Let us really debug this thing?
- Enable sshd on the OBSD router. Tell it to listen on the internal interface only (/etc/ssh/sshd_config)
- Disable those multipath routing sysctls.
- Load the minimalistic pf.conf I suggested without any messing around with timeout values. I was assuming you used pppoe, if not modify.
Flush all existing pf rules and settings with 'pfctl'. Add ssh to the allowed TCP services to pass in.
- From your OBSD box in the wired network open up 4 xterms to ssh in to your OBSD firewall.
In all xterms, use ssh to log in to your router and 'su - root', because
you will be wiretapping all interfaces on your OpenBSD router.
- # tcpdump -eni $EXT
- # tcpdump -eni $INT 'not port ssh'
- # tcpdump -eni $WLAN
- # tcpdump -eni pflog0
From this same box, in yet another xterm, do 'dig www.google.com'.
You should see the DNS request arrive on your $INT and leave on $EXT, and
the answer entering on $EXT and leaving on $INT to arrive on your box.
Now make a connection on the wireless client and repeat the 'dig www.google.com'.
If it is a Windows wireless client which doesn't have 'dig', use 'nslookup'.
Alternatively, you also could use 'ping', but then you first have to allow ICMP traffic in the pf.conf.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
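The four-leg DNS round trip the post tells you to watch for on $INT and $EXT, as an added example that is not part of the post: a small Python checker that reads constructed `tcpdump -eni` lines per interface and names the first leg where the lookup disappears, with the thing to look at next. The interface names em1/pppoe0, the addresses and the transaction id are assumptions.

```python
import re

# Constructed sample `tcpdump -eni <if>` lines, one list per interface. The names
# em1 ($INT) and pppoe0 ($EXT) and all addresses are assumptions for this example.
CAPTURES = {
    "em1": [
        "10:01:02.000001 00:11:22:33:44:55 00:aa:bb:cc:dd:ee 0800 74: 192.168.1.10.51234 > 8.8.8.8.53: 4321+ A? www.google.com. (32)",
        "10:01:02.030000 00:aa:bb:cc:dd:ee 00:11:22:33:44:55 0800 90: 8.8.8.8.53 > 192.168.1.10.51234: 4321 1/0/0 A 142.250.74.36 (48)",
    ],
    "pppoe0": [
        "10:01:02.000100 203.0.113.7.60001 > 8.8.8.8.53: 4321+ A? www.google.com. (32)",
        "10:01:02.029000 8.8.8.8.53 > 203.0.113.7.60001: 4321 1/0/0 A 142.250.74.36 (48)",
    ],
}

# "src.port > dst.port: txid", then "+ A?"-style flags and qtype only on a query.
PKT = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
                 r"(\d+)(\+?\s+\S+\?)?")

# The four legs in the order the post expects them, each with the first thing
# to check when that leg is the first one missing.
LEGS = [
    ("request in on INT", "client default route, or pf not passing in on $INT (watch pflog0)"),
    ("request out on EXT", "nat/pass out rules on $EXT, or the multipath routing sysctls"),
    ("answer in on EXT", "upstream: the ISP link or the DNS server itself"),
    ("answer out on INT", "pf state table / reverse NAT on the router"),
]

def parse_dns(line):
    """Return (txid, 'query' or 'reply') for a port-53 line, else None."""
    m = PKT.search(line)
    if not m or "53" not in (m.group(2), m.group(4)):
        return None
    return m.group(5), "query" if m.group(6) else "reply"

def diagnose(captures, int_if, ext_if, txid):
    """First leg where txid disappears, with a hint; None if all four legs saw it."""
    role = {int_if: {"query": "request in on INT", "reply": "answer out on INT"},
            ext_if: {"query": "request out on EXT", "reply": "answer in on EXT"}}
    seen = {leg: set() for leg, _ in LEGS}
    for ifname, by_kind in role.items():
        for line in captures.get(ifname, []):
            pkt = parse_dns(line)
            if pkt:
                seen[by_kind[pkt[1]]].add(pkt[0])
    for leg, hint in LEGS:
        if txid not in seen[leg]:
            return leg, hint
    return None
```

Run it against the saved output of the $INT and $EXT tcpdump windows; the transaction id is the number right after the colon in the query line, which NAT leaves unchanged between the two interfaces.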