AM, Luis Coronado <[hidden email]>
>> >> wrote:
>> >>> I'm afraid I only read the last post of the email thread about
>> >>> match/scrub/mtu. That is why I suggested the set option in my previous
>> >>> email.
>> >>>
>> >>> The fact that your router can contact the destination hosts without
>> >>> issues
>> >>> but not the internal hosts forces me to believe that there isn't, at
>> >>> least at
>> >>> this stage a mtu related problem.
>> >>>
>> >>> I see that you serve your LAN over athn0. You can find out if there
>> >>> are
>> >>> issues with your wireless setup by running ifconfig athn0 debug and
>> >>> watching
>> >>> /var/log/messages. athn0 power savings fix was submitted almost a year
>> >>> ago
>> >>> but who knows, you could be the happy owner of a particular card that
>> >>> doesn't
>> >>> work as expected.
>> >>>
>> >>> Have you tried running your lan from the ethernet card instead?
>> >>>
>> >>> -luis
>> >>>
>> >>>
>> >>>
>> >>> On Mon, Sep 30, 2013 at 10:32 AM, John Tate <[hidden email]> wrote:
>> >>>>
>> >>>> On Tue, Oct 1, 2013 at 2:29 AM, Luis Coronado <[hidden email]>
>> >>>> wrote:
>> >>>> > set reassemble yes no-df
>> >>>> >
>> >>>> > I tried using match and scrub rules without luck, but the
>> >>>> > 'reassemble
>> >>>> > yes
>> >>>> > no-df' solved my problems with the GRE tunnels we use among
>> >>>> > networks.
>> >>>> >
>> >>>> > Just make sure you don't have set skip on pppoe0
>> >>>> >
>> >>>> > -luis
>> >>>> Just trying this, something got through for a second but once again
>> >>>> queries to google and other sites don't work. It is still unreliable.
>> >>>> >
>> >>>> >
>> >>>> >
>> >>>> > On Mon, Sep 30, 2013 at 10:26 AM, John Tate <[hidden email]>
>> >>>> > wrote:
>> >>>> >>
>> >>>> >> Well, max-mss doesn't seem to help; I can still only access gmail
>> >>>> >> and
>> >>>> >> not google.com.au. Also it has become suddenly selective after
>> >>>> >> months
>> >>>> >> with no problem so I wonder if this is the default these days.
>> >>>> >> Still
>> >>>> >> problems.
>> >>>> >>
>> >>>> >> On Tue, Oct 1, 2013 at 2:02 AM, James Shupe <[hidden email]>
>> >>>> >> wrote:
>> >>>> >> > On 2013-09-30 10:58, John Tate wrote:
>> >>>> >> >>
>> >>>> >> >> It would help if you told me how to do this...
>> >>>> >> >>
>> >>>> >> >> # ifconfig pppoe max-mms 1400
>> >>>> >> >> ifconfig: max-mms: bad value
>> >>>> >> >> # ifconfig pppoe0 max-mms 1440
>> >>>> >> >> ifconfig: max-mms: bad value
>> >>>> >> >>
>> >>>> >> >
>> >>>> >> > match on $ext scrub (max-mss 1400)
>> >>>> >> >
>> >>>> >> > in /etc/pf.conf
>> >>>> >> >
>> >>>> >> > Also, don't top post.
>> >>>> >> >
>> >>>> >> > --
>> >>>> >> > James Shupe
>> >>>> >> >
>> >>>> >> >
>> >>>> >>
>> >>>> >>
>> >>>> >>
>> >>>> >> --
>> >>>> >> www.johntate.org
>> >>>> >>
>> >>>> >
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> www.johntate.org
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> www.johntate.org
>> >
>> >
>> >
>> > --
>> > www.johntate.org
>>
>>
>>
>> --
>> www.johntate.org
>>
>



--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

John Tate-8
Looks like I just had to remove the match line and just use "set
reassemble yes no-df" and restart my interfaces on clients. Everything
appears to work now.

Still amazes me this wasn't a problem for months.

On Tue, Oct 1, 2013 at 4:34 AM, John Tate <[hidden email]> wrote:

> I've done this, now Google works, but Facebook is still not working
> and probably some other sites.
>



--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

John Tate-8
Alright at the moment things are mostly working but I've found I can't
access Google Plus and Facebook never finishes loading, though at
least now it loads a bit. Connections like ssh generally seem to be
staying open. Is there something unusual about Facebook that anyone
knows about?


--
www.johntate.org


Re: OpenBSD not forwarding to specific sites

James Shupe-4
Try just "match on pppoe0 scrub (max-mss 1400 no-df)" and remove the
reassemble line.


--
James Shupe
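As an added example (not code from the thread, nor from the OpenBSD project), here is how the two settings argued over above fit together in a pf.conf fragment for a PPPoE gateway. The interface names and LAN prefix (pppoe0, athn0, 192.168.1.0/24) come from the thread; the NAT and pass rules are an assumed baseline, and the 1452-byte figure is derived from the PPPoE overhead rather than quoted from any post.

```pf
# Added example, not from the thread. Interface names and LAN prefix are
# taken from the original post; NAT/pass rules are an assumed baseline.
ext_if  = "pppoe0"
lan_if  = "athn0"
lan_net = "192.168.1.0/24"

# Global option from Luis Coronado's post: reassemble fragments on all
# interfaces and clear the DF bit so oversized packets can be fragmented
# instead of being dropped. 'set skip on pppoe0' would bypass this, which
# is why he warns against it.
set reassemble yes no-df

# Do NOT keep a per-interface 'reassemble tcp' scrub rule alongside the
# global option; removing this line is what made John Tate's clients work.
# match in on $ext_if scrub (max-mss 1440 no-df reassemble tcp)

# MSS clamping from James Shupe's post. PPPoE adds 8 bytes of overhead, so
# the link MTU is 1492 and the largest TCP payload is 1492 - 40 = 1452.
# 1400 leaves headroom for IP/TCP options and is a common conservative value.
match on $ext_if scrub (max-mss 1400 no-df)

# Assumed baseline: NAT the LAN out of the PPPoE interface and pass traffic.
match out on $ext_if from $lan_net to any nat-to ($ext_if)
block return
pass out quick
pass in on $lan_if from $lan_net
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and confirm the scrub rule is present with `pfctl -s rules`. To check the MTU assumption from a LAN client, `ping -D -s 1464 <host>` (DF set, 1464 + 28 bytes of headers = 1492) should get replies while `-s 1472` should fail if the link MTU really is 1492; if both succeed, the path MTU is larger and the clamp can be raised accordingly.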
