
3.0 Not routing



All,

Usually I don't bug the list with more than one problem at a time. But this one had me up most of the night and I am still stuck.

I set my machine up as a vpn/firewall running isakmpd/ipsecadm/pfctl between about 5 sites; all of the machines are <= 2.9 except for mine and the one I recently upgraded. At my site I usually route normal net traffic through my Linux box (192.168.25.2) and my esp traffic through the BSD box (192.168.35.9). Everything works fine this way. My boss, on the other hand, routes all his traffic through his BSD box. I am getting ready to upgrade the entire system but need to solve this problem first.

From the outside or inside interface on the box I can ping yahoo, but trying to ping the inside machine from the outside address fails. From the inside machines I can't ping anything on the outside. The exception to this is the VPN: I can reach all the machines on one private network from another. On my network other ports work (http, ftp, etc.) from the inside. On his nothing does.

conspire# ping -I 192.168.35.9 www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.225): 56 data bytes
64 bytes from 64.58.76.225: icmp_seq=0 ttl=235 time=101.533 ms
64 bytes from 64.58.76.225: icmp_seq=1 ttl=235 time=111.335 ms

conspire# ping -I 24.27.15.77 www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.224): 56 data bytes
64 bytes from 64.58.76.224: icmp_seq=0 ttl=235 time=102.152 ms
64 bytes from 64.58.76.224: icmp_seq=1 ttl=235 time=100.477 ms
64 bytes from 64.58.76.224: icmp_seq=2 ttl=235 time=107.028 ms

conspire# ping -I 192.168.35.9 192.168.35.4
PING 192.168.35.4 (192.168.35.4): 56 data bytes
64 bytes from 192.168.35.4: icmp_seq=0 ttl=128 time=2.687 ms
64 bytes from 192.168.35.4: icmp_seq=1 ttl=128 time=0.348 ms

But when I ping from the outside interface to the inside network I get:

conspire# ping -I 24.27.15.77 192.168.35.4
PING 192.168.35.4 (192.168.35.4): 56 data bytes
--- 192.168.35.4 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

conspire# cat /etc/sysctl.conf
# $OpenBSD: sysctl.conf,v 1.24 2001/08/07 14:07:47 deraadt Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time. See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0 # 0=disable TCP RFC1323 extensions (for if tcp is slow)
net.inet.esp.enable=1 # 0=Disable the ESP IPsec protocol
net.inet.ah.enable=1 # 0=Disable the AH IPsec protocol
#net.inet.ipcomp.enable=1 # 1=Enable the IPCOMP protocol
#ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
#ddb.console=1 # 1=Permit entry of ddb from the console
#fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=1 # 1=Encrypt pages that go to swap
#vfs.nfs.iothreads=4 # number of nfsio kernel threads
#net.inet.ip.mtudisc=0 # 0=disable tcp mtu discovery
machdep.allowaperture=2 # See xf86(4)
#machdep.apmwarn=10 # battery % when apm status messages enabled
#machdep.apmhalt=0 # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt


Here is the output from netstat -nr:

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            24.27.15.1         UGS         0     3815   1500   xl0
24.27.15/24        link#1             UC          0        0   1500   xl0
24.27.15.1         8:0:3e:15:db:86    UHL         1       14   1500   xl0
24.27.15.77        127.0.0.1          UGHS        0        0  33224   lo0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          3       87  33224   lo0
192.168.35/24      link#2             UC          0        0   1500   fxp0
192.168.35.2       link#2             UHL         0        0   1500   fxp0
192.168.35.4       0:b0:d0:77:a6:15   UHL         2     8197   1500   fxp0
192.168.35.9       127.0.0.1          UGHS        0        0  33224   lo0
224/4              127.0.0.1          URS         0        0  33224   lo0

Here is the output from pfctl -sr:

@0 pass out log on fxp0 all
@1 pass in log on fxp0 all
@2 pass out log on xl0 all
@3 pass in log on xl0 all


Here is the nat.conf listing:

nat on xl0 from 192.168.35.0/24 to any -> xl0


xl0 is the outside and fxp0 is the inside nic.

I am lying down for an hour. I am sure it is something I am missing. I will check my mail when I get up.

Thanks for any assistance
--
Vides Credendo!
Nick Gray
Senior Network Engineer
Bruzenak inc.
nagray_(_at_)_bruzenak_(_dot_)_com
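As an added example (not code from the original post or from the OpenBSD project), the script below parses the netstat -nr table quoted in the message and applies the longest-prefix match the kernel uses to pick a route, so the reader can see which gateway and interface each of the ping destinations in the message leaves by. It models only the routing table; the pf filter rules and the nat.conf entry are not modelled.

```python
import ipaddress

# The netstat -nr table as posted above (Internet section, copied verbatim).
NETSTAT_NR = """\
default            24.27.15.1         UGS         0     3815   1500   xl0
24.27.15/24        link#1             UC          0        0   1500   xl0
24.27.15.1         8:0:3e:15:db:86    UHL         1       14   1500   xl0
24.27.15.77        127.0.0.1          UGHS        0        0  33224   lo0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          3       87  33224   lo0
192.168.35/24      link#2             UC          0        0   1500   fxp0
192.168.35.2       link#2             UHL         0        0   1500   fxp0
192.168.35.4       0:b0:d0:77:a6:15   UHL         2     8197   1500   fxp0
192.168.35.9       127.0.0.1          UGHS        0        0  33224   lo0
224/4              127.0.0.1          URS         0        0  33224   lo0
"""

def parse_destination(dest):
    # BSD netstat drops trailing zero octets from prefixes ("24.27.15/24",
    # "127/8"); a bare address with no prefix length is a host route (/32).
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))

def parse_routes(text):
    # Each row: Destination Gateway Flags Refs Use Mtu Interface
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7:
            routes.append((parse_destination(f[0]), f[1], f[2], f[6]))
    return routes

ROUTES = parse_routes(NETSTAT_NR)

def route_for(ip, routes=ROUTES):
    # Longest-prefix match, which is how the kernel picks the route.
    # Returns (gateway, interface) or None when nothing matches.
    ip = ipaddress.ip_address(ip)
    best = None
    for net, gateway, _flags, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (best[1], best[2])

for dst in ("64.58.76.225", "192.168.35.4", "24.27.15.77"):
    print(dst, "->", route_for(dst))
```

Running it shows the yahoo address going out via the default gateway on xl0, the inside host via its ARP entry on fxp0, and the box's own outside address 24.27.15.77 looping back on lo0, which matches the table's UGHS host route for it.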
