#4  15th May 2009
spid3r
New User
Join Date: May 2009
Posts: 1

I have an issue regarding this very same setup.

CLOUD-----------soekris gateway-----------LAN
(vr0)pppoe0 vr1

When I'm on the LAN, all is good.
When I'm right on the gateway, DNS works (UDP), ICMP works, but I can't get TCP to work.

Here is a snip of what's going on:

on the lan:
lerequin# uname -a
OpenBSD laptop 4.5 GENERIC#118 i386
lerequin# telnet google.ca 80
Trying 64.233.161.104...
Connected to google.ca.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
lerequin#


on the gateway:
# uname -a
OpenBSD lataupe.xxxxxxx.com 4.5 GENERIC#1749 i386
# ping google.nl
PING google.nl (216.239.59.104): 56 data bytes
64 bytes from 216.239.59.104: icmp_seq=0 ttl=244 time=159.768 ms
--- google.nl ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 159.768/159.768/159.768/0.000 ms
# telnet google.nl 80
Trying 74.125.77.104...
^C
# telnet openbsd.org 80
Trying 199.185.137.3...
^C
# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> freebsd.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: freebsd.org
Address: 69.147.83.40
> exit

#

The TCP connection hangs.

# cat /etc/hostname.vr0
up
# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE pppoedev vr0 authproto pap \
authname 'xxxxxx@acanac.net' authkey 'xxxxxxx' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
#


# netstat -rnfinet
Routing tables

Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 0.0.0.1 UGS 7 1337177 - 8 pppoe0
10.1.1/24 link#2 UC 4 0 - 4 vr1
10.1.1.1 00:00:24:c9:32:69 UHLc 0 14 - 4 lo0
10.1.1.25 00:22:15:8d:93:ff UHLc 0 0 - 4 vr1
10.1.1.204 00:0b:6b:36:72:ab UHLc 2 264074 - 4 vr1
10.1.1.207 link#2 UHLc 1 440518 - 4 vr1
67.XXX.8.1 67.XXX.13.124 UH 0 0 - 4 pppoe0
127/8 127.0.0.1 UGRS 0 0 33204 8 lo0
127.0.0.1 127.0.0.1 UH 2 1899 33204 4 lo0
224/4 127.0.0.1 URS 0 0 33204 8 lo0
#

pf rules, stripped down for the post:
# cat /etc/pf.conf
ext_if="pppoe0"
int_if="vr1"

table <lan_sub> { 10.1.1.0/24 }
table <fuckers> persist

#set loginterface $ext_if
set skip on lo0
set debug loud

#scrub all no-df random-id fragment reassemble reassemble tcp
scrub out log (all) on $ext_if max-mss 1440

nat log (all) on $ext_if from !($ext_if) to any -> ($ext_if)

block drop log (all) all
block drop quick log (all) inet6
block drop quick log (all) from <fuckers>

pass in quick log (all) on $int_if modulate state
pass out quick log (all) on $ext_if modulate state

pass in quick log (all) on $ext_if proto tcp from any port > 1024 to ($ext_if) port ssh flags S/SA modulate state (max-src-conn 5, max-src-conn-rate 10/5, overload <fuckers> flush global)

pass in quick log (all) inet proto icmp all icmp-type echoreq modulate state



While doing a telnet google.com 80 on the Soekris:
# tcpdump -i pflog0 -X -s 1500 -e -vvv host google.com
tcpdump: listening on pflog0, link-type PFLOG
14:51:04.002160 rule 5/(match) [uid 0, pid 24578] pass out on pppoe0: dsl-67-XXX-13-124.acanac.net.56197 > yx-in-f100.google.com.www: S [tcp sum ok] 4038451558:4038451558(0) win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 697898457 0> (DF) [tos 0x10] (ttl 64, id 51129, len 64)


14:51:04.059010 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821837804 697898457,nop,wscale 6> (ttl 51, id 27033, len 60)


14:51:04.383735 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821838129 697898457,nop,wscale 6> (ttl 51, id 27034, len 60)


14:51:04.984323 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821838729 697898457,nop,wscale 6> (ttl 51, id 27035, len 60)


The SYN-ACK comes back, but it doesn't reach telnet, so telnet keeps sending SYNs until it reaches the timeout.

It looks like the packets are NATed back to 0.0.0.0 instead of the pppoe0 IP address, and I guess telnet is not listening on 0.0.0.0.
# netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 *.37330 qy-in-f104.googl.www SYN_SENT


At this point I don't know any more.
......... anyone?

Last edited by spid3r; 15th May 2009 at 07:18 PM.
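Added example, not part of spid3r's post: a POSIX shell/awk check that reads tcpdump(8) text output from pflog0 (the format shown in the capture above) and flags "nat in" replies whose post-translation destination is the unspecified address 0.0.0.0. That is what the capture shows for the SYN-ACKs: the reverse translation yields 0.0.0.0.41797, which means the state pf built for the outbound SYN had 0.0.0.0 as its pre-NAT source, so the reply is handed to an address no socket is bound to (compare the `*.37330` local address in the netstat output). The sample lines are constructed from the post's capture with hostnames and ports kept illustrative; the function names `find_zero_src_nat` and `count_zero_src_nat` are mine.

```shell
#!/bin/sh
# Added example (not from the original post): scan tcpdump(8) output taken
# on pflog0 for "nat in" packets whose translated destination is 0.0.0.0,
# i.e. replies to an outbound connection pf saw leaving with source 0.0.0.0.

# Constructed sample in the same layout as the post's capture; hostnames,
# ports and sequence numbers are illustrative, not real traffic.
SAMPLE='14:51:04.002160 rule 5/(match) [uid 0, pid 24578] pass out on pppoe0: dsl-67-XXX-13-124.acanac.net.56197 > yx-in-f100.google.com.www: S [tcp sum ok] 4038451558:4038451558(0) win 16384 (DF) [tos 0x10] (ttl 64, id 51129, len 64)
14:51:04.059010 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 (ttl 51, id 27033, len 60)
14:51:05.100000 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 10.1.1.204.49152: S [tcp sum ok] 1:1(0) ack 2 win 5672 (ttl 51, id 27040, len 60)'

# Print every "nat in" line whose destination (the token after ">") is
# 0.0.0.0.<port>. A healthy reverse translation points at a real local
# address such as 10.1.1.204.49152 or the pppoe0 address.
find_zero_src_nat() {
    awk '
        / nat in on / {
            for (i = 1; i <= NF; i++)
                if ($i == ">") { dst = $(i + 1); break }
            sub(/:$/, "", dst)          # strip the trailing colon tcpdump adds
            if (dst ~ /^0\.0\.0\.0\.[0-9]+$/) print
        }'
}

# Echo the number of such replies; exit status 0 if any were found, 1 if none.
count_zero_src_nat() {
    n=$(find_zero_src_nat | awk 'END { print NR }')
    echo "$n"
    [ "$n" -gt 0 ]
}

# Stand-alone run over the constructed sample: prints the one 0.0.0.0 reply.
printf '%s\n' "$SAMPLE" | find_zero_src_nat
```

Pipe the text output of a live `tcpdump -e -i pflog0` (or a saved capture read back with `tcpdump -r`) into `find_zero_src_nat`; a non-zero result from `count_zero_src_nat` means pf created at least one NAT state for a locally generated packet with an unspecified source, which is the symptom to chase before touching the pass rules.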