connection breakdown by route-to rule
Hi,
besides other useful things I have the following statements in my pf.conf:
Code:
table <INT> { 172.16.0.0/16, 192.168.0.0/24, 192.168.1.0/24 }
pass in on vlan7 inet from {vlan7:network} to !<INT> route-to (vlan7 192.168.1.254)
The rationale behind it is that I had to integrate a formerly autonomous department into my LAN. The department insists on keeping their own DSL router for all outbound traffic from that subnet for access to the internet, not the router the rest of the LAN uses, as the bandwidth of that router is infamously limited. The statements do work so far. Only: there are regular connection breakdowns during larger downloads and display of streaming content is rather jerky. The other subnets routed through the machine the filter is running on are not having issues of this kind. So I do not think the hardware (Pentium 4 box with GBit interfaces) is inappropriate for the task. Connection breakdowns only occur when the traffic is routed through that common router and redirected to the department router. There aren't any problems when traffic is routed directly through the department router. So I suspect my 'route-to' rule is to blame. Can anybody help me here? Any hints on what to look for are appreciated.
You could check whether TCP window scaling is working.
Code:
# pfctl -vvss | grep -C1 wscale
all tcp 129.128.5.191:54009 (129.128.5.191:63506) <- 192.168.222.20:38781       FIN_WAIT_2:FIN_WAIT_2
   [2816903347 + 102808] wscale 3  [1483341881 + 17376] wscale 3
   age 00:00:54, expires in 00:00:41, 239:386 pkts, 12440:575325 bytes, rule 29
See "Create TCP states on the initial SYN packet" for an explanation. Which version of OpenBSD are you using?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
As it seems, window scaling is active:
Code:
root:2# sysctl net.inet.tcp.rfc1323
net.inet.tcp.rfc1323=1
and I see the wscale term in the output of the pfctl command. It's OpenBSD 5.0. I hope it's OK so far, I am not keen on updating this box. Thank you for the link. Much to read. Maybe I get another hint there.
Hello, and welcome!
Support for OpenBSD 5.0 ceased on 1 Nov 2012 when OpenBSD 5.2 was released. Since 5.0, there have been network stack improvements including, at 5.1, "Improved vlan priority support, including mapping to interface queues" and at 5.2, "Increased TCP initial window to 14600 bytes as proposed in draft-ietf-tcpm-initcwnd." While you do not desire an upgrade it is possible that your problem has been resolved by developments implemented since 18 July 2011, when new development ceased for what became 5.0-release. Even though 5.0 is no longer supported, you might consider posting about the problem on the misc@ mailing list; it is a larger audience and it is possible you will get better advice from more knowledgeable people, including developers. If you have not posted to OpenBSD project mailing lists before, please see http://www.openbsd.org/mail.html for guidance.
Last edited by jggimi; 6th February 2013 at 01:25 PM. Reason: typos
To my understanding the filter on my default router (192.168.1.5) redirects outbound packets from the subnet 192.168.1.0 - say the host 192.168.1.10 - to the router 192.168.1.254 without touching them. It's just creating a new frame with the destination MAC address of 192.168.1.254 and its own MAC as source address. The new router removes the frame, then rewrites the source IP of the packets while registering the original local source address and sends it to the router of our provider. All incoming answering traffic for that host 192.168.1.10 is sent by the router 192.168.1.254 (after rewriting the destination address) directly to the local destination host 192.168.1.10 without involvement of the initial default router 192.168.1.5. So only outbound packets run through my default gateway, all incoming traffic is delivered directly. A netstat -m on my OpenBSD router during large downloads would not provide any useful information. Or am I missing something here?
Is there a way to upgrade the router directly from 5.0 to 5.2?
Code:
set reassemble yes
match on $Ext scrub (max-mss 1440)
The latter doesn't have anything to do with my route-to rule as the related packets don't pass the external interface.
Besides not enough mbuf clusters, it also could be that pf is hitting the limit of the state tables. See http://www.packetmischief.ca/2011/02...e-table-limit/ for an example.
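A check for the state-table limit mentioned above, written as an added example for this page (it is not code from the thread or from the linked article): it parses the output of `pfctl -si` and `pfctl -sm`, computes how full the state table is and warns when it is near its hard limit or when pf has already failed to allocate states. The two samples are constructed to mimic OpenBSD pfctl output; on the router itself you would feed the functions the live command output.

```shell
#!/bin/sh
# Added example (not from the thread): read pf state-table usage from pfctl output.
# On a live box:  pf_state_check "$(pfctl -si)" "$(pfctl -sm)"
# The two samples below are CONSTRUCTED to mimic OpenBSD pfctl output.
SAMPLE_INFO='Status: Enabled for 3 days 04:12:09           Debug: err

State Table                          Total             Rate
  current entries                     9210
  searches                        48123456          182.6/s
  inserts                           912345            3.5/s
  removals                          903135            3.4/s
Counters
  match                             915000            3.5/s
  memory                               137            0.0/s
  state-limit                            0            0.0/s'

SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024'

# "current entries" line of pfctl -si
pf_current_states() { printf '%s\n' "$1" | awk '/^ *current entries/ { print $3 }'; }

# "states hard limit" line of pfctl -sm
pf_state_limit() { printf '%s\n' "$1" | awk '$1 == "states" { print $4 }'; }

# "memory" counter: packets dropped because pf could not allocate a state,
# which is also what happens once the global states limit is reached.
pf_memory_drops() { printf '%s\n' "$1" | awk '/^ *memory / { print $2 }'; }

# Integer percentage of the state table in use.
pf_state_usage_pct() {
    echo $(( $(pf_current_states "$1") * 100 / $(pf_state_limit "$2") ))
}

# Exit 0 when healthy, 1 when usage is at/above the threshold (default 80%)
# or when state allocations have already failed.
pf_state_check() {
    pct=$(pf_state_usage_pct "$1" "$2")
    drops=$(pf_memory_drops "$1")
    if [ "$pct" -ge "${3:-80}" ] || [ "$drops" -gt 0 ]; then
        echo "WARN: state table ${pct}% full, ${drops} state allocation failures"
        return 1
    fi
    echo "OK: state table ${pct}% full"
}

pf_state_check "$SAMPLE_INFO" "$SAMPLE_LIMITS"
```

If the check warns during the problematic downloads, raising the limit with `set limit states` in pf.conf (or shortening state timeouts) is the usual remedy; if it stays green, the state table is not the cause and the route-to path itself deserves the next look.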
There is no traffic at this time of day (we are a school). I will check that tomorrow. Thanks.
Just to clarify the ease of upgrade... here is a typical procedure.