Re: nat trouble accessing web

2007-06-27 Thread Lawrence Horvath

I resolved this, at least for now, by setting no-df on my scrub; I'm
still investigating the MTU.


On 26/06/07, Daniel Melameth [EMAIL PROTECTED] wrote:

> Sounds like a possible MTU issue...  Liberal use of tcpdump should
> help in diagnosing the problem.

> On 6/25/07, Lawrence Horvath [EMAIL PROTECTED] wrote:
> > [...]





--
-Lawrence
-Student ID 1028219
-CCNA



Re: nat trouble accessing web

2007-06-27 Thread Stuart Henderson
On 2007/06/26 23:40, Lawrence Horvath wrote:
> I resolved this, at least for now, by setting no-df on my scrub; I'm
> still investigating the MTU.

google: mtu eyechart
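Lawrence's no-df workaround and Stuart's eyechart pointer both turn on one number: the largest packet that crosses the path with the DF bit set. The script below is an added example, not from the thread or from anyone in it, that measures that number by binary search over DF-set pings and derives the GRE and MSS figures you would then put into pf. It assumes OpenBSD ping(8) flags (-D sets DF, -s the payload size, -w the seconds to wait) and the Ethernet ceiling of 1500 bytes; the host name in the usage comment is a placeholder.

```shell
# Added example (not from the original thread): find a PMTU black hole by
# probing with DF-set pings and binary-searching the largest size that still
# gets a reply. Assumes OpenBSD ping(8): -D sets DF, -s is the payload size,
# -w is the seconds to wait. On Linux use: ping -c 1 -W 2 -M do -s "$2" "$1"

IP_ICMP_HDR=28   # 20-byte IPv4 header + 8-byte ICMP echo header
IP_GRE_HDR=24    # 20-byte outer IPv4 header + 4-byte GRE header (no key/seq)
IP_TCP_HDR=40    # 20-byte IPv4 header + 20-byte TCP header

# Default probe: succeed if an IP packet of ($2 + 28) bytes reaches $1 with DF set.
probe_ping() {
    ping -c 1 -w 2 -D -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [PROBE] [LOW] [HIGH]
# Prints the largest IP packet size, in bytes, that reached HOST without
# fragmentation. PROBE is any command taking HOST and PAYLOAD, so the search
# can be driven by something other than a live ping.
find_pmtu() {
    host=$1
    probe=${2:-probe_ping}
    lo=${3:-576}     # RFC 791 minimum every IPv4 host must accept
    hi=${4:-1500}    # Ethernet MTU; nothing larger leaves the laptop anyway
    best=0
    # sizes below lo are assumed to pass, sizes above hi are known to fail
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$(( mid - IP_ICMP_HDR ))"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# MTU left for the inner packet once GRE over IPv4 adds its headers.
gre_inner_mtu() {
    echo $(( $1 - IP_GRE_HDR ))
}

# Largest TCP MSS that fits the given MTU without fragmentation; this is the
# value for a "scrub ... max-mss" rule on the tunnel interface.
tcp_mss_for_mtu() {
    echo $(( $1 - IP_TCP_HDR ))
}

# Verdict: a measured PMTU below what the link should carry means large DF
# packets are being dropped without a usable ICMP need-frag coming back,
# which is the black hole that clearing DF papers over.
pmtu_verdict() {
    measured=$1
    expected=$2
    if [ "$measured" -ge "$expected" ]; then
        echo "ok: path carries $expected-byte packets with DF set"
    else
        echo "blackhole: largest DF packet delivered is $measured, expected $expected"
    fi
}

# Usage (needs the network; the placeholder host is an assumption):
#   pmtu=$(find_pmtu msn.com)
#   pmtu_verdict "$pmtu" "$(gre_inner_mtu 1500)"
#   echo "max-mss for the tunnel: $(tcp_mss_for_mtu "$pmtu")"
```

Probing from the laptop measures the outbound direction only. The failure in the thread is the reverse one: a server's 1500-byte DF packets arriving on tl0 cannot fit into gre0 (1476 bytes of inner MTU if the tunnel rides a 1500-byte path), so the OpenBSD kernel can neither fragment them nor deliver them and must answer with ICMP type 3 code 4; a site that filters that ICMP never learns to send smaller packets. `scrub in all no-df random-id` sidesteps this by clearing DF so the packets are fragmented (random-id matters because packets sent with DF often carry an IP ID of 0, which becomes ambiguous once they are fragmented). Clamping with `scrub on gre0 max-mss 1436` (1476 minus the 40 bytes of IP and TCP headers) avoids the problem for TCP in both directions without fragmenting anything. Running `tcpdump -n -i tl0 'icmp[0] == 3 and icmp[1] == 4'` while loading one of the failing sites shows whether the need-frag messages are being generated at all.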



Re: nat trouble accessing web

2007-06-27 Thread Jorge Valbuena
Hello Daniel,

I have the following configuration:

LAN---[ProxyOpenBSD]---[FirewallOpenBSD]---(internet)

Your configuration is similar to mine. On the proxy machine I do not use NAT (I
don't need it); the proxy machine is my default gateway. On the firewall I have a
rule that allows all the traffic that comes from the proxy to pass.

Just to give you a clue, I will post the pf.conf from my firewall.

I guess you have to set up your Cisco to pass just the traffic you want,
and tell the BSD to pass what comes from the Cisco to any destination.

My proxy is just a router, with a few rules that block sources and destinations.


I hope this can help ...

# Macros

ext_if=xl0
dmz_if=fxp0
int_if=fxp0
ext_ip=x.x.x.x
# External name servers
NsV={ 200.75.51.132, 200.75.51.133, 200.21.200.2 }
Lan=192.168.0.0/24
# SSH from LAN
SshC=192.168.0.3
# dmz
SdOd=192.168.10.252
Proxy=10.4.1.3


# Options

set block-policy drop
# Don't filter on the loopback interface
set skip on lo



scrub in all
scrub out on $ext_if all random-id

nat on $ext_if from !($ext_if) -> $ext_ip

block in on { rl0, fxp0, xl0 } all
block out on { rl0, fxp0, xl0 } all
pass out keep state

#pass quick on $int_if
antispoof quick for { lo $int_if $dmz_if }


# HTTP, HTTPS
pass in on $int_if proto tcp from $Proxy to any port { 80, 8880, 443, 1863 } keep state
pass out on $ext_if proto tcp from $Proxy to any port { 80, 8880, 443, 1863 } keep state

# dns ($Unxs is not defined in the macros above; pfctl rejects the file until it is)
pass in on $int_if proto udp from $Unxs to $NsV port 53 keep state
pass out on $ext_if proto udp from $Unxs to $NsV port 53 keep state

 Original Message 
Date: Tue, 26 Jun 2007 21:30:52 -0600
From: Daniel Melameth [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: nat trouble accessing web

> Sounds like a possible MTU issue...  Liberal use of tcpdump should
> help in diagnosing the problem.
>
> On 6/25/07, Lawrence Horvath [EMAIL PROTECTED] wrote:
> > [...]




Re: nat trouble accessing web

2007-06-26 Thread Daniel Melameth

Sounds like a possible MTU issue...  Liberal use of tcpdump should
help in diagnosing the problem.

On 6/25/07, Lawrence Horvath [EMAIL PROTECTED] wrote:
> [...]




nat trouble accessing web

2007-06-25 Thread Lawrence Horvath

I'm having some trouble accessing certain sites from my laptop going
through an obsd router doing NAT.

I have 2 tested configurations:

Laptop---Cisco1721[doing nat]---internet---msn.com
and
Laptop---Cisco1721--(gre0)Openbsd[doing nat]---internet---msn.com

In the first setup, I have a local network behind a Cisco 1721; the
Cisco does NAT, and all works well.

In the second setup, I have an internal network that spans via GRE
from the Cisco to an OpenBSD router in colo, which does the NAT. This
is not working for me at all: when I try to go to msn.com, my browser
just sits there. I have tried this from 1 other computer as well.


OpenBSD 4.0 GENERIC.MP#936 i386

# cat /etc/pf.conf.test
# Macros
# Tables
# Options
# Traffic Normalization (scrub)
# Queueing
# Translation (nat-binat-rdr)
# Packet Filtering

ext_if=tl0
tun_if=gre0        # defined but not referenced by any rule below

int_ip={ 10/8 192.168/16 }
natpool_ip=208.179.68.11
local_ip={ 10/8 192.168/16 208.179.68.8/29 208.179.25/24 }

set optimization high-latency
# no scrub rule is present in this version of the file
no nat on $ext_if from $local_ip to $local_ip
nat on $ext_if from $int_ip to any -> $natpool_ip


pass in all
pass out all





I'm using ospfd to route over the GRE.

With either situation, I can get good name resolution, and I can
telnet to the msn server on 0 and issue a GET request successfully. I
can get to almost any other website in either config (google, yahoo,
etc.); there are only a few I can't get to.

If there is any other info requested, I'm happy to provide it.
Thank you,
lawrence