Hi all,

I am testing my new OpenBSD router in a simple NAT configuration but I
am getting some strange results. The client machine is a Windows XP
laptop and the behaviour is that only a handful of websites render
(google, for example); 99% that I've tried do not. FTP appears to be
working fine. It doesn't appear to be a local client configuration
issue, as when I point to an alternate NAT gateway there are no
problems.

Here is my configuration:

-bash-3.2# ifconfig -A (stripped slightly)
pppoe1: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: fxp2 state: session
        sid: 0x6 PADI retries: 0 PADR retries: 0 time: 12:00:53
        sppp: phase network authproto chap authname "xxxxx"
        groups: pppoe egress
        inet6 fe80::204:23ff:fecb:1cde%pppoe1 ->  prefixlen 64 scopeid 0x9
        inet 90.155.88.39 --> 81.187.81.72 netmask 0xffffffff
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:02:b3:13:fc:0d
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::202:b3ff:fe13:fc0d%fxp2 prefixlen 64 scopeid 0x5
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:cb:1c:de
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::204:23ff:fecb:1cde%em0 prefixlen 64 scopeid 0x1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:cb:1c:de
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::204:23ff:fecb:1c7d%em1 prefixlen 64 scopeid 0x2
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:cb:1c:de
        trunk: trunkproto loadbalance
                trunkport em1 active
                trunkport em0 master,active
        groups: trunk
        media: Ethernet autoselect
        status: active
        inet6 fe80::204:23ff:fecb:1cde%trunk0 prefixlen 64 scopeid 0xb
vlan1020: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:04:23:cb:1c:de
        vlan: 1020 priority: 0 parent interface: trunk0
        groups: vlan
        inet6 fe80::204:23ff:fecb:1cde%vlan1020 prefixlen 64 scopeid 0xe
        inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255


-bash-3.2# route show -inet (stripped)
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            careless.aaisp.net UGS         1     8539      -   pppoe1
0.0.0.1            default            UH          0        0      -   pppoe0
careless.aaisp.net 90.155.88.39       UH          1        2      -   pppoe1

(pppoe0 is not currently in-use)


-bash-3.2# cat /etc/pf.conf
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on pppoe1 from vlan1020:network to any -> (pppoe1)
rdr pass on vlan1020 proto tcp from any to any port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"




Scenario:

- Windows client sitting on an 802.1q tagged network.
- VLAN ID is 1020 and is set to be the default VLAN on the switch port
it's attached to.
- Default gw on client is 192.168.10.1
- trunk0 on firewall is configured as a trunk on the switch (em0/em1),
albeit not 802.3ad (not sure on standard)
- Client can ping any host on the internet
- Client appears to be able to connect to any internet host on port
80, and a 'GET /' works (albeit often to an HTTP 1.1 error, as you'd
expect)
- Only a couple of the websites I've tried actually render in a
browser; google does, for example.
- I can grab small text files (<1KB) from a site, but larger ones
don't work. Looks like size is relevant.
- Connection works fine from the firewall itself; can grab anything
from anywhere with no issue (does this rule out MTU issues on the WAN
link?)


I don't have any tcpdump or debug data handy where I am at the moment,
but can obtain some later today upon request.

Any thoughts on how I can debug this? Any more info I can provide to help?

Thanks in advance!
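A hardened version of the posted ruleset, added here as an example and not part of the original post. It assumes the size-dependent failures (small transfers succeed, large ones stall behind a 1492-byte PPPoE link, while the firewall itself is fine) are the usual path-MTU problem, and clamps TCP MSS on pppoe1 using the same pre-4.7 pf syntax as the posted file; 1452 is 1492 minus 20 bytes of IP and 20 bytes of TCP header, and scrub rules must precede nat/rdr rules in this syntax.

```pf
# Added example, not the original post's pf.conf.
# Assumption: the failures are a path-MTU / MSS problem on the 1492-byte
# PPPoE link. Scrub (normalisation) rules come before translation rules.

# Reassemble fragments and normalise packets on all interfaces.
scrub in all
# Clamp the TCP MSS advertised through the PPPoE link so that clients behind
# NAT never send full 1500-byte Ethernet segments that cannot fit:
#   1492 (pppoe1 mtu) - 20 (IP header) - 20 (TCP header) = 1452
scrub out on pppoe1 all max-mss 1452

# Translation rules exactly as posted.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on pppoe1 from vlan1020:network to any -> (pppoe1)
rdr pass on vlan1020 proto tcp from any to any port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# No block rules are defined, so ICMP "fragmentation needed" (type 3, code 4)
# still reaches the NAT'd hosts and path-MTU discovery keeps working for
# anything MSS clamping does not cover. If block rules are added later,
# keep a rule like the following so that PMTUD is not silently broken:
pass in on pppoe1 inet proto icmp all icmp-type unreach code needfrag
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; if the clamp fixes browsing, the original symptom was large segments being dropped on the PPPoE path rather than a NAT or VLAN fault.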
