Re: Switching from FreeBSD to OpenBSD and have hit a wall
On Thursday, Jun 5, 2003, at 15:34 US/Pacific, Greg Rumple wrote:
I guess I should test things before hitting send. Below is what I
I typed in my live addresses versus test addresses, and lo and behold, it
still didn't work.
Anyway, with the following it works in my test lab.
If it works with test addresses, but not with live addresses, there must
be something different about the live addresses.
I'll add numbers to the rules you posted; they should match the output
of "pfctl -vvsn":
0 binat on fxp0 from 184.108.40.206 to any -> 10.10.2.231
1 binat on fxp0 from 220.127.116.11 to any -> 10.10.2.232
2 binat on fxp1 from 18.104.22.168 to any -> 10.10.2.231
3 binat on fxp1 from 22.214.171.124 to any -> 10.10.2.232
4 binat on fxp0 from 10.10.2.231 to any -> 126.96.36.199
5 binat on fxp0 from 10.10.2.232 to any -> 188.8.131.52
6 binat on fxp1 from 10.10.2.231 to any -> 184.108.40.206
7 binat on fxp1 from 10.10.2.232 to any -> 220.127.116.11
Half of them should be unnecessary, unless there's something else going
on with your network setup. With 1.2.3/24 on fxp0, and 10.10.2/24 on
fxp1, this is what should be happening:
10.10.2.231 -> 18.104.22.168:
-> in on fxp1
- match #7: 10.10.2.231 -> [10.10.2.232]
- route to fxp1
- match #6: [22.214.171.124] -> 10.10.2.232
<- out on fxp1
(Looks like I was wrong about reversing the addresses earlier, sorry.)
10.10.2.231 -> 192.168.247.1:
-> in on fxp1
- route to fxp0
- match #4: [126.96.36.199] -> 192.168.247.1
<- out on fxp0
So rules 0-3 should be safe to remove. That actually means that the
remaining rules can be coalesced by removing the interface specification
entirely -- then they'll always apply to both interfaces.
One way to watch what's going on is tcpdump. For the pass rules you're
using on fxp1, add log-all to them, then:
tcpdump -ni fxp1
tcpdump -eni pflog0
You should see the traffic at 4 points:
- on fxp1, inbound before translation
- on pflog0, inbound after dst translation
- on pflog0, outbound after src translation
- on fxp1, outbound
The first 3 points should at least show the translations it's doing.
If point 3 never happens, something's going wrong in routing.
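To make the rule walk above concrete, here is an added model of pf's first-match binat evaluation (not pf's code and not part of the original thread). It assumes the numbered rules as posted, with the external addresses constructed as 1.2.3.231/.232 to fit "1.2.3/24 on fxp0" since they are unreadable in this copy, and a routing table of 10.10.2/24 on fxp1 with everything else going out fxp0; state tracking is left out.

```python
# Added model of pf binat rule evaluation for the trace in the reply above.
# Not pf's code. The external addresses (1.2.3.231/.232) are constructed to
# match the "1.2.3/24 on fxp0" assumption; 10.10.2/24 is on fxp1.
import ipaddress

# (rule number as pfctl -vvsn would show it, interface or None for any,
#  internal address, external address)
RULES = [
    (0, "fxp0", "1.2.3.231", "10.10.2.231"),   # 0-3: the half that never matches
    (1, "fxp0", "1.2.3.232", "10.10.2.232"),
    (2, "fxp1", "1.2.3.231", "10.10.2.231"),
    (3, "fxp1", "1.2.3.232", "10.10.2.232"),
    (4, "fxp0", "10.10.2.231", "1.2.3.231"),
    (5, "fxp0", "10.10.2.232", "1.2.3.232"),
    (6, "fxp1", "10.10.2.231", "1.2.3.231"),
    (7, "fxp1", "10.10.2.232", "1.2.3.232"),
]
# Coalesced form the reply suggests: no interface, so each rule applies on both.
COALESCED = [(0, None, "10.10.2.231", "1.2.3.231"),
             (1, None, "10.10.2.232", "1.2.3.232")]

def egress(dst):
    """Assumed routing: 10.10.2/24 lives on fxp1, default route via fxp0."""
    lan = ipaddress.ip_network("10.10.2.0/24")
    return "fxp1" if ipaddress.ip_address(dst) in lan else "fxp0"

def binat(rules, iface, direction, src, dst):
    """First matching binat rule wins: inbound rewrites dst external->internal,
    outbound rewrites src internal->external. Returns (rule number, src, dst)."""
    for num, rif, internal, external in rules:
        if rif is not None and rif != iface:
            continue
        if direction == "in" and dst == external:
            return num, src, internal
        if direction == "out" and src == internal:
            return num, external, dst
    return None, src, dst

def trace(rules, in_iface, src, dst):
    """Walk one packet through the four points the reply lists."""
    in_rule, src, dst = binat(rules, in_iface, "in", src, dst)
    out_iface = egress(dst)                      # routing happens after dst translation
    out_rule, src, dst = binat(rules, out_iface, "out", src, dst)
    return {"in_match": in_rule, "egress": out_iface,
            "out_match": out_rule, "result": (src, dst)}

if __name__ == "__main__":
    for rules in (RULES, COALESCED):
        print(trace(rules, "fxp1", "10.10.2.231", "1.2.3.232"))
        print(trace(rules, "fxp1", "10.10.2.231", "192.168.247.1"))
```

With the full rule set the first packet reports matches #7 then #6 and the second reports no inbound match then #4, exactly as in the walk-through; the two coalesced rules produce the same translated packets.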