Re: Sometime NAT, sometimes NOT?
Brian,

Despite the fact that I get tons of State Failures I see this strange message:

Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed

Can this be the cause of my errors?

Andy.

-----Original Message-----
From: Brian A. Seklecki [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 12 June 2007 22:03
To: Geraerts Andy
Cc: misc@openbsd.org
Subject: RE: Sometime NAT, sometimes NOT?

> pfctl -x loud
> tail -f /var/log/messages
>
> ~BAS
>
> On Mon, 11 Jun 2007, Geraerts Andy wrote:
>
>>> We have an OpenBSD firewall running for a while now. Since a few days we
>>> encounter some sort of selective natting. I try to ping a host, I get a
>>> reply, and 2 minutes later I try to ping the same host and I don't get
>>> replies.
>>
>> So despite the state being created in both instances, you see a packet
>> egress your external interface with the source address of the internal
>> host instead of the external interface of the NAT box?
>
>> We indeed see the state being created. The packet egresses on the
>> external interface without NAT. So the IP packet contains the source IP
>> address of my laptop and therefore further on the path gets blocked
>> because it isn't natted. A few seconds/minutes later I try again and
>> everything works again. Is there a way to see why it isn't doing the NAT?
>> (There are around 80 interfaces (vlan + carp) on the box.)
>>
>> Regards,
>> Andy.

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.472 / Virus Database: 269.8.15/847 - Release Date: 12/06/2007 21:42

__
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager at: [EMAIL PROTECTED] or call +32-(0)11-240234. This footnote also confirms that this email message has been swept by Sophos for the presence of computer viruses.
__
Re: Sometime NAT, sometimes NOT?
>> Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed
>
> this almost sounds like you have something else which grabs these ports.
> do you, intentionally?

Well I can't find anything that could block it. There is no ftp daemon or
ftp proxy or whatever running on the box.

What does pf do when it tries to allocate a NAT port and doesn't succeed:
doesn't it do the NAT at all, or does it try again? It could explain the
behavior that we see, that sometimes packets aren't natted as they should be.

So then can I enlarge the range?

Thanks,
Andy.
Re: Sometime NAT, sometimes NOT?
>> Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535) failed
>>
>> Can this be the cause of my errors?
>
> Yes, you have run out of available ports to NAT from. The straightforward
> answer is to NAT from a larger pool of addresses, i.e.
>
>   nat ... -> { 1.1.1.1, 2.2.2.2, 3.3.3.0/24 }
>
> The 50001:65535 range is set in /usr/src/sbin/pfctl/pfctl_parser.c
> (PF_NAT_PROXY_PORT_LOW and ..._HIGH) which might give some opportunity to
> shoot yourself in the foot (especially if you don't bother to make related
> changes to sysctl net.inet.ip.port* to keep some hiports free for
> connections from the box itself).

If I look at the state table, I see:

State Table                          Total             Rate
  current entries                     3744
  searches                      2144319853         2594.8/s
  inserts                          6610702            8.0/s
  removals                         6606958            8.0/s

Can I have more NAT port consumption than states? Is there a way to see
which nat consumes the most ports so I can add IP aliases to this specific
nat?

Thanks,
Andy.
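One way to answer the "which nat consumes the most ports" question above, as an added example that is not from the thread: a shell function that tallies distinct proxy ports per translation address from `pfctl -ss` output. It assumes the OpenBSD 3.x state layout shown earlier in the thread (`src -> nat -> dst`) and uses a constructed sample in place of the poster's real state table.

```shell
#!/bin/sh
# Added example (not from the thread): tally NAT proxy ports per translation
# address from `pfctl -ss` output. Assumes the OpenBSD 3.x `pfctl -ss` layout
# seen in the thread:
#   <if> <proto> <src>:<port> -> <nat>:<port> -> <dst>:<port> <state>
# (IPv4 only; rdr states, shown with "<-", and un-natted states are skipped).

NAT_PORT_LOW=50001      # PF_NAT_PROXY_PORT_LOW, as quoted in the thread
NAT_PORT_HIGH=65535     # PF_NAT_PROXY_PORT_HIGH

# Reads `pfctl -ss` lines on stdin; prints "nat_addr used free", busiest first.
nat_port_usage() {
    awk -v lo="$NAT_PORT_LOW" -v hi="$NAT_PORT_HIGH" '
        # two "->" arrows = outbound translation; $5 is nat_addr:proxy_port
        $4 == "->" && $6 == "->" {
            if (split($5, a, ":") != 2) next
            port = a[2] + 0
            if (port < lo || port > hi) next         # outside the proxy range
            if (!seen[a[1] ":" port]++) used[a[1]]++ # count each port once
        }
        END {
            range = hi - lo + 1
            for (addr in used)
                printf "%s %d %d\n", addr, used[addr], range - used[addr]
        }' | sort -k2,2nr -k1,1
}

# Constructed sample: five translated states on two NAT addresses (one proxy
# port shared by two states), plus one rdr state and one un-natted icmp state
# that the tally must ignore.
SAMPLE_STATES='self tcp 172.31.255.24:3211 -> 10.9.0.10:50017 -> 172.29.28.20:80       ESTABLISHED:ESTABLISHED
self tcp 172.31.255.25:3212 -> 10.9.0.10:50018 -> 172.29.28.20:443      ESTABLISHED:ESTABLISHED
self tcp 172.31.255.25:3213 -> 10.9.0.10:50018 -> 172.29.28.21:443      ESTABLISHED:ESTABLISHED
self udp 172.31.255.26:1024 -> 10.9.0.10:65535 -> 172.29.28.21:53       MULTIPLE:SINGLE
self tcp 172.31.255.27:3300 -> 10.9.0.11:50017 -> 172.29.28.20:80       ESTABLISHED:ESTABLISHED
self tcp 10.9.1.5:80 <- 10.9.0.12:80 <- 172.29.28.30:4410              ESTABLISHED:ESTABLISHED
self icmp 172.31.255.24:768 -> 172.29.28.20:768       0:0'

# Runs the tally over the constructed sample (used by the demo below).
nat_port_usage_sample() {
    printf '%s\n' "$SAMPLE_STATES" | nat_port_usage
}

nat_port_usage_sample
```

On the box itself, `pfctl -ss | nat_port_usage` gives the live picture: an address whose "used" column approaches 15535 is the one that needs extra aliases in its nat pool, and the proxy range should stay clear of whatever the net.inet.ip.port* sysctls hand out for the box's own connections, as the reply above notes.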
Re: Sometime NAT, sometimes NOT?
>> We have an OpenBSD firewall running for a while now. Since a few days we
>> encounter some sort of selective natting. I try to ping a host, I get a
>> reply, and 2 minutes later I try to ping the same host and I don't get
>> replies.
>
> So despite the state being created in both instances, you see a packet
> egress your external interface with the source address of the internal
> host instead of the external interface of the NAT box?

We indeed see the state being created. The packet egresses on the external
interface without NAT. So the IP packet contains the source IP address of my
laptop and therefore further on the path gets blocked because it isn't
natted. A few seconds/minutes later I try again and everything works again.

Is there a way to see why it isn't doing the NAT? (There are around 80
interfaces (vlan + carp) on the box.)

Regards,
Andy.
Sometime NAT, sometimes NOT?
We have an OpenBSD firewall running for a while now. Since a few days we
encounter some sort of selective natting. I try to ping a host, I get a
reply, and 2 minutes later I try to ping the same host and I don't get
replies.

Running tcpdump showed us that the packet isn't always being natted. This
can also be seen in the output of the following commands:

ping 172.29.28.20

Pinging 172.29.28.20 with 32 bytes of data:
Request timed out.

On the openbsd I see no natting:

[EMAIL PROTECTED]:~ pfctl -vvss | grep -A3 172.29.28.20 | more
self icmp 172.31.255.24:768 -> 172.29.28.20:768       0:0
   age 00:00:19, expires in 00:00:07, 4:0 pkts, 240:0 bytes, rule 208
   id: 46632391003339fb creatorid: 6e3eb503

A few minutes later:

ping 172.29.28.20

Pinging 172.29.28.20 with 32 bytes of data:
Reply from 172.29.28.20: bytes=32 time=2ms TTL=62

[EMAIL PROTECTED]:~ pfctl -vvss | grep -A3 172.29.28.20 | more
self icmp 172.31.255.24:768 -> 10.9.0.10:768 -> 172.29.28.20:768       0:0
   age 00:00:03, expires in 00:00:10, 4:4 pkts, 240:240 bytes, rule 208
   id: 4663239100333d60 creatorid: 6e3eb503

Now the openbsd does the correct nat!?

The machine has been running for 2 years and after a power failure we see
this problem.

pfctl -si
Status: Enabled for 4 days 15:46:59           Debug: Misc

Hostid: 0x6e3eb503

Interface Stats for em1              IPv4             IPv6
  Bytes In                              0                0
  Bytes Out                             0              352
  Packets In
    Passed                              0                0
    Blocked                             0                0
  Packets Out
    Passed                              0                2
    Blocked                             0                3

State Table                          Total             Rate
  current entries                     3599
  searches                       951532091         2364.5/s
  inserts                          3360105            8.3/s
  removals                         3356506            8.3/s
Counters
  bad-offset                             0            0.0/s
  fragment                              78            0.0/s
  short                                  0            0.0/s
  normalize                             33            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                         80443            0.2/s
  ip-option                             46            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                     24791            0.1/s
  state-insert                         231            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Is this a known bug in 3.7? Since it's a company firewall it isn't easy to
do an upgrade of course :-)

Thanks,
Andy Geraerts