Snapshot and network connections trouble

Björn Ketelaars
Last week (January 24, 2006) I updated our gateway to snapshot (i386).
Everything seems to work fine except that users are complaining about
internet-connections being dropped. The main complaint is that it is
possible to use the internet but it is not possible to transfer files. I
checked this complaint, and indeed there are some problems best
described as connections being closed too fast.
As a test I reverted to a backup (Snapshot December 29, 2005) which
solved the dropping of connections.

Is there anyone who recognizes this problem and maybe has a solution?

I'm using a three-legged setup; two Intel NICs (fxp0 and fxp1) and one
Prism 2.5 (wi0). I included a copy of pf.conf and the output of dmesg.


# macros
wan_if = "fxp0"
lan_if = "fxp1"
wir_if = "wi0"

wan_lan_tcp = "{ssh, smtp, http, https}"
wan_lan_udp = "{isakmp, ipsec-nat-t}"
wan_lan_icmp = "{echoreq}"
wir_lan_tcp = "{ssh}"
wir_lan_udp = "{domain, isakmp, ipsec-nat-t}"

table <rfc1918> const {127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}

# options
set block-policy return
set loginterface $wan_if

# scrub incoming packets
scrub on $wan_if reassemble tcp no-df random-id

# nat/rdr
nat on $wan_if from $lan_if:network to any -> ($wan_if)
nat on $wan_if from $wir_if:network to any -> ($wan_if)
rdr on $wan_if proto tcp from !10.0.0.100 to ($wan_if) port 5000 -> 10.0.0.100
rdr on $wan_if proto udp from !10.0.0.100 to ($wan_if) port 5000 -> 10.0.0.100

# setup a default block policy
block log (all)

# loopback interface (lo0)
set skip on lo0

# encryption interface (enc0)
set skip on enc0

# external interface ($wan_if)
pass in on $wan_if inet proto tcp from !<rfc1918> to ($wan_if) port $wan_lan_tcp flags S/SA keep state
pass in on $wan_if inet proto udp from !<rfc1918> to ($wan_if) port $wan_lan_udp keep state
pass in on $wan_if inet proto esp from !<rfc1918> to ($wan_if) keep state
pass in on $wan_if inet proto icmp from !<rfc1918> to ($wan_if) icmp-type $wan_lan_icmp keep state
pass in on $wan_if inet proto tcp from !<rfc1918> to 10.0.0.100 port 5000 flags S/SA synproxy state
pass in on $wan_if inet proto udp from !<rfc1918> to 10.0.0.100 port 5000 keep state
pass out on $wan_if proto tcp from any to !<rfc1918> modulate state flags S/SA
pass out on $wan_if proto udp from any to !<rfc1918> keep state
pass out on $wan_if proto icmp from any to !<rfc1918> keep state

# internal interface ($lan_if)
pass in on $lan_if from $lan_if:network to any keep state
pass out on $lan_if from any to $lan_if:network keep state

# wireless interface ($wir_if)
pass in on $wir_if proto tcp from $wir_if:network to $wir_if port $wir_lan_tcp keep state
pass in on $wir_if proto udp from $wir_if:network to $wir_if port $wir_lan_udp keep state
pass in on $wir_if proto esp from $wir_if:network to $wir_if keep state
pass out on $wir_if from any to $wir_if:network keep state


OpenBSD 3.9-beta (GENERIC) #593: Tue Jan 24 02:00:54 MST 2006
     [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 398 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 268017664 (261736K)
avail mem = 237572096 (232004K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(e4) BIOS, date 06/30/98, BIOS32 rev. 0 @ 0xec700
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7440/112 (5 entries)
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371AB PIIX4 ISA"
rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x800 0xe0000/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage Pro" rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 10 function 0 "Intel 8255x" rev 0x05, i82558: irq 11,
address 00:50:8b:70:84:c0
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
fxp1 at pci0 dev 13 function 0 "Intel 8255x" rev 0x05, i82558: irq 11,
address 00:08:c7:5a:38:e9
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 0
wi0 at pci0 dev 14 function 0 "Intersil PRISM2.5" rev 0x01: irq 11
wi0: PRISM2.5 ISL3874A(Mini-PCI) (0x8013), Firmware 1.0.7 (primary),
1.3.6 (station), address 00:09:5b:69:98:4c
pcib0 at pci0 dev 20 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <Maxtor 52049H3>
wd0: 16-sector PIO, LBA, 19541MB, 40021632 sectors
wd1 at pciide0 channel 0 drive 1: <Maxtor 6Y080L0>
wd1: 16-sector PIO, LBA, 78167MB, 160086528 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 20 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 20 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
admtemp0 at iic0 addr 0x4c: adm1032
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc_cmd: send error
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
kbc: aux echo error 1
kbc: cmd word write error
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
biomask fffd netmask fffd ttymask ffff
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
syncing disks... done
rebooting...

Re: Snapshot and network connections trouble

Moritz Grimm
Björn Ketelaars wrote:

> Last week (January 24, 2006) I updated our gateway to snapshot (i386).
> Everything seems to work fine except that users are complaining about
> internet-connections being dropped. The main complaint is that it is
> possible to use the internet but it is not possible to transfer files. I
> checked this complaint, and indeed there are some problems best
> described as connections being closed too fast.
> As a test I reverted to a backup (Snapshot December 29, 2005) which
> solved the dropping of connections.
>
> Is there anyone who recognizes this problem and maybe has a solution?
[...]
> pass in on $wan_if inet proto tcp from !<rfc1918> to 10.0.0.100 port
> 5000 flags S/SA synproxy state
> pass in on $wan_if inet proto udp from !<rfc1918> to 10.0.0.100 port
> 5000 keep state
> pass out on $wan_if proto tcp from any to !<rfc1918> modulate state
> flags S/SA
[...]

It looks like this could be related to modulate/synproxy state being
currently broken:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=113844738811816&w=2

It would be interesting to know if the patch helps, I suppose?


Moritz
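
Added example, not part of the original thread or of pf itself: a small Python helper that lists which pass rules in a pf.conf use "modulate state" or "synproxy state", the two options the reply above points to, so the traffic affected by the regression can be identified. The function names and the embedded sample (rules from the thread, one per line) are constructed for illustration.

```python
import re

# Constructed sample: rules quoted in the reply above, written one rule per
# line (with one '\' continuation) as they would appear in /etc/pf.conf.
SAMPLE_PF_CONF = '''\
wan_if = "fxp0"
pass in on $wan_if inet proto tcp from !<rfc1918> to 10.0.0.100 port 5000 \\
    flags S/SA synproxy state
pass in on $wan_if inet proto udp from !<rfc1918> to 10.0.0.100 port 5000 keep state
pass out on $wan_if proto tcp from any to !<rfc1918> modulate state flags S/SA
'''

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
STATE_OPT = re.compile(r'\b(keep|modulate|synproxy)\s+state\b')
RULE_HEAD = re.compile(r'^pass\s+(in|out)\b(?:.*?\bon\s+(\S+))?')


def logical_lines(text):
    """Yield (first_line_no, line): comments stripped, '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None


def rules_by_state(text):
    """Map each state option to the pass rules using it, with macros expanded."""
    macros, found = {}, {"keep": [], "modulate": [], "synproxy": []}
    for no, line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r'\$(\w+)', lambda v: macros.get(v.group(1), v.group(0)), line)
        head, state = RULE_HEAD.match(line), STATE_OPT.search(line)
        if head and state:
            found[state.group(1)].append((no, head.group(1), head.group(2), line))
    return found
```

On the sample, the "modulate" entry is the outbound TCP rule on fxp0 and the "synproxy" entry is the inbound port 5000 rule; the UDP rule is listed under "keep".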

Re: Snapshot and network connections trouble

Björn Ketelaars
Moritz Grimm wrote:

> Björn Ketelaars wrote:
>> Last week (January 24, 2006) I updated our gateway to snapshot (i386).
>> Everything seems to work fine except that users are complaining about
>> internet-connections being dropped. The main complaint is that it is
>> possible to use the internet but it is not possible to transfer files.
>> I checked this complaint, and indeed there are some problems best
>> described as connections being closed too fast.
>> As a test I reverted to a backup (Snapshot December 29, 2005) which
>> solved the dropping of connections.
>>
>> Is there anyone who recognizes this problem and maybe has a solution?
> [...]
>> pass in on $wan_if inet proto tcp from !<rfc1918> to 10.0.0.100 port
>> 5000 flags S/SA synproxy state
>> pass in on $wan_if inet proto udp from !<rfc1918> to 10.0.0.100 port
>> 5000 keep state
>> pass out on $wan_if proto tcp from any to !<rfc1918> modulate state
>> flags S/SA
> [...]
>
> It looks like this could be related to modulate/synproxy state being
> currently broken:
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=113844738811816&w=2
>
> It would be interesting to know if the patch helps, I suppose?
>
>
> Moritz
>

Applied the patch, compiled and tested the new kernel. Everything works
fine now!

Thanks