Re: brindging ath0 with re0 working, kinda, almost

2008-04-25 Thread Ivan Voras
Reinhold wrote:

> Any help would be appreciated.

I don't have any more suggestions, except the obvious: is there a
firewall somewhere in there, and are the routing tables ok?






Re: brindging ath0 with re0 working, kinda, almost

2008-04-25 Thread Reinhold
On Fri, April 25, 2008 12:30, Ivan Voras wrote:
> Reinhold wrote:
>
>> Any help would be appreciated.
>
> I don't have any more suggestions, except the obvious: is there a
> firewall somewhere in there, and are the routing tables ok?



Yeah, I have pf running; it needs to be on because it's doing the load
balancing on the two WAN connections.

Here is the netstat output for the routing table:

Internet:
Destination        Gateway            Flags   Refs     Use  Netif Expire
default            121.212.313.414    UGS        0  162114    ng1
127.0.0.1          127.0.0.1          UH         0     635    lo0
192.168.1.0/24     link#12            UC         0       0 bridge
192.168.1.1        d6.f4.fc.7c.95.38  UHLW       1       2    lo0
192.168.1.5        0.11.9.3b.f7.f0    UHLW      163563     bridge    848
[snip: loads of local ips]
192.168.1.199      0.f.ea.66.8.7d     UHLW      115958     bridge    869
112.221.331.441    111.222.333.444    UH         0       0    ng0
121.212.313.414    22.333.444.555     UH         1       0    ng1


Cheers
Reinhold

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: brindging ath0 with re0 working, kinda, almost

2008-04-25 Thread Reinhold
On Fri, April 25, 2008 14:57, Reinhold wrote:
> On Fri, April 25, 2008 12:30, Ivan Voras wrote:
>
>> I don't have any more suggestions, except the obvious: is there a
>> firewall somewhere in there, and are the routing tables ok?
>
> yeah I have pf running, it needs to be on because its doing the load
> balancing on the two wan connections.
>
> Here is the netstat output for the routing table
>
> Internet:
> Destination        Gateway            Flags   Refs     Use  Netif Expire
> default            121.212.313.414    UGS        0  162114    ng1
> 127.0.0.1          127.0.0.1          UH         0     635    lo0
> 192.168.1.0/24     link#12            UC         0       0 bridge
> 192.168.1.1        d6.f4.fc.7c.95.38  UHLW       1       2    lo0
> 192.168.1.5        0.11.9.3b.f7.f0    UHLW      163563     bridge    848
> [snip: loads of local ips]
> 192.168.1.199      0.f.ea.66.8.7d     UHLW      115958     bridge    869
> 112.221.331.441    111.222.333.444    UH         0       0    ng0
> 121.212.313.414    22.333.444.555     UH         1       0    ng1


So I disabled pf, and then it started working, but the internet stopped
working, hehe. This is not fair at all.

Here is the load-balancing part of pf:
# pass on unfiltered interfaces
#
pass quick on $unfiltered

#  default deny
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block log
block return-rst  log inet proto tcp
block return-icmp log inet proto udp

# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if1 inet from any to 255.255.255.255
block in quick on $ext_if2 inet from any to 255.255.255.255

# bruteforce
#
block quick from <bruteforce> to any

# block some known-bad ports without logging
#
block return-rst  in quick on $ext_if1 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if1 proto udp from any to any port { 137, 138, 139, 1434 }
block return-rst  in quick on $ext_if2 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if2 proto udp from any to any port { 137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if1 inet from $unroutable to any
block in log quick on $ext_if2 inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if1 inet from !(ng0) to any
block out log quick on $ext_if2 inet from !(ng1) to any

# OUTGOING ROUTING
#
# HTTPS OVER WAN1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 443 keep state

# SSH OVER WAN1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 4424 keep state
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to any port = 22 keep state

# BLA OVER WAN1 for user1
pass in quick on $int_if route-to { ( $ext_if1 $ext_gw1 ) } proto tcp from $lan_net to some-ip-address keep state

#
# LOAD BALANCING
#
#  pass all outgoing packets on internal interface
pass out log on $int_if from any to $lan_net
#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any keep state
#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto { udp, icmp } from $lan_net to any keep state

#  general pass out rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

I need them :S Like I said, if pf is disabled then the internet stops working.

Regards
Reinhold


Re: brindging ath0 with re0 working, kinda, almost

2008-04-25 Thread Ian Smith
On Fri, 25 Apr 2008 19:05:47 +0100 (BST) Reinhold [EMAIL PROTECTED] wrote:

> # block some known-bad ports without logging
> #
> block return-rst  in quick on $ext_if1 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
> block return-icmp in quick on $ext_if1 proto udp from any to any port { 137, 138, 139, 1434 }
> block return-rst  in quick on $ext_if2 proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
> block return-icmp in quick on $ext_if2 proto udp from any to any port { 137, 138, 139, 1434 }

Just an almost-OT aside, and I don't use pf, but port 139 (netbios-ssn) 
is done on TCP, not UDP.  My current same-intent sections for ipfw are: 

# first take out the vast bulk of inbound TCP bogons / scan noise:
crap=135,139,445,1433,2967,2968,4899,5900
crap=${crap},1080,8000,8080,3128
${fwadd} deny log $afew tcp from any to any $crap in via ${ext_if} setup
${fwadd} deny log $lots tcp from any to any in via ${ext_if} setup
[..]
# first cut out most of the heavy duty UDP noise (incl broken insiders)
junk=137,138,1433,1434
junk=${junk},3544 # XP home calls home?  MS ipV6 'Toredo'
${fwadd} deny log $afew udp from any to any $junk via ${ext_if}

Some of the handbook firewall examples are mistaken about port 139 too.

cheers, Ian



Re: brindging ath0 with re0 working, kinda, almost

2008-04-24 Thread Ivan Voras
Reinhold wrote:

> I have a bridge set up on re0 and ath0 to get bridge0, here is my ifconfig
>
> ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 2290
>
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>
> The bridge is working in that both lan and wlan can access the internet
> perfectly well but the problem lies with accessing each other.

Depending on what your symptoms are, maybe you need to set the mtu of
all three interfaces to the same value (1500).






Re: brindging ath0 with re0 working, kinda, almost

2008-04-24 Thread Reinhold
On Thu, April 24, 2008 10:03, Ivan Voras wrote:
> Reinhold wrote:
>
>> I have a bridge set up on re0 and ath0 to get bridge0, here is my
>> ifconfig
>>
>> ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 2290
>>
>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>
>> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>
>> The bridge is working in that both lan and wlan can access the internet
>> perfectly well but the problem lies with accessing each other.
>
> Depending on what your symptoms are, maybe you need to set the mtu of
> all three interfaces to the same value (1500).

Hi
Thanks for the quick reply.

The symptoms are as follows: when connected to the wlan I can ping the
firewall but not one of our servers; the server IP times out.

This is a ping from one of the laptops connected to the wlan
ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

ping 192.168.1.5

Pinging 192.168.1.5 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.5:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

When I plug it in on the LAN it works perfectly with no timeouts.

How come the MTU is so low on ath0, but it's working at full speed? The
wlan signal is stronger than any of our other wireless devices I've ever
used before.

Regards



Re: brindging ath0 with re0 working, kinda, almost

2008-04-24 Thread Reinhold
On Thu, April 24, 2008 11:23, Reinhold wrote:
> On Thu, April 24, 2008 10:03, Ivan Voras wrote:
>
>> Reinhold wrote:
>>
>>> I have a bridge set up on re0 and ath0 to get bridge0, here is my
>>> ifconfig
>>>
>>> ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 2290
>>>
>>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>
>>> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>
>>> The bridge is working in that both lan and wlan can access the
>>> internet perfectly well but the problem lies with accessing each
>>> other.
>>
>> Depending on what your symptoms are, maybe you need to set the mtu of
>> all three interfaces to the same value (1500).
>
> Hi
> Thanks for the quick reply.
>
> The symptoms are as follows
> When connected to the wlan I can ping the firewall but not one of our
> servers, the server ip times out
>
> This is a ping from one of the laptops connected to the wlan
>
> ping 192.168.1.1
>
> Pinging 192.168.1.1 with 32 bytes of data:
>
> Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
> Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
> Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
> Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
>
> Ping statistics for 192.168.1.1:
> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
> Minimum = 0ms, Maximum = 1ms, Average = 0ms
>
> ping 192.168.1.5
>
> Pinging 192.168.1.5 with 32 bytes of data:
>
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for 192.168.1.5:
> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
> When I plug it in on the lan its works perfect with no time outs.
>
> How come is the MTU so low on the ath0, but its working at full speed?
> The wlan signal is stronger then any of our other wireless devices I've ever
> used before
>
> Regards

Hi

I have changed the MTU on ath0 but it had no effect at all. I ran tcpdump
on it and this is what I'm seeing:

# tcpdump -n -e -t -i ath0
00:19:db:04:86:9e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.5 tell 192.168.1.177
00:19:db:04:86:9e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.5 tell 192.168.1.177
00:11:09:3b:f7:f0 > 00:19:db:04:86:9e, ethertype ARP (0x0806), length 60: arp reply 192.168.1.5 is-at 00:11:09:3b:f7:f0
00:19:db:04:86:9e > 00:11:09:3b:f7:f0, ethertype IPv4 (0x0800), length 66: 192.168.1.177.1305 > 192.168.1.5.80: S 3158085845:3158085845(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,sackOK>

Any help would be appreciated.

Regards



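A small diagnostic for the kind of capture Reinhold posted, added here as an example and not part of the thread or any poster's code: it parses old-style `tcpdump -n -e -t` lines, pairs each bare SYN with a SYN-ACK on the reversed 4-tuple, and for every flow that got no answer says whether ARP resolved the peer (so the break is above layer 2, filtering or routing) or not. The sample is the three packets from the post plus a constructed flow to 192.168.1.1:22 (made-up MAC) that does get answered, so both outcomes show.

```python
import re

# Constructed sample in old-style `tcpdump -n -e -t` format: the three packets
# from the post (ARP request, ARP reply, unanswered SYN to 192.168.1.5:80) plus
# a made-up flow to 192.168.1.1:22 (made-up MAC) whose SYN-ACK does come back.
CAPTURE = """\
00:19:db:04:86:9e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.5 tell 192.168.1.177
00:11:09:3b:f7:f0 > 00:19:db:04:86:9e, ethertype ARP (0x0806), length 60: arp reply 192.168.1.5 is-at 00:11:09:3b:f7:f0
00:19:db:04:86:9e > 00:11:09:3b:f7:f0, ethertype IPv4 (0x0800), length 66: 192.168.1.177.1305 > 192.168.1.5.80: S 3158085845:3158085845(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,sackOK>
00:19:db:04:86:9e > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 62: 192.168.1.177.1306 > 192.168.1.1.22: S 10:10(0) win 65535 <mss 1460>
02:00:00:00:00:01 > 00:19:db:04:86:9e, ethertype IPv4 (0x0800), length 62: 192.168.1.1.22 > 192.168.1.177.1306: S 20:20(0) ack 11 win 65535 <mss 1460>
"""

ARP_REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")
# old tcpdump prints "src.port > dst.port: FLAGS rest"; ACK appears as "ack N" in rest
TCP = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ([SFRP.]+) (.*)")


def diagnose(capture):
    """Return (arp, unanswered, answered): IP -> MAC from ARP replies, SYN flows
    that never saw a SYN-ACK, and SYN flows that did (4-tuples as the client sent them)."""
    arp, syns, synacks = {}, [], set()
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            arp[m.group(1)] = m.group(2)
            continue
        m = TCP.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        flow = (src, int(sport), dst, int(dport))
        has_ack = "." in flags or re.search(r"\back \d", rest) is not None
        if "S" in flags and not has_ack:        # bare SYN: a new connection attempt
            syns.append(flow)
        elif "S" in flags and has_ack:          # SYN-ACK: answers the reversed tuple
            synacks.add((dst, int(dport), src, int(sport)))
    return arp, [f for f in syns if f not in synacks], [f for f in syns if f in synacks]


def explain(flow, arp):
    """Say where a one-way flow died: past ARP (above layer 2) or at ARP itself."""
    src, sport, dst, dport = flow
    if dst in arp:
        return (f"{src}:{sport} -> {dst}:{dport}: {dst} answered ARP as {arp[dst]}, so layer 2 "
                "works; the SYN went out and no SYN-ACK came back, look at filtering/routing")
    return f"{src}:{sport} -> {dst}:{dport}: no ARP reply from {dst}, look at layer 2"
```

Run `diagnose(CAPTURE)` and feed each unanswered flow to `explain`; on the posted capture it reports the 192.168.1.177:1305 -> 192.168.1.5:80 flow as a layer-3-or-above break, which matches "disable pf and it starts working".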