
Re: Switching from FreeBSD to OpenBSD and have hit a wall



On Thursday, Jun 5, 2003, at 15:34 US/Pacific, Greg Rumple wrote:

> I guess I should test things before hitting send. Below is what I have,
> I typed in my live addresses versus test addresses, and lo and behold it
> still didn't work.
>
> Anyway, with the following it works in my test lab.

If it works with test addresses, but not with live addresses, there must be something different about the live addresses.

I'll add numbers to the rules you posted; they should match the output
of "pfctl -vvsn":

  0 binat on fxp0 from 1.2.3.231 to any -> 10.10.2.231
  1 binat on fxp0 from 1.2.3.232 to any -> 10.10.2.232
  2 binat on fxp1 from 1.2.3.231 to any -> 10.10.2.231
  3 binat on fxp1 from 1.2.3.232 to any -> 10.10.2.232
  4 binat on fxp0 from 10.10.2.231 to any -> 1.2.3.231
  5 binat on fxp0 from 10.10.2.232 to any -> 1.2.3.232
  6 binat on fxp1 from 10.10.2.231 to any -> 1.2.3.231
  7 binat on fxp1 from 10.10.2.232 to any -> 1.2.3.232

Half of them should be unnecessary, unless there's something else going
on with your network setup.  With 1.2.3/24 on fxp0, and 10.10.2/24 on
fxp1, this is what should be happening:

10.10.2.231 -> 1.2.3.232:
  -> in on fxp1
     - match #7: 10.10.2.231 -> [10.10.2.232]
     - route to fxp1
     - match #6: [1.2.3.231] -> 10.10.2.232
  <- out on fxp1

(Looks like I was wrong about reversing the addresses earlier, sorry.)

10.10.2.231 -> 192.168.247.1:
  -> in on fxp1
     - route to fxp0
     - match #4: [1.2.3.231] -> 192.168.247.1
  <- out on fxp0

So rules 0-3 should be safe to remove.  That actually means that the
remaining rules can be coalesced by removing the interface specification
entirely -- then they'll always apply to both interfaces.

One way to watch what's going on is tcpdump.  For the pass rules you're
using on fxp1, add log-all to them, then:
  tcpdump -ni fxp1
  tcpdump -eni pflog0

You should see the traffic at 4 points:
  - on fxp1, inbound before translation
  - on pflog0, inbound after dst translation
  - on pflog0, outbound after src translation
  - on fxp1, outbound

The first 3 points should at least show the translations it's doing.
If point 3 never happens, something's going wrong in routing.