Re: Routing with external interface doesn't work after a while

2006-10-18 Thread Erik Norgaard

Martin Turgeon wrote:


I've been reading the mailing list for a while, but it's my first post. I'm
not sure what is causing the problem so I'm posting to multiple lists. I'm
running FreeBSD 6.1 on a Celeron 2.8GHz with 512 MB of RAM. It looks like
after a while (a couple of weeks) the routing isn't working anymore, but
only with the external interface (the one connected to my cable modem from
Videotron in Montreal). The box is acting as the gateway of the network with
PF, OpenVPN 2.0.5-1 and ISC-DHCPd 3.0.3-1 running. The problem also occurred
on FreeBSD 6.0 on another box.


Is your external IP configured with DHCP? I would guess this is because 
your IP on the external interface changes. Your NAT rules will still go 
to the old IP and hence nowhere. If reloading your pf ruleset solves the 
problem, then this is a strong indication.


There is some trick to handle that, IIRC something like this would do:

ext_if="fxp0"          # external interface
lan="192.168.0.0/24"   # internal network; not given in the original, placeholder value
nat on $ext_if from $lan to !$lan -> ($ext_if)

The () means that pf will lookup the ip on that interface, and update 
dynamically when the ip changes.


Well, that's how I remember it, I couldn't find where I've seen it, but 
there is a trick like this.


Cheers, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Routing with external interface doesn't work after a while

2006-10-18 Thread Joe

Erik Norgaard wrote:

There is some trick to handle that, IIRC something like this would do:

ext_if="fxp0"          # external interface
lan="192.168.0.0/24"   # internal network; not given in the original, placeholder value
nat on $ext_if from $lan to !$lan -> ($ext_if)

The () means that pf will lookup the ip on that interface, and update 
dynamically when the ip changes.



That is correct.


RE: Routing with external interface doesn't work after a while

2006-10-18 Thread Martin Turgeon
The NAT rules are already written that way:

nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if)
nat on $wan_if tag WLS_WAN_NAT tagged WLS_WAN -> ($wan_if)
nat on $wan_if tag AP_WAN_NAT tagged AP_WAN -> ($wan_if)
nat on $wan_if tag VPN_WAN_NAT tagged VPN_WAN -> ($wan_if)

Thanks anyway

Martin

-----Original Message-----
From: Erik Norgaard [mailto:[EMAIL PROTECTED] 
Sent: 18 October 2006 10:30
To: Martin Turgeon
Cc: freebsd-pf@freebsd.org; [EMAIL PROTECTED];
freebsd-questions@freebsd.org
Subject: Re: Routing with external interface doesn't work after a while

Martin Turgeon wrote:

 I've been reading the mailing list for a while, but it's my first post. I'm
 not sure what is causing the problem so I'm posting to multiple lists. I'm
 running FreeBSD 6.1 on a Celeron 2.8GHz with 512 MB of RAM. It looks like
 after a while (a couple of weeks) the routing isn't working anymore, but
 only with the external interface (the one connected to my cable modem from
 Videotron in Montreal). The box is acting as the gateway of the network with
 PF, OpenVPN 2.0.5-1 and ISC-DHCPd 3.0.3-1 running. The problem also occurred
 on FreeBSD 6.0 on another box.

Is your external ip configured with dhcp? I would guess this is because 
your ip on the external interface changes. Your NAT rules will still go 
to the old ip and hence nowhere. If reloading your pf ruleset solves the 
problem, then this is a strong indication.

There is some trick to handle that, IIRC something like this would do:

ext_if="fxp0"          # external interface
lan="192.168.0.0/24"   # internal network; not given in the original, placeholder value
nat on $ext_if from $lan to !$lan -> ($ext_if)

The () means that pf will lookup the ip on that interface, and update 
dynamically when the ip changes.

Well, that's how I remember it, I couldn't find where I've seen it, but 
there is a trick like this.

Cheers, Erik


Re: Routing with external interface doesn't work after a while

2006-10-18 Thread Erik Norgaard

Martin Turgeon wrote:


I've been reading the mailing list for a while, but it's my first post. I'm
not sure what is causing the problem so I'm posting to multiple lists. I'm
running FreeBSD 6.1 on a Celeron 2.8GHz with 512 MB of RAM. It looks like
after a while (a couple of weeks) the routing isn't working anymore, but
only with the external interface (the one connected to my cable modem from
Videotron in Montreal). The box is acting as the gateway of the network with
PF, OpenVPN 2.0.5-1 and ISC-DHCPd 3.0.3-1 running. The problem also occurred
on FreeBSD 6.0 on another box.


OK, this can take a long time to solve if the problem reoccurs after 
some weeks - can you reproduce at a faster rate?



The routing table looks ok.

The external interface is still receiving ARP requests but nothing is going
out from my internal network.


OK, so your internal network can't get out. But can you get out from the 
gateway? I mean, try logging in to the gateway and pinging the default gateway. 
Do you get replies? Do you see packets going out when sniffing?



Here's what I tried with no result:

I tried to flush the states with pfctl -Fs
I tried to reload the NAT with pfctl -N

The solution was to renew the address of the external interface with
dhclient fxp0.

I looked back at the routing table after the dhclient fxp0 and nothing
changed except the address of the default gateway, because my IP address
changed subnet.


While the gateway is working take dump output of ifconfig and route get 
default into a file. When it stops working do it again. Repeat after 
you have restored the connection.


Did anything change between when it worked and when it stopped working?

Cheers, Erik
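Erik's suggestion above, dumping ifconfig and route get default while the gateway works and again when it breaks, written up as a small script. This is an added example and not part of the thread: it assumes a FreeBSD 6.x userland (ifconfig(8), route(8), pfctl(8)), uses the fxp0 name from Martin's message, and the snapshot directory is an arbitrary choice. key_fields reduces each dump to the interface address and the default gateway so the comparison shows what actually changed rather than packet counters.

```shell
#!/bin/sh
# Added example, not part of the original thread. Snapshot the gateway's
# external-interface state while it works, again when it breaks, and again
# after dhclient restores it, then compare the fields that matter.
# Assumptions: FreeBSD 6.x userland; EXT_IF "fxp0" is from the thread;
# SNAPDIR is an arbitrary location.
EXT_IF="${EXT_IF:-fxp0}"
SNAPDIR="${SNAPDIR:-/var/tmp/gw-snapshots}"

# Write one snapshot, labelled by $1 (e.g. working, broken, renewed).
# "pfctl -s nat" is included because it shows which address the loaded
# NAT rules are actually translating to.
take_snapshot() {
    mkdir -p "$SNAPDIR"
    out="$SNAPDIR/$1.txt"
    {
        echo "== ifconfig $EXT_IF =="
        ifconfig "$EXT_IF"
        echo "== route -n get default =="
        route -n get default
        echo "== pfctl -s nat =="
        pfctl -s nat
    } > "$out" 2>&1
    echo "$out"
}

# Reduce a snapshot to the interface address/netmask and the default
# gateway, so a comparison is not drowned in counters and timestamps.
# ifconfig prints "inet A netmask M ..."; route get prints "gateway: G".
key_fields() {
    awk '/^[[:space:]]*inet / { print "addr", $2, "mask", $4 }
         /gateway:/           { print "gw", $2 }' "$1"
}

# Compare two snapshots. Returns 0 if address and gateway are unchanged,
# 1 if they differ (and prints both views so the change is visible).
snapshot_diff() {
    a=$(key_fields "$1")
    b=$(key_fields "$2")
    if [ "$a" = "$b" ]; then
        echo "no change in address/gateway"
        return 0
    fi
    printf '%s\n' "--- $1" "$a" "--- $2" "$b"
    return 1
}
```

Typical use on the gateway is `take_snapshot working` now, `take_snapshot broken` when the LAN loses connectivity, `take_snapshot renewed` after `dhclient fxp0`, then `snapshot_diff` between the files. If the address or gateway differs between working and broken while pf's NAT rules still show the old address, the ruleset is not following the interface.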


Re: Routing with external interface doesn't work after a while

2006-10-18 Thread Erik Norgaard

Martin Turgeon wrote:

The NAT rules are already written that way:

nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if)
nat on $wan_if tag WLS_WAN_NAT tagged WLS_WAN -> ($wan_if)
nat on $wan_if tag AP_WAN_NAT tagged AP_WAN -> ($wan_if)
nat on $wan_if tag VPN_WAN_NAT tagged VPN_WAN -> ($wan_if)


How are your tags created? If somewhere in the nat/tag/filtering process 
you've missed the dynamic update of the external IP it may fail there...


Cheers, Erik


RE: Routing with external interface doesn't work after a while

2006-10-18 Thread Martin Turgeon
You're right on this, the filtering rules aren't written with the brackets.
But isn't pf routing the packets to an interface instead of an IP address?

Thanks a lot

Martin

-----Original Message-----
From: Erik Norgaard [mailto:[EMAIL PROTECTED] 
Sent: 18 October 2006 12:41
To: Martin Turgeon
Cc: freebsd-pf@freebsd.org; [EMAIL PROTECTED];
freebsd-questions@freebsd.org
Subject: Re: Routing with external interface doesn't work after a while

Martin Turgeon wrote:
 The NAT rules are already written that way:
 
 nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if)
 nat on $wan_if tag WLS_WAN_NAT tagged WLS_WAN -> ($wan_if)
 nat on $wan_if tag AP_WAN_NAT tagged AP_WAN -> ($wan_if)
 nat on $wan_if tag VPN_WAN_NAT tagged VPN_WAN -> ($wan_if)

How are your tags created? If somewhere in the nat/tag/filtering process 
you've missed the dynamic update of the external IP it may fail there...

Cheers, Erik


Re: Routing with external interface doesn't work after a while

2006-10-18 Thread Erik Norgaard

Martin Turgeon wrote:


You're right on this, the filtering rules aren't written with the brackets.
But isn't pf routing the packets to an interface instead of an IP address?


I can't tell you if this affects your setup since I haven't seen the 
ruleset.


You're going to tag, then nat and then filter the packets. If at any of 
these steps you apply non-dynamic rules, that is you use $ext_if instead 
of ($ext_if) for the IP address on the external interface, then you're 
likely to have things behave unexpectedly.


Things suddenly stop working after weeks without problems, just sounds 
very much like your firewall setup doesn't follow changes of the 
interface configuration. Without knowing the details of your setup, I 
can't tell you much more.


What also confuses me is that you have tags in your nat rules - you 
might add a tag for later use in filtering, but you also check if a tag 
exists, and I don't know how or where this is set.


Cheers, Erik
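The tag, then nat, then filter layout Erik describes, written out as a ruleset, followed by a check for the mistake he names (using $ext_if as an address where ($ext_if) was meant). This is an added example, not Martin's ruleset and not code from the thread: the interface names, the LAN prefix and the tag name are assumptions, the OpenVPN port is the one service the thread mentions, and one rule is left deliberately static so the lint has something to report.

```shell
#!/bin/sh
# Added example, not from the original thread or from Martin's ruleset.
# write_sample_conf writes a pf.conf in the tag -> nat -> filter shape;
# lint_static_ext then greps it for rules that use the external
# interface's address statically ($ext_if) instead of dynamically
# (($ext_if)). Interface names, LAN prefix and tag name are assumptions.

write_sample_conf() {
    cat > "$1" <<'EOF'
ext_if = "fxp0"            # external interface, address assigned by DHCP
int_if = "fxp1"            # LAN interface (assumed name)
lan    = "192.168.1.0/24"  # LAN prefix (assumed)

# Translation rules must precede filter rules in pf.conf.
# "tagged LAN_WAN" picks up packets tagged on the way in; "-> ($ext_if)"
# is re-read from the interface on every evaluation, so a new DHCP lease
# is honoured without reloading the ruleset.
nat on $ext_if tagged LAN_WAN -> ($ext_if)

block in all

# Tag LAN traffic bound for the Internet as it enters the gateway.
pass in on $int_if from $lan to !$lan keep state tag LAN_WAN

# Outbound on the external interface, dynamic source address.
pass out on $ext_if from ($ext_if) to any keep state

# WRONG: $ext_if here expands to the address at load time only; after a
# DHCP renewal to a different address this rule matches nothing.
pass in on $ext_if proto udp from any to $ext_if port 1194 keep state
# RIGHT: ($ext_if) follows the interface's current address.
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state
EOF
}

# Print (with line numbers) every rule in $1 that names the interface
# macro $2 as an address without the dynamic parentheses. Exit status is
# 0 if offenders were found, 1 if the ruleset is clean.
lint_static_ext() {
    conf="$1"; macro="$2"
    # "on $ext_if" is an interface, not an address, so only look after
    # from / to / -> (an optional ! negation may sit in between).
    grep -nE "(from|to|->)[[:space:]]+!?\\\$${macro}([^[:alnum:]_]|\$)" "$conf" \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}
```

On the gateway itself, `pfctl -nf /path/to/pf.conf` checks the syntax before loading. The lint only looks at the from/to/-> address positions, so it is a quick first pass over a large ruleset, not a substitute for reading it; any rule it prints is one that will keep the lease-time address after the next DHCP renewal.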