Hello,

I run OpenBSD 5.6 as gateway for wireless networks. Interfaces:
em0 - link to switch with Ubiquiti APs that provide 4 SSIDs
   vlan 2 - 10.10.12.0/24, SSID Guests
   vlan 3 - 10.10.13.0/24, SSID Devs
   vlan 4 - 10.10.14.0/24, SSID VPNs
(The last SSID is Internal, in internal_nw_2 192.168.168.0/24, no VLAN, with 
EAP-TLS authentication against a different (not the OpenBSD) RADIUS server; 
these clients go through a different gateway via the AP switch)
em1 - internet
em2 - in internal_nw_1 172.16.0.0/16
em3 - in internal_nw_2 192.168.168.0/24

Guests are allowed typical internet traffic (web, mail, IM protocols...), 
bandwidth is limited
Devs are allowed to the 1st internal network and selected hosts on internet
VPNs are allowed only VPN protocols to internet

Everything works fine except traffic from the VLANs to one media portal in our 
country - idnes.cz. When I allowed NAT from the untagged internal_nw_2 and 
set one wireless client to use my OpenBSD as the gateway, I connected to the 
idnes.cz website without any problems. But when I try to connect to it from any 
of the vlan wireless networks (allowed it temporarily from all), it just doesn't 
connect, although any other http/s traffic to any other webserver is working 
without problems.

I ran tcpdumps on the router and on the client; I see that vlan tags are 
stripped after NAT and reapplied in responses. I don't have any more ideas on 
how I should continue debugging and solving this strange problem. Can anybody 
help me please?


pf options:
set block-policy return
set loginterface egress
set skip on lo


Example of traffic that works - to ihned.cz (81.95.101.8)
On vlan2 interface
------------------------
Feb 06 16:16:23.023894 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.24913 > 81.95.101.8.80: S 1686897114:1686897114(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK > (DF)
Feb 06 16:16:23.024350 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 1434: 
81.95.101.8.80 > 10.10.12.100.24908: . 4045:5425(1380) ack 1288 win 1114 (DF)
Feb 06 16:16:23.025477 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 56: 
10.10.12.100.24905 > 81.95.101.8.80: . ack 5764 win 258 (DF)
Feb 06 16:16:23.025956 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 493: 
10.10.12.100.24905 > 81.95.101.8.80: P 1280:1719(439) ack 5764 win 258 (DF)
Feb 06 16:16:23.028124 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 1063: 
81.95.101.8.80 > 10.10.12.100.24908: P 5425:6434(1009) ack 1288 win 1114 (DF)
Feb 06 16:16:23.028823 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 1434: 
81.95.101.8.80 > 10.10.12.100.24907: . 28682:30062(1380) ack 2162 win 1248 (DF)
Feb 06 16:16:23.029815 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 56: 
10.10.12.100.24908 > 81.95.101.8.80: . ack 6434 win 258 (DF)
Feb 06 16:16:23.031059 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 498: 
10.10.12.100.24912 > 54.228.187.145.80: P 831:1275(444) ack 1275 win 251 (DF)
Feb 06 16:16:23.031301 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 814: 
81.95.101.8.80 > 10.10.12.100.24907: P 30062:30822(760) ack 2162 win 1248 (DF)
Feb 06 16:16:23.035400 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 1434: 
81.95.101.8.80 > 10.10.12.100.24906: . 26405:27785(1380) ack 2150 win 1248 (DF)
Feb 06 16:16:23.035406 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 1016: 
81.95.101.8.80 > 10.10.12.100.24906: P 27785:28747(962) ack 2150 win 1248 (DF)
Feb 06 16:16:23.037786 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 56: 
10.10.12.100.24907 > 81.95.101.8.80: . ack 30822 win 258 (DF)
Feb 06 16:16:23.038120 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 66: 
81.95.101.8.80 > 10.10.12.100.24913: S 1565502224:1565502224(0) ack 1686897115 
win 14600 <mss 1380,nop,nop,sackOK,nop,wscale 4> (DF)

On inet_if interface
-------------------------
Feb 06 16:16:23.023963 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 66: 
x.y.z.161.50198 > 81.95.101.8.80: S 1686897114:1686897114(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:16:23.024306 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 1434: 
81.95.101.8.80 > x.y.z.161.55093: . 4045:5425(1380) ack 1288 win 1114 (DF)
Feb 06 16:16:23.024639 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 1063: 
81.95.101.8.80 > x.y.z.161.55093: P 5425:6434(1009) ack 1288 win 1114 (DF)
Feb 06 16:16:23.025508 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 54: 
x.y.z.161.63797 > 81.95.101.8.80: . ack 5764 win 258 (DF)
Feb 06 16:16:23.025978 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 493: 
x.y.z.161.63797 > 81.95.101.8.80: P 1280:1719(439) ack 5764 win 258 (DF)
Feb 06 16:16:23.028780 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 1434: 
81.95.101.8.80 > x.y.z.161.52735: . 28682:30062(1380) ack 2162 win 1248 (DF)
Feb 06 16:16:23.028830 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 814: 
81.95.101.8.80 > x.y.z.161.52735: P 30062:30822(760) ack 2162 win 1248 (DF)
Feb 06 16:16:23.029838 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 54: 
x.y.z.161.55093 > 81.95.101.8.80: . ack 6434 win 258 (DF)
Feb 06 16:16:23.031269 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 1434: 
81.95.101.8.80 > x.y.z.161.60762: . 26405:27785(1380) ack 2150 win 1248 (DF)
Feb 06 16:16:23.031330 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 1016: 
81.95.101.8.80 > x.y.z.161.60762: P 27785:28747(962) ack 2150 win 1248 (DF)
Feb 06 16:16:23.031335 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 66: 
81.95.101.8.80 > x.y.z.161.50198: S 1565502224:1565502224(0) ack 1686897115 win 
14600 <mss 1380,nop,nop,sackOK,nop,wscale 4> (DF)
Feb 06 16:16:23.035367 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 1434: 
81.95.101.8.80 > x.y.z.161.63797: . 5764:7144(1380) ack 1719 win 1181 (DF)
Feb 06 16:16:23.035723 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 792: 
81.95.101.8.80 > x.y.z.161.63797: P 7144:7882(738) ack 1719 win 1181 (DF)
Feb 06 16:16:23.037817 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 54: 
x.y.z.161.52735 > 81.95.101.8.80: . ack 30822 win 258 (DF)




Traffic to www.idnes.cz (194.79.52.192) doesn't work.

on vlan2 interface
------------------
Feb 06 16:28:14.386118 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.25276 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:14.394991 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.25276: S 1826910465:1826910465(0) ack 
3890632949 win 8192 <mss 1460> (DF)
Feb 06 16:28:14.654927 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.25277 > 194.79.52.192.80: S 3580442166:3580442166(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:14.663901 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.25277: S 3853049834:3853049834(0) ack 
3580442167 win 8192 <mss 1460> (DF)
Feb 06 16:28:17.378658 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.25276 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:17.396329 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.25276: S 1826910465:1826910465(0) ack 
3890632949 win 8192 <mss 1460> (DF)
Feb 06 16:28:17.658713 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.25277 > 194.79.52.192.80: S 3580442166:3580442166(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:17.666024 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.25277: S 3853049834:3853049834(0) ack 
3580442167 win 8192 <mss 1460> (DF)
Feb 06 16:28:19.875257 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 54: 
194.79.52.192.80 > 10.10.12.100.25276: R 1:1(0) ack 1 win 8192
Feb 06 16:28:20.378666 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 62: 
10.10.12.100.25276 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss 
1460,nop,nop,sackOK> (DF)
Feb 06 16:28:20.387692 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.25276: S 1595602:1595602(0) ack 3890632949 win 
8192 <mss 1460> (DF)
Feb 06 16:28:23.388929 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.25276: S 1595602:1595602(0) ack 3890632949 win 
8192 <mss 1460> (DF)
Feb 06 16:28:23.658788 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 62: 
10.10.12.100.25277 > 194.79.52.192.80: S 3580442166:3580442166(0) win 8192 <mss 
1460,nop,nop,sackOK> (DF)
Feb 06 16:28:24.230959 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 100: 
173.255.112.173.443 > 10.10.12.100.23180: P 1388794597:1388794643(46) ack 
2101850304 win 248
Feb 06 16:28:24.438625 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 56: 
10.10.12.100.23180 > 173.255.112.173.443: . ack 46 win 260 (DF)

on inet_if interface
--------------------
Feb 06 16:28:14.386170 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 66: 
x.y.z..161.60664 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:14.394965 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 62: 
194.79.52.192.80 > x.y.z..161.60664: S 1826910465:1826910465(0) ack 3890632949 
win 8192 <mss 1460> (DF)
Feb 06 16:28:14.654990 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 66: 
x.y.z..161.60396 > 194.79.52.192.80: S 3580442166:3580442166(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:14.663878 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 62: 
194.79.52.192.80 > x.y.z..161.60396: S 3853049834:3853049834(0) ack 3580442167 
win 8192 <mss 1460> (DF)
Feb 06 16:28:17.378699 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 66: 
x.y.z..161.60664 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:17.396299 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 62: 
194.79.52.192.80 > x.y.z..161.60664: S 1826910465:1826910465(0) ack 3890632949 
win 8192 <mss 1460> (DF)
Feb 06 16:28:17.658770 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 66: 
x.y.z..161.60396 > 194.79.52.192.80: S 3580442166:3580442166(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:17.665996 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 62: 
194.79.52.192.80 > x.y.z..161.60396: S 3853049834:3853049834(0) ack 3580442167 
win 8192 <mss 1460> (DF)
Feb 06 16:28:19.875206 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 60: 
194.79.52.192.80 > x.y.z..161.60664: R 1:1(0) ack 1 win 8192
Feb 06 16:28:20.378749 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 62: 
x.y.z..161.62587 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss 
1460,nop,nop,sackOK> (DF)
Feb 06 16:28:20.387660 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 62: 
194.79.52.192.80 > x.y.z..161.62587: S 1595602:1595602(0) ack 3890632949 win 
8192 <mss 1460> (DF)
Feb 06 16:28:20.572974 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 60: 
194.79.52.192.80 > x.y.z..161.60396: R 441917462:441917462(0) ack 1 win 8192


Wireshark dump from the client
-----------------------------------------
Mar 04 12:36:48.001832 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52311 > 194.79.52.192.80: S 805607111:805607111(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK>
Mar 04 12:36:48.012291 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52311: S 2681860080:2681860080(0) ack 805607112 
win 8192 <mss 1460>
Mar 04 12:36:48.302074 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52312 > 194.79.52.192.80: S 2662809993:2662809993(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackO
Mar 04 12:36:48.384225 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52312: S 726088342:726088342(0) ack 2662809994 
win 8192 <mss 1460>
Mar 04 12:36:51.021972 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52311 > 194.79.52.192.80: S 805607111:805607111(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK>
Mar 04 12:36:51.024164 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52311: S 2681860080:2681860080(0) ack 805607112 
win 8192 <mss 1460>
Mar 04 12:36:51.321998 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52312 > 194.79.52.192.80: S 2662809993:2662809993(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackO
Mar 04 12:36:51.397203 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52312: S 726088342:726088342(0) ack 2662809994 
win 8192 <mss 1460>
Mar 04 12:36:53.535655 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 54: 
194.79.52.192.80 > 10.10.12.100.52312: R 1:1(0) ack 1 win 8192
Mar 04 12:36:54.122153 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 62: 
10.10.12.100.52312 > 194.79.52.192.80: S 2662809993:2662809993(0) win 8192 <mss 
1460,nop,nop,sackOK> (DF)
Mar 04 12:36:54.134889 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52312: S 2603115050:2603115050(0) ack 
2662809994 win 8192 <mss 1460>
Mar 04 12:36:57.022320 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 62: 
10.10.12.100.52311 > 194.79.52.192.80: S 805607111:805607111(0) win 8192 <mss 
1460,nop,nop,sackOK> (DF)
Mar 04 12:36:57.134681 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52312: S 2603115050:2603115050(0) ack 
2662809994 win 8192 <mss 1460>
Mar 04 12:36:59.903044 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 54: 
194.79.52.192.80 > 10.10.12.100.52312: R 1:1(0) ack 1 win 8192
Mar 04 12:36:59.956381 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52313 > 194.79.52.192.80: S 914441433:914441433(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK>
Mar 04 12:36:59.976831 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52313: S 3228072609:3228072609(0) ack 914441434 
win 8192 <mss 1460>
Mar 04 12:37:02.969049 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52313: S 3228072609:3228072609(0) ack 914441434 
win 8192 <mss 1460>
Mar 04 12:37:03.027663 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52313 > 194.79.52.192.80: S 914441433:914441433(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK>
Mar 04 12:37:09.024026 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 62: 
10.10.12.100.52313 > 194.79.52.192.80: S 914441433:914441433(0) win 8192 <mss 
1460,nop,nop,sackOK> (DF)
Mar 04 12:37:09.076373 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52314 > 194.79.52.192.80: S 253283315:253283315(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK>
Mar 04 12:37:09.109720 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52314: S 3946882841:3946882841(0) ack 253283316 
win 8192 <mss 1460>
Mar 04 12:37:12.093843 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52314: S 3946882841:3946882841(0) ack 253283316 
win 8192 <mss 1460>
Mar 04 12:37:12.120178 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52314 > 194.79.52.192.80: S 253283315:253283315(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackOK>
Mar 04 12:37:18.127537 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 62: 
10.10.12.100.52314 > 194.79.52.192.80: S 253283315:253283315(0) win 8192 <mss 
1460,nop,nop,sackOK> (DF)
Mar 04 12:37:30.131651 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52316 > 194.79.52.192.80: S 3462793978:3462793978(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackO
Mar 04 12:37:30.143911 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52316: S 2881397290:2881397290(0) ack 
3462793979 win 8192 <mss 1460>
Mar 04 12:37:33.138401 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 
10.10.12.100.52316 > 194.79.52.192.80: S 3462793978:3462793978(0) win 8192 <mss 
1460,nop,wscale 8,nop,nop,sackO
Mar 04 12:37:33.144696 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 
194.79.52.192.80 > 10.10.12.100.52316: S 2881397290:2881397290(0) ack 
3462793979 win 8192 <mss 1460>
Mar 04 12:37:39.132726 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 62: 
10.10.12.100.52316 > 194.79.52.192.80: S 3462793978:3462793978(0) win 8192 <mss 
1460,nop,nop,sackOK> (DF)

Martin P.
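Since the post shows captures on both sides of the NAT and the question is where the handshake breaks, here is an added example (not from the original post) that parses tcpdump lines in the format above, ties each LAN-side flow to its translated twin on the internet side by the client's ISN (NAT rewrites addresses and ports but not sequence numbers), and lists the handshakes where the SYN-ACK reached the capture point but the client never answered it. The sample captures embedded in it are constructed from the post's traces; the completing ACK on the ihned.cz flow and the folded line are made up for the demo, and the fields it reports are observations to compare between working and failing flows, not a diagnosis.

```python
"""Correlate tcpdump(8) handshakes on both sides of a pf NAT gateway and flag
the ones that stall after the SYN-ACK, as in the idnes.cz traces."""
import re

# A record starts with a timestamp; continuation lines produced by a mail
# client folding long lines are joined back onto the record before parsing.
TS_RE = re.compile(r"^[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d")
# tcpdump -e style: timestamp, src MAC, dst MAC, ethertype 0800, frame length,
# endpoints, TCP flags, optional seq range, optional ack.  Options are ignored.
LINE_RE = re.compile(
    r"^\w{3} \d\d [\d:.]+ \S+ \S+ 0800 (?P<len>\d+): "
    r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPRF.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)

# Constructed sample captures modelled on the post: one working handshake to
# ihned.cz and one stalled handshake to idnes.cz.  The third-handshake ACK on
# the ihned.cz flow and the folded SYN line are made up for the demo.
VLAN2_CAPTURE = """\
Feb 06 16:16:23.023894 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 10.10.12.100.24913 > 81.95.101.8.80: S 1686897114:1686897114(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:16:23.038120 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 66: 81.95.101.8.80 > 10.10.12.100.24913: S 1565502224:1565502224(0) ack 1686897115 win 14600 <mss 1380,nop,nop,sackOK,nop,wscale 4> (DF)
Feb 06 16:16:23.038601 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 56: 10.10.12.100.24913 > 81.95.101.8.80: . ack 1 win 258 (DF)
Feb 06 16:28:14.386118 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 10.10.12.100.25276 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss
1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:14.394991 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 58: 194.79.52.192.80 > 10.10.12.100.25276: S 1826910465:1826910465(0) ack 3890632949 win 8192 <mss 1460> (DF)
Feb 06 16:28:17.378658 00:22:fb:3d:2f:38 00:50:56:a4:00:05 0800 66: 10.10.12.100.25276 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:19.875257 00:50:56:a4:00:05 00:22:fb:3d:2f:38 0800 54: 194.79.52.192.80 > 10.10.12.100.25276: R 1:1(0) ack 1 win 8192
"""
INET_CAPTURE = """\
Feb 06 16:16:23.023963 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 66: x.y.z.161.50198 > 81.95.101.8.80: S 1686897114:1686897114(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:16:23.031335 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 66: 81.95.101.8.80 > x.y.z.161.50198: S 1565502224:1565502224(0) ack 1686897115 win 14600 <mss 1380,nop,nop,sackOK,nop,wscale 4> (DF)
Feb 06 16:16:23.038650 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 54: x.y.z.161.50198 > 81.95.101.8.80: . ack 1 win 258 (DF)
Feb 06 16:28:14.386170 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 66: x.y.z.161.60664 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:14.394965 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 62: 194.79.52.192.80 > x.y.z.161.60664: S 1826910465:1826910465(0) ack 3890632949 win 8192 <mss 1460> (DF)
Feb 06 16:28:17.378699 00:50:56:a4:00:08 00:15:62:2e:8c:38 0800 66: x.y.z.161.60664 > 194.79.52.192.80: S 3890632948:3890632948(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> (DF)
Feb 06 16:28:19.875206 00:15:62:2e:8c:38 00:50:56:a4:00:08 0800 60: 194.79.52.192.80 > x.y.z.161.60664: R 1:1(0) ack 1 win 8192
"""


def parse_records(text):
    """Unfold wrapped lines, then parse every TCP record into a dict of fields."""
    records, buf = [], None
    for raw in text.splitlines():
        if TS_RE.match(raw):
            if buf is not None:
                records.append(buf)
            buf = raw.rstrip()
        elif buf is not None and raw.strip():
            buf += " " + raw.strip()  # continuation of a folded line
    if buf is not None:
        records.append(buf)
    return [m.groupdict() for m in map(LINE_RE.match, records) if m]


def analyze(records):
    """Group packets into flows keyed by (client, cport, server, sport) and count
    the handshake stages seen: SYNs, SYN-ACKs, the client's completing ACK, RSTs."""
    flows = {}
    for r in records:
        fwd = (r["src"], r["sport"], r["dst"], r["dport"])  # client -> server
        rev = (r["dst"], r["dport"], r["src"], r["sport"])  # server -> client
        if "S" in r["flags"] and r["ack"] is None:          # client SYN
            f = flows.setdefault(fwd, {"isn": int(r["seq"]), "syn": 0, "synack": 0,
                                       "synack_len": None, "ack": 0, "rst": 0})
            f["syn"] += 1
        elif "S" in r["flags"] and rev in flows:            # server SYN-ACK
            flows[rev]["synack"] += 1
            flows[rev]["synack_len"] = int(r["len"])
        elif "R" in r["flags"] and rev in flows:            # server RST
            flows[rev]["rst"] += 1
        elif r["ack"] is not None and fwd in flows and "R" not in r["flags"]:
            flows[fwd]["ack"] += 1                          # client ACK or data
    return flows


def stalled_handshakes(flows):
    """Flows whose SYN-ACK was captured here but never answered by the client."""
    return {k: f for k, f in flows.items() if f["synack"] and not f["ack"]}


def correlate_by_isn(inside, outside):
    """The client's ISN survives NAT unchanged, so it links a LAN-side flow to
    its translated twin on the internet side even though the source port differs."""
    by_isn = {f["isn"]: k for k, f in outside.items()}
    return {k: by_isn.get(f["isn"]) for k, f in inside.items()}


def report(inside_text, outside_text):
    """One summary dict per stalled handshake seen on the LAN-side capture."""
    inside = analyze(parse_records(inside_text))
    outside = analyze(parse_records(outside_text))
    twin_of = correlate_by_isn(inside, outside)
    out = []
    for key, f in stalled_handshakes(inside).items():
        twin = twin_of.get(key)
        out.append({
            "client": "%s:%s" % key[:2],
            "server": "%s:%s" % key[2:],
            "translated": "%s:%s" % twin[:2] if twin else None,
            "syn_retries": f["syn"] - 1,
            "synack_frame_len": f["synack_len"],
            # Below the 60-byte untagged Ethernet minimum (FCS excluded): the
            # sender must pad such frames, so note it when comparing flows.
            "runt_synack": f["synack_len"] is not None and f["synack_len"] < 60,
            "reset_by_server": bool(f["rst"]),
        })
    return out


if __name__ == "__main__":
    for row in report(VLAN2_CAPTURE, INET_CAPTURE):
        print(row)
```

Run it directly to print the stalled flows; to use it on a real case, replace the two constants with the `tcpdump -e` output from the LAN-side and internet-side interfaces captured over the same interval.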
