Hello Ian,

I just need some clarification on how gw1 and gw2 are wired up and
connected to the internet. Just let me know if the diagram below is right.

         .--->-- rpki.ripe.net ---->--------.
         |                                  |
         |                                  |
         |                                  |
         A echo request:                    V echo reply:
         |  172.16.0.92 -> 193.0.6.138      |  193.0.6.138 -> 172.16.0.91
         |                                  |
         |                                  | vlan313
  ,------+-------.                   ,------+-------.
  | gw2          |                   | gw1          |
  |              |           vlan209 |              |
  |              +-------------------+              |
  |              |                   |              |
  `--------------'                   `--------------'

I wonder if diagram above matches your topology.

</snip>

> >     I'm not sure how busy gw1 is, but it might make some sense to
> >     repeat the test with 'pfctl -x debug'; this will make pf(4) more
> >     talkative and we might be lucky to get some hits to see what goes wrong.
> 
> 
> It spews a *lot*, but if I grep for that RIPE IP, I get:
> 
> root@the-gw1:~# cat /var/log/messages|grep 193.0.6.138
> Apr 30 21:30:53 gw1 /bsd: pf: key search, in on vlan313: ICMP wire: (0)
> 193.0.6.138:8 172.16.0.91:3235

    The first state search above is for the inbound ICMP packet.

> Apr 30 21:30:53 gw1 /bsd: pf: key search, out on vlan209: ICMP wire: (0)
> 172.16.0.91:3235 193.0.6.138:8

    The second state search above is for the outbound ICMP packet. The addresses
    are just swapped. pf does that internally to deal with packet direction
    (inbound vs. outbound and request vs. reply). It's an implementation
    detail that just looks confusing.


It looks like we are dealing with some kind of asymmetry in your network path
(requests take a different route than replies). I wonder if relaxing your pass
rule for icmp would help here. If I remember correctly, your icmp rule at gw1
reads as follows:

    pass quick proto { icmp, icmp6 } 

I would try to make the state check less paranoid at gw1:

    pass quick proto { icmp, icmp6 } keep state (sloppy)

hope it helps
regards
sashan
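An added example, not code from the thread or from pf itself, that parses 'pf: key search' lines of the shape quoted above, undoes the endpoint swap pf prints for outbound searches, and lists flows whose first sighting on the box was inbound on an external interface (vlan313 is assumed to be the internet-facing one; 198.51.100.7 and the second echo are constructed). For traffic the inside initiated, such a flow is the reply leg of an asymmetric path, the case the sloppy rule is meant to tolerate.

```python
import re
from collections import defaultdict

# Constructed sample: the two 'pf: key search' lines quoted in the thread for the
# rpki.ripe.net echo, plus an invented second echo (to 198.51.100.7, a documentation
# address) that takes the normal path: request in on vlan209, out on vlan313,
# reply in on vlan313, out on vlan209.
SAMPLE_LOG = """\
Apr 30 21:30:53 gw1 /bsd: pf: key search, in on vlan313: ICMP wire: (0) 193.0.6.138:8 172.16.0.91:3235
Apr 30 21:30:53 gw1 /bsd: pf: key search, out on vlan209: ICMP wire: (0) 172.16.0.91:3235 193.0.6.138:8
Apr 30 21:30:54 gw1 /bsd: pf: key search, in on vlan209: ICMP wire: (0) 172.16.0.91:3236 198.51.100.7:8
Apr 30 21:30:54 gw1 /bsd: pf: key search, out on vlan313: ICMP wire: (0) 198.51.100.7:8 172.16.0.91:3236
Apr 30 21:30:54 gw1 /bsd: pf: key search, in on vlan313: ICMP wire: (0) 198.51.100.7:8 172.16.0.91:3236
Apr 30 21:30:54 gw1 /bsd: pf: key search, out on vlan209: ICMP wire: (0) 172.16.0.91:3236 198.51.100.7:8
"""

# Line format assumed from the lines quoted in the thread; the "(0)" field is kept opaque.
KEY_SEARCH = re.compile(
    r"pf: key search, (?P<dir>in|out) on (?P<ifname>\S+): (?P<proto>\S+) wire: "
    r"\(\d+\) (?P<a>[\d.]+):(?P<ap>\d+) (?P<b>[\d.]+):(?P<bp>\d+)"
)

def parse_key_searches(text):
    """One dict per 'key search' line, in log order; unrelated lines are skipped."""
    return [m.groupdict() for m in map(KEY_SEARCH.search, text.splitlines()) if m]

def flow_id(rec):
    """Direction-independent identity of a state key. pf prints the outbound
    search with the two endpoints swapped, so sorting them lets the 'in' and
    'out' searches for one packet, and both legs of an echo, collapse into a
    single flow. For ICMP the 'port' slots carry ICMP type/id values."""
    ends = ("%s:%s" % (rec["a"], rec["ap"]), "%s:%s" % (rec["b"], rec["bp"]))
    return (rec["proto"],) + tuple(sorted(ends))

def flow_paths(records):
    """Map each flow to the ordered list of (direction, interface) searches."""
    paths = defaultdict(list)
    for r in records:
        paths[flow_id(r)].append((r["dir"], r["ifname"]))
    return dict(paths)

def first_seen_on_external(records, external_ifaces):
    """Flows whose first sighting on this box is inbound on an external
    interface. For traffic the inside initiated, that means the request left
    through another gateway and only the reply came back here: the asymmetry
    that strict state tracking rejects and 'keep state (sloppy)' tolerates."""
    return {fid: path for fid, path in flow_paths(records).items()
            if path[0][0] == "in" and path[0][1] in external_ifaces}
```

Feed it `grep 'key search' /var/log/messages` output after `pfctl -x debug`; flows that a host on the inside initiated but that show up here should be empty on a symmetric path.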
