Dear readers,

I am setting up a network according to an external specification and using
OpenBSD
(it's up to date, 5.7; 5.8 is coming). The question comes after the explanation of
the setup.

Two routers are connected together through other routers.
They are the gateways of the local network users, and on each side there is
another router
on the same LAN; those routers provide the interconnection.

Client ---- router1 bsd(gw)           router2 bsd(gw) ----- Server
           \_ opaque router----------------opaque router_/

This is ugly, and I changed the sysctl to not send ICMP redirect warnings,
which I would call the "your network spec is ugly" ICMP warning.

I came across a behavior that is new to me when opening a TCP connection from Client to
Server:
I get a sackOK; if I 'pass on interface ... flags any', I can
communicate for a minute
between client and server.

When I send ICMP with ping from Client to Server or from router1 to
Server,
only the first probe goes through (if I do ping -c1 -w2 and wait a second
before each, everything is OK).

It looks like this:

$ ping -c1 -w2 -I 10.54.213.241 10.19.71.21
PING 10.19.71.21 (10.19.71.21): 56 data bytes
64 bytes from 10.19.71.21: icmp_seq=0 ttl=61 time=1.070 ms
--- 10.19.71.21 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.070/1.070/1.070/0.000 ms

$ ping -c3 -w2 -I 10.54.213.241 10.19.71.21
PING 10.19.71.21 (10.19.71.21): 56 data bytes
64 bytes from 10.19.71.21: icmp_seq=0 ttl=61 time=1.129 ms
--- 10.19.71.21 ping statistics ---
3 packets transmitted, 1 packets received, 66.7% packet loss
round-trip min/avg/max/std-dev = 1.129/1.129/1.129/0.000 ms

Only two block rules:
$ sudo pfctl -s rules | grep block
block drop in log quick from urpf-failed to any label "uRPF"
block drop log all

The only strange configuration is that the physical interface is in a bridge and the
IP is on a vether
interface inside the bridge.

There is a set skip on the physical interface, and
- pass on vether from (vether:network) to (vether:network)
- pass in on vether from (vether:network) to server:network
- pass out on vether from server:network to (vether:network)

So data goes:
client -> interface -> bridge -> (vether?) -> bridge -> interface -> network.

*My problem*: pflog0 is empty, but pfctl -d fixes the problem
(any input welcome).

(I will now test a workaround involving GRE to suppress the redirect
warnings,
instead of just silencing them.)

Thank you if you made it this far in the mail!

-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\

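For readers trying to follow the setup, here is a pf.conf that writes out the ruleset the mail describes (set skip on the bridged physical interface, the two block rules shown by pfctl, and the three pass rules on the vether). This is an added example, not the poster's actual configuration: the interface names em0, bridge0 and vether0, the server prefix 10.19.71.0/24 and the macro names are assumptions chosen to match the addresses in the ping output. The sysctl the mail refers to for silencing redirects is net.inet.ip.redirect=0 in /etc/sysctl.conf; the GRE workaround is not shown.

```pf
# Added example reconstructing the ruleset described in the mail.
# Interface names and the server prefix are assumptions, not the poster's config.
ext_if  = "em0"             # physical interface, a member of bridge0
vif     = "vether0"         # vether inside bridge0 that carries router1's IP
srv_net = "10.19.71.0/24"   # server-side network (assumed from the ping target)

# The physical interface is bridged; pf is only evaluated on the vether.
set skip on $ext_if

# The two block rules shown by 'pfctl -s rules | grep block'.
# uRPF drops packets whose source is not reachable via the interface they
# arrived on, which is exactly what an asymmetric path through the opaque
# routers can produce; it is logged to pflog0.
block drop in log quick from urpf-failed to any label "uRPF"
block drop log all

# Traffic between hosts on the vether's own network.
pass on $vif from ($vif:network) to ($vif:network)

# Client -> Server leaves via the vether; Server -> Client replies come back
# in on the same vether (via the opaque router on the same LAN).
pass in  on $vif from ($vif:network) to $srv_net
pass out on $vif from $srv_net to ($vif:network)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `label "uRPF"` makes the drop counter visible in `pfctl -s labels`, and `tcpdump -n -e -ttt -i pflog0` shows any packet the logged block rules actually hit, which is the first thing to compare against the mail's observation that pflog0 stays empty.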