Hi Mike.

Mike wrote:
> Yes, I know that Windows uses ICMP for traceroute (I use both the
> Windows tracert command line utility and the SamSpade GUI utility).

Cool.

> However, I have found that troubleshooting is always easier if one can
> eliminate Windows from the mix, that's why I reproduced the problem on
> the FreeBSD box (and also an OpenBSD notebook, but I didn't show those
> logs.

Couldn't agree more.

> Traceroutes were working here previously. I rewrote the rules
> surrounding NAT when the new pf.conf syntax appeared, that's when I
> started noticing the traceroute issues.

What OS are we talking about now?

uname -rsv
OpenBSD 4.8 GENERIC#136

Not to throw curve balls, but I had exactly the same problem as you initially during 4.7, then at some point it came good (so the opposite of your situation). I did change my pf on the odd occasion and thought little of it. This is a carbon copy of my 4.7 pf and it still works. So yes, that ruleset allowed trace during 4.7 and now during 4.8 ...

From a Windows host:

C:\Documents and Settings\Administrator>tracert on.net

Tracing route to on.net [150.101.140.197]
over a maximum of 30 hops:

  1    <10 ms    <10 ms    <10 ms  192.168.1.250
  2     38 ms     39 ms     39 ms  lns21.adl2.internode.on.net [203.16.215.199]
  3     44 ms     43 ms     77 ms  150.101.134.14
  4     38 ms     39 ms     38 ms  techgw.adl.internode.on.net [150.101.1.84]
  5     47 ms     36 ms     37 ms  pubweb.internode.on.net [150.101.140.197]

From an OpenBSD host:

traceroute -P ICMP on.net
 1  192.168.2.250 (192.168.2.250)  0.425 ms  0.290 ms  0.217 ms
 2  lns21.adl2.internode.on.net (203.16.215.199)  36.698 ms  37.122 ms  34.950 ms
 3  150.101.134.14 (150.101.134.14)  50.339 ms  45.852 ms  45.197 ms
 4  techgw.adl.internode.on.net (150.101.1.84)  41.494 ms  39.724 ms  39.560 ms
 5  pubweb.internode.on.net (150.101.140.197)  45.711 ms  44.618 ms  42.521 ms

Mike wrote:
> When I use that ruleset (changing nothing except the interface names),
> traceroute using ICMP still does not work from the clients.

Ouch.

I've simplified it to this:

# packet filtering
block all

# pppoe0:network
pass out on pppoe0 inet from (pppoe0) to any
pass out on pppoe0 inet from vr1:network nat-to (pppoe0)
pass out on pppoe0 inet from vr2:network nat-to (pppoe0)

# vr1:network
pass in on vr1 inet from vr1:network to any

# vr2:network
pass in on vr2 inet from vr2:network to any

It all still works, from a Windows host and an OpenBSD host.

To reiterate:

uname -rsv
OpenBSD 4.8 GENERIC#136

That's the router and the client.

Not to be captain obvious, but Windows (older versions) has a packet filter; of course now it's kernel mode all the way with Windows Firewall, and obviously FreeBSD has something - pf is default now, right? I know you said you could ping and trace from your router to your hosts, but ... I'm probably the noob here, but is that worth looking at?

FYI, I obviously use pppoe, it's pppoe(4). I haven't made any manual adjustments to MTU or MSS or any other acronyms I don't know the full import of. Everything (everything), networking or otherwise, is pretty much default.

Best wishes.
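Added here as an example, not the poster's own pf.conf: the simplified ruleset above restated with logging and comments on where to look when a client's ICMP traceroute stops at the router. The interface names (pppoe0, vr1, vr2) are carried over from the post as assumptions; the pflog0 and pfctl checks are standard OpenBSD tools.

```pf
# Assumed interfaces, matching the post.
ext_if  = "pppoe0"
int_ifs = "{ vr1 vr2 }"

set skip on lo

# Drop packets arriving on a LAN interface with a source address that
# does not belong to that interface's network.
antispoof quick for $int_ifs

# Default deny, logged. Any traceroute probe or reply the ruleset drops
# becomes visible with:
#   tcpdump -n -e -ttt -i pflog0
block log all

# Outbound NAT for both LANs. Each pass rule creates a state entry for the
# flow it matches (keep state is the default on OpenBSD).
pass out on $ext_if inet from ($ext_if) to any
pass out on $ext_if inet from vr1:network nat-to ($ext_if)
pass out on $ext_if inet from vr2:network nat-to ($ext_if)

# LAN clients may initiate anything, which covers the ICMP echo requests
# sent by Windows tracert and by traceroute -P ICMP on OpenBSD.
pass in on vr1 inet from vr1:network to any
pass in on vr2 inet from vr2:network to any

# No inbound rule is needed for the ICMP time-exceeded replies from the
# intermediate hops: pf matches an ICMP error against the state of the
# packet quoted in its payload and translates it back to the client.
# While a trace is running, the translated state should be listed by:
#   pfctl -s state | grep icmp
```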

