Re: OpenBSD not forwarding to specific sites
* John Tate j...@johntate.org [2013-09-30 20:34]:
> but Facebook is still not working

that's a feature.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: OpenBSD not forwarding to specific sites
On Mon, Sep 30, 2013 at 11:18:55PM +1000, John Tate wrote:
> I am having trouble with IP forwarding to specific sites on a very typical configuration. The router itself can access these sites but clients cannot. I have looked in obvious places on the clients, but I cannot find a cause.
>
> I reinstalled OpenBSD on the router after getting SSL errors where SSL servers could not be reached from clients, and I bought a cheap Netgear router to use which works fine, ruling out that my ISP is causing problems. I really need to find out what is causing these issues with my Internet; it is something bizarre.
>
> On my server I've literally only changed the following files...
>
> /etc/hostname.fxp0
> /etc/hostname.athn0
> /etc/hostname.pppoe0
> /etc/hostname.xl0
> /var/named/etc/named.conf
> /etc/rndc.conf
> /etc/resolv.conf
> /etc/pf.conf
> /etc/dhcpd.conf

Is IP forwarding (net.inet.ip.forwarding=1) on? It's in sysctl.conf (not in that list) and it's off by default.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: OpenBSD not forwarding to specific sites
Quoting John Tate j...@johntate.org:

I am having trouble with IP forwarding to specific sites on a very typical configuration. The router itself can access these sites but clients cannot. I have looked in obvious places on the clients, but I cannot find a cause.

I reinstalled OpenBSD on the router after getting SSL errors where SSL servers could not be reached from clients, and I bought a cheap Netgear router to use which works fine, ruling out that my ISP is causing problems. I really need to find out what is causing these issues with my Internet; it is something bizarre.

On my server I've literally only changed the following files...

/etc/hostname.fxp0
/etc/hostname.athn0
/etc/hostname.pppoe0
/etc/hostname.xl0
/var/named/etc/named.conf
/etc/rndc.conf
/etc/resolv.conf
/etc/pf.conf
/etc/dhcpd.conf

These are all pretty straightforward so I don't understand what the problem is. The existing SSL problem just came out of nowhere with no changes.

# cat /etc/hostname.athn0
inet 192.168.1.1 255.255.255.0 192.168.1.255
up media autoselect mode 11g mediaopt hostap nwid KintaroAP chan 11 \
	wpa wpakey FallInLove2013 wpaprotos wpa2

# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
	pppoedev xl0 authproto pap \
	authname 'x...@eftel.net.au' authkey '' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

# cat /etc/hostname.xl0
up

# cat /var/named/etc/named.conf
// $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
//
// Example file for a simple named configuration, processing both
// recursive and authoritative queries using one cache.

// Update this list to include only the networks for which you want
// to execute recursive queries. The default setting allows all hosts
// on any IPv4 networks for which the system has an interface, and
// the IPv6 localhost address.
//
acl clients {
	localnets;
	::1;
};

options {
	version "";	// remove this to allow version queries

	listen-on    { 192.168.0.1; 192.168.1.1; 127.0.0.1; };
	listen-on-v6 { any; };

	forwarders { 8.8.8.8; 8.8.4.4; };

	empty-zones-enable yes;

	allow-recursion { clients; };
};

logging {
	category lame-servers { null; };
};

// Standard zones
//
#zone "." {
#	type hint;
#	file "db.cache";
#};

zone "localhost" {
	type master;
	file "standard/localhost";
	allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
	type master;
	file "standard/loopback";
	allow-transfer { localhost; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
	type master;
	file "standard/loopback6.arpa";
	allow-transfer { localhost; };
};

#zone "kab.loc" {
#	type master;
#	file "master/kab.loc";
#};

#zone "0.168.192.in-addr.arpa" {
#	type master;
#	file "master/db.0.168.192";
#};

#zone "1.168.192.in-addr.arpa" {	// posted as "in-addr-arpa"; the reverse zone suffix is in-addr.arpa
#	type master;
#	file "master/db.1.168.192";
#};

// Master zones
//
//zone "myzone.net" {
//	type master;
//	file "master/myzone.net";
//};

// Slave zones
//
//zone "otherzone.net" {
//	type slave;
//	file "slave/otherzone.net";
//	masters { 192.0.2.1; [...;] };
//};

key "rndc-key" {
	algorithm hmac-md5;
	secret "XXX";
};

controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};

# cat /etc/pf.conf
# Firewall ruleset for KintaroABODE router.

int_if=fxp0
wifi_if=athn0
tcp_services="{ 22, 113 }"
icmp_types=echoreq

fekete=192.168.0.3
fekete_tcp="{ 17001, 8333 }"
fekete_udp="{ 8333 }"
mises=192.168.0.4
mises_tcp="{ 25565 }"

# options
set block-policy drop
set loginterface egress
set skip on lo

anchor "ftp-proxy/*"
pass in on $int_if inet proto tcp to any port ftp \
	divert-to 127.0.0.1 port 8021

table <sshguard> persist

# match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# filter rules
block in log
pass out quick

antispoof quick for { lo $int_if $wifi_if }

pass in on egress inet proto tcp from any to (egress) \
	port $tcp_services

block in quick on egress proto tcp from <sshguard> \
	to any port ssh label "ssh bruteforce"

pass in on egress inet proto tcp from any to (egress) port $fekete_tcp rdr-to $fekete
# the posted rule said "proto tcp" here; $fekete_udp is a UDP port list
pass in on egress inet proto udp from any to (egress) port $fekete_udp rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $mises_tcp rdr-to $mises

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if
pass in on $wifi_if

There is nothing related in the messages or daemon log.

# cat /var/log/daemon
Sep 30 22:23:08 menger savecore: no core dump
Sep 30 22:24:12 menger dhclient[31387]: DHCPREQUEST on fxp0 to 255.255.255.255 port 67
Sep 30 22:24:19 menger last message repeated 3 times
Sep 30 22:24:26 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 1
Sep 30 22:24:27 menger dhclient[31387]: DHCPDISCOVER on fxp0 to 255.255.255.255 port 67
Re: OpenBSD not forwarding to specific sites
Hi,

On 30/09/2013 15:41, Vijay Sankar wrote:
> Quoting John Tate j...@johntate.org:
>> I can ping www.google.com.au and load the page in lynx from the router but not from other machines. Whereas I can use gmail, like I am at the moment, fine. This is a very, very strange bug I am experiencing.

I would have thought of a MTU problem at first but being able to use Gmail might prove me wrong.

Denis
Re: OpenBSD not forwarding to specific sites
On 2013-09-30 08:18, John Tate wrote:
> I am having trouble with IP forwarding to specific sites on a very typical configuration. The router itself can access these sites but clients cannot. I have looked in obvious places on the clients, but I cannot find a cause.
>
> I reinstalled OpenBSD on the router after getting SSL errors where SSL servers could not be reached from clients, and I bought a cheap Netgear router to use which works fine, ruling out that my ISP is causing problems.

Have you tried setting your max-mss to something like 1440 or 1400? Usually that's necessary with DSL... or else you end up with very selective browsing.
Re: OpenBSD not forwarding to specific sites
It would help if you told me how to do this...

# ifconfig pppoe max-mms 1400
ifconfig: max-mms: bad value
# ifconfig pppoe0 max-mms 1440
ifconfig: max-mms: bad value

On Mon, Sep 30, 2013 at 11:53 PM, James Shupe jsh...@hermetek.com wrote:
> On 2013-09-30 08:18, John Tate wrote:
>> [...]
>
> Have you tried setting your max-mss to something like 1440 or 1400? Usually that's necessary with DSL... or else you end up with very selective browsing.

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Found it:

    While pppoe(8) has an internal option, ``mssfixup'', which is enabled by default and takes care of this, pppoe users have to rely on other methods. Using a packet filter, the maximum segment size (MSS) can be set (clamped) to the required value. The following rule in pf.conf(5) would set the MSS to 1440:

        match on pppoe0 scrub (max-mss 1440)

On Mon, Sep 30, 2013 at 11:53 PM, James Shupe jsh...@hermetek.com wrote:
> On 2013-09-30 08:18, John Tate wrote:
>> [...]
>
> Have you tried setting your max-mss to something like 1440 or 1400? Usually that's necessary with DSL... or else you end up with very selective browsing.

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
This part of the manual is out of date and the syntax does not work with pf in OpenBSD 5.3:

    While pppoe(8) has an internal option, ``mssfixup'', which is enabled by default and takes care of this, pppoe users have to rely on other methods. Using a packet filter, the maximum segment size (MSS) can be set (clamped) to the required value. The following rule in pf.conf(5) would set the MSS to 1440:

        match on pppoe0 scrub (max-mss 1440)

The documentation on pf.conf suggests doing much the same in its example and it doesn't work.

On Tue, Oct 1, 2013 at 2:07 AM, John Tate j...@johntate.org wrote:
> Found it:
> [...]

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
On 2013-09-30 11:12, John Tate wrote:
> This part of the manual is out of date and the syntax does not work with pf in OpenBSD 5.3:
>
>     While pppoe(8) has an internal option, ``mssfixup'', which is enabled by default and takes care of this, pppoe users have to rely on other methods. Using a packet filter, the maximum segment size (MSS) can be set (clamped) to the required value. The following rule in pf.conf(5) would set the MSS to 1440:
>
>         match on pppoe0 scrub (max-mss 1440)

It works fine for me on several boxes with 5.3.

$ uname -smr
OpenBSD 5.3 amd64
$ sudo pfctl -sr | grep 'max-mss 1440'
match on pppoe0 all scrub (max-mss 1440)

-- 
James Shupe
Re: OpenBSD not forwarding to specific sites
Well, max-mss doesn't seem to help; I can still only access gmail and not google.com.au. Also it has become suddenly selective after months with no problem, so I wonder if this is the default these days. Still problems.

On Tue, Oct 1, 2013 at 2:02 AM, James Shupe jsh...@hermetek.com wrote:
> On 2013-09-30 10:58, John Tate wrote:
>> It would help if you told me how to do this...
>> [...]
>
> match on $ext scrub (max-mss 1400)
>
> in /etc/pf.conf
>
> Also, don't top post.
>
> -- 
> James Shupe

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
On Tue, Oct 1, 2013 at 2:29 AM, Luis Coronado lcoron...@ticoit.com wrote:
> set reassemble yes no-df
>
> I tried using match and scrub rules without luck, but the 'reassemble yes no-df' solved my problems with the GRE tunnels we use among networks.
>
> Just make sure you don't have set skip on pppoe0
>
> -luis

Just trying this, something got through for a second but once again queries to google and other sites don't work. It is still unreliable.

> On Mon, Sep 30, 2013 at 10:26 AM, John Tate j...@johntate.org wrote:
>> Well, max-mss doesn't seem to help; I can still only access gmail and not google.com.au.
>> [...]

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Things are working fine from another one of my computers, it must be something to do with the computer I'm using. Sorry about that everyone.

On Tue, Oct 1, 2013 at 2:48 AM, John Tate j...@johntate.org wrote:
> Yeah, I am using my lan, not the wlan. I've not got to even seeing if the wlan even works yet, though it used to with that configuration. The worst thing is the hosts occasionally manage to work for a split second, and stop again. I'm certain there is nothing wrong with my ISP unless they have trouble with this particular setup. It worked for months with no problems, and then they started happening.
>
> On Tue, Oct 1, 2013 at 2:44 AM, Luis Coronado lcoron...@ticoit.com wrote:
>> I'm afraid I only read the last post of the email thread about match/scrub/mtu. That is why I suggested the set option in my previous email. The fact that your router can contact the destination hosts without issues but not the internal hosts forces me to believe that there isn't, at least at this stage, a mtu related problem.
>>
>> I see that you serve your LAN over athn0. You can find out if there are issues with your wireless setup by running ifconfig athn0 debug and watching /var/log/messages. athn0 power savings fix was submitted almost a year ago but who knows, you could be the happy owner of a particular card that doesn't work as expected.
>>
>> Have you tried running your lan from the ethernet card instead?
>>
>> -luis
>>
>> On Mon, Sep 30, 2013 at 10:32 AM, John Tate j...@johntate.org wrote:
>>> [...]

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
It worked for a while but since rebooting my router now none of my computers work to access google.com; gmail.com works. Many other sites are not working, it is very frustrating. Clients on the wireless also don't work, it is the same problem.

I can ping all the sites I can't access; the problem appears to be with HTTP.

Since starting the thread I have changed my pf.conf on advice of other users to have these lines...

set reassemble yes no-df
match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)

Any more ideas?

On Tue, Oct 1, 2013 at 2:51 AM, John Tate j...@johntate.org wrote:
> Things are working fine from another one of my computers, it must be something to do with the computer I'm using. Sorry about that everyone.
>
> [...]

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Quoting John Tate j...@johntate.org:
> It worked for a while but since rebooting my router now none of my computers work to access google.com; gmail.com works. Many other sites are not working, it is very frustrating. Clients on the wireless also don't work, it is the same problem.
>
> I can ping all the sites I can't access; the problem appears to be with HTTP.
>
> Since starting the thread I have changed my pf.conf on advice of other users to have these lines...
>
> set reassemble yes no-df
> match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)
>
> Any more ideas?
>
> On Tue, Oct 1, 2013 at 2:51 AM, John Tate j...@johntate.org wrote:
>> [...]

Are you using dhcp on fxp0? I thought I noticed log entries where fxp0 did not get the IP address it was requesting.

Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca

- This message was sent using ForeTell-POST 4.9
Re: OpenBSD not forwarding to specific sites
set reassemble yes no-df match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp) match in on? You need to match both directions. Also, stop top posting. -- James Shupe
Re: OpenBSD not forwarding to specific sites
> Since starting the thread I have changed my pf.conf on advice of other users to have these lines...
>
> set reassemble yes no-df
> match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)
>
> Any more ideas?

I have a similar problem here, and I still haven't found the solution, but maybe your problem can be related to [1], in the section "pf and window scaling" (you can find some information about it in [2]).

Good luck,

[1] http://fatsquirrel.org/veghead/wot/openbsd.php
[2] http://wheel.troxo.com/2008/06/05/tcp-window-scaling-conundrum

-- 
Roberto E. Vargas Caballero
k...@shike2.com
http://www.shike2.com
Re: OpenBSD not forwarding to specific sites
I've done this, now Google works, but Facebook is still not working and probably some other sites.

On Tue, Oct 1, 2013 at 3:34 AM, Luis Coronado lcoron...@ticoit.com wrote:
> if you keep
>
> set reassemble yes no-df
>
> you can (must?) remove the
>
> match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)
>
> -luis
>
> On Mon, Sep 30, 2013 at 11:30 AM, John Tate j...@johntate.org wrote:
>> It worked for a while but since rebooting my router now none of my computers work to access google.com; gmail.com works.
>> [...]

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Looks like I just had to remove the match line and just use

set reassemble yes no-df

and restart my interfaces on clients. Everything appears to work now. Still amazes me this wasn't a problem for months.

On Tue, Oct 1, 2013 at 4:34 AM, John Tate j...@johntate.org wrote:
> I've done this, now Google works, but Facebook is still not working and probably some other sites.
>
> On Tue, Oct 1, 2013 at 3:34 AM, Luis Coronado lcoron...@ticoit.com wrote:
>> if you keep set reassemble yes no-df you can (must?) remove the match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)
>>
>> -luis
>>
>> [...]

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Alright, at the moment things are mostly working but I've found I can't access Google Plus, and Facebook never finishes loading, though at least now it loads a bit. Connections like ssh generally seem to be staying open.

Is there something unusual about Facebook that anyone knows about?

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Try just

match on pppoe0 scrub (max-mss 1400 no-df)

and remove the reassemble line.

-- 
James Shupe
Re: OpenBSD not forwarding to specific sites
On 2013-09-30, Denis Fondras open...@ledeuns.net wrote:
> I would have thought of a MTU problem at first but being able to use Gmail might prove me wrong.

no, google tends to limit MSS anyway.
Re: OpenBSD not forwarding to specific sites
Less worked last night using that than when using set reassemble yes no-df. Now it isn't working again and what you suggest doesn't seem to work either. Though gmail still works. There must be something else wrong.

On Tue, Oct 1, 2013 at 6:15 AM, James Shupe jsh...@hermetek.com wrote:
> Try just
>
> match on pppoe0 scrub (max-mss 1400 no-df)
>
> and remove the reassemble line.
>
> -- 
> James Shupe

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Actually

match on pppoe0 scrub (max-mss 1400 no-df)

seems to also work; I had 1440 entered in. Though Facebook doesn't finish loading still, and sometimes things don't work. So as I said, something else must be wrong.

On Tue, Oct 1, 2013 at 10:13 AM, John Tate j...@johntate.org wrote:
> Less worked last night using that than when using set reassemble yes no-df. Now it isn't working again and what you suggest doesn't seem to work either. Though gmail still works. There must be something else wrong.
>
> [...]

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
Did some reading; my ISP seems to require a specific, non-default MTU of 1454. Facebook actually finishes loading now, things might be okay.

On Tue, Oct 1, 2013 at 10:29 AM, John Tate j...@johntate.org wrote:
> Actually match on pppoe0 scrub (max-mss 1400 no-df) seems to also work; I had 1440 entered in. Though Facebook doesn't finish loading still, and sometimes things don't work. So as I said, something else must be wrong.
>
> [...]

-- 
www.johntate.org
Re: OpenBSD not forwarding to specific sites
John Tate [j...@johntate.org] wrote:
> It would help if you told me how to do this...

Fuck your whining.