OK. I've set this OBSD 3.6 machine up as a gateway/firewall as per the
instructions in the Networking section of the FAQ, and the PF User's
Guide. I set it up internally and tested it first as a gateway between
192.168.0.0/24 (ext_if) and 192.168.1.0/24 (int_if). It worked fine.
Now I've got the OBSD box connected to the cable modem (ext_if), and to
a Linksys switch (int_if) with some Linux clients on the inside.
I'm getting massive packet loss between the OBSD box and the Internet
(both directions) which is not present when connecting any other clients
(e.g. Debian boxen) directly, or a consumer router (D-Link DI-624).
With the information given below, can anyone suggest a cause of the problem
and a solution?
##############################################
# INFORMATION FROM THE OBSD FIREWALL/GATEWAY #
##############################################
# uname -a
OpenBSD zephyr.earthlink.net 3.6 GENERIC#59 i386
# ping -c100 google.com
...
--- google.com ping statistics ---
100 packets transmitted, 36 packets received, 64.0% packet loss
round-trip min/avg/max/std-dev = 12.053/13.900/16.717/1.104 ms
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:10:5a:26:f9:2a
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::210:5aff:fe26:f92a%xl0 prefixlen 64 scopeid 0x1
inet [MY PUBLIC IP] netmask 0xfffffc00 broadcast 255.255.255.255
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:50:04:08:b5:a2
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::250:4ff:fe08:b5a2%xl1 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
# route show -inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default user-12ld2o1.cable UGS 0 1906 - xl0
user-12ld200.cable link#1 UC 0 0 - xl0
user-12ld201.cable 00:09:12:86:08:54 UHLc 0 0 - xl0
user-12ld2o1.cable 00:09:5b:ec:46:bb UHLc 0 0 - xl0
user-12ld2or.cable localhost UGHS 0 0 33224 lo0
user-12ld2r0.cable link#1 UHLc 0 2 - xl0
loopback localhost UGRS 0 0 33224 lo0
localhost localhost UH 0 55 33224 lo0
192.168.1/24 link#2 UC 0 0 - xl1
zephyr localhost UGHS 0 0 33224 lo0
192.168.1.103 00:50:eb:0b:3e:a6 UHLc 0 10998 - xl1
BASE-ADDRESS.MCAST localhost URS 0 0 33224 lo0
NOTE: The routing information above takes a long time to print out. It
prints one line every 15-20 seconds. :\
# cat /etc/pf.conf
# macros
int_if = "xl1"
ext_if = "xl0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.1.0/24 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021
# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# cat mygate
xx.xx.xx.1
(First 24 bits of my ext_if IP address dot 1)
# dmesg
OpenBSD 3.6 (GENERIC) #59: Fri Sep 17 12:32:57 MDT 2004
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium/MMX ("GenuineIntel" 586-class) 234 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
cpu0: F00F bug workaround installed
real mem = 268017664 (261736K)
avail mem = 237666304 (232096K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(29) BIOS, date 10/20/97, BIOS32 rev. 0 @ 0xfb1b0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xb628
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd8e0/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 0
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc0000/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82439TX System" rev 0x01
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x01
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <Maxtor 90432D3>
wd0: 16-sector PIO, LBA, 4121MB, 8440992 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <SONY, CD-ROM CDU5211, YYS7> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x01 at pci0 dev 7 function 3 not configured
vga1 at pci0 dev 9 function 0 "S3 Trio64V2/DX" rev 0x06
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 10 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 9, address 00:10:5a:26:f9:2a
exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 11 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 11, address 00:50:04:08:b5:a2
exphy1 at xl1 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fd65 netmask ff65 ttymask ffe7
pctr: 586-class performance counters and user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
#
##############################################################
# INFORMATION FROM A CLIENT BEHIND THE OBSD FIREWALL/GATEWAY #
##############################################################
yew:/etc# uname -a
Linux yew 2.6.8-1-386 #1 Thu Nov 11 12:18:43 EST 2004 i686 GNU/Linux
yew:/etc# ping google.com
...
--- google.com ping statistics ---
600 packets transmitted, 200 received, 66% packet loss, time 655634ms
rtt min/avg/max/mdev = 82.999/85.816/95.378/2.490 ms
yew:/etc# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:50:EB:0B:3E:A6
inet addr:192.168.1.103 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:ebff:fe0b:3ea6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22781 errors:0 dropped:0 overruns:0 frame:0
TX packets:29287 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3156774 (3.0 MiB) TX bytes:2592829 (2.4 MiB)
Interrupt:11 Base address:0xcc00
yew:/etc# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.2 0.0.0.0 UG 0 0 0 eth0
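Added diagnostic script for the setup described in the post (this is not code from the post, the FAQ or the PF User's Guide). It gathers, in one pass on the OpenBSD box, the counters that separate a link-level problem on xl0 from drops made by pf: the media/duplex line and netstat -i error and collision counters on the external interface, pfctl's own drop counters and state-table size, the ARP entry for the gateway, the last pflog entries, and the routing table printed with -n (route show resolves every address through reverse DNS unless -n is given, which is consistent with a listing that prints one line every 15-20 seconds). The two parsers can be checked offline: the netstat -i text they are fed is constructed sample data, error counts included, and the ping summary lines are the ones quoted in the post. It assumes the post's interface names (xl0 external, xl1 internal) and the OpenBSD 3.x netstat, ifconfig, pfctl, route, arp and tcpdump tools.

```shell
#!/bin/sh
# Added diagnostic helper for the gateway in the post; not code from the
# post, the PF User's Guide or OpenBSD. Assumes the post's interface names
# (xl0 external, xl1 internal) and OpenBSD 3.x netstat(1), ifconfig(8),
# pfctl(8), route(8), arp(8) and tcpdump(8). SAMPLE_NETSTAT is constructed
# text in netstat -i's column layout, error counters included; it was not
# captured from the box in the post.

SAMPLE_NETSTAT='Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
lo0     33224 <Link>                                 55     0       55     0     0
xl0     1500  <Link>      00:10:5a:26:f9:2a       4910   312     6021     0  1187
xl1     1500  <Link>      00:50:04:08:b5:a2      29287     0    22781     0     0'

# Read `netstat -i` output on stdin and print each physical interface whose
# Ierrs, Oerrs or Colls counter is non-zero. The counters are taken from the
# end of the line (Ipkts Ierrs Opkts Oerrs Colls are the last five fields)
# because the Address column is empty on some lines, and each interface is
# reported once even though netstat prints a line per address family.
# Input errors or collisions on a link negotiated as full-duplex point at
# the link (cable, switch port, NIC) rather than at the pf ruleset.
flag_err_ifaces() {
    awk 'NR > 1 && $1 !~ /^(lo|pflog|pfsync|enc)/ && !seen[$1]++ {
             ierrs = $(NF-3); oerrs = $(NF-1); colls = $NF
             if (ierrs + oerrs + colls > 0)
                 print $1 " ierrs=" ierrs " oerrs=" oerrs " colls=" colls
         }'
}

# Extract the loss percentage from a ping(8) summary line, in either the
# OpenBSD or the Linux wording, so that runs from both sides of the gateway
# can be compared as numbers.
loss_pct() {
    sed -n 's/.*[ ,]\([0-9][0-9.]*\)% packet loss.*/\1/p'
}

# Collect the evidence on the OpenBSD box itself. EXT_IF overrides the
# assumed external interface name.
collect_diag() {
    ext_if=${EXT_IF:-xl0}
    echo "== media and error counters on $ext_if =="
    ifconfig "$ext_if" | grep media
    netstat -i | flag_err_ifaces
    echo "== pf drop counters, memory limits and state count =="
    pfctl -s info
    pfctl -s memory
    echo "states: $(pfctl -s state | wc -l)"
    echo "== ARP entries and routes (no DNS lookups) =="
    arp -an
    route -n show -inet
    echo "== last 200 packets logged by the block rules =="
    tcpdump -n -e -ttt -r /var/log/pflog 2>/dev/null | tail -n 200
}

# Only run the live collection when explicitly asked, so that the parsers
# above can be sourced and exercised on their own.
case "${1-}" in
    run) collect_diag ;;
esac
```

Run it on the gateway as `sh diag.sh run` (assumed file name). Errors or collisions reported for xl0 while ifconfig shows full-duplex, with pf's counters flat and the state count well under the limit shown by `pfctl -s memory`, argue for a link problem between the NIC and the cable modem; the reverse argues for looking at the ruleset and the pflog output.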