Date:      Thu, 14 Sep 2006 15:11:36 -0400 (EDT)
From:      "Jeff Palmer" <questions@totaldiver.net>
To:        questions@freebsd.org
Subject:   Squid +pf +if_bridge
Message-ID:  <50558.69.45.95.126.1158261096.squirrel@mail.totaldiver.net>

Hello all,

I'm using FreeBSD 6.1 as a bridge (if_bridge).
The interfaces are vr0 (plugged into the DSL modem)
and rl0 (plugged into the switch, to the rest of the network).

On the bridge, I'm attempting to use pf to "rdr" all http requests from
my LAN to squid (actually dansguardian).

I have squid configured correctly, and it was working fine.
I *had* pf working correctly, and redirecting the requests.

Last night, I re-IP'd my network. It used to be 192.168.1.*; now it's
10.23.230.* (this was done for different reasons).

I made the appropriate changes in pf.conf, and rc.conf to set the new IP
on the bridge.

Problem:
All attempts to browse the web simply time out. tcpdump shows:
000874 rule 6/0(match): pass in on vr0: 10.23.230.254 > 10.23.230.5: ICMP
net 10.23.230.26 unreachable, length 36
000005 rule 6/0(match): pass in on bridge0: 10.23.230.254 > 10.23.230.5:
ICMP net 10.23.230.26 unreachable, length 36
000022 rule 7/0(match): pass out on rl0: 64.233.179.99 > 10.23.230.5: ICMP
net 64.233.179.99 unreachable, length 36

However, this only occurs with the redirect. If I insert the proxy
IP/port in my web browser, it works fine.

Diagnostics:
10.23.230.254 is DSL modem
10.23.230.26 is the bridge/squid box
10.23.230.5 is the workstation trying to browse the net.

From the bridge, I can ping all internal IPs, and external (internet)
IPs with no problem. From the DSL modem, I can ping all machines on
the internet, and also all machines behind the bridge.
From the workstation, I can ping the bridge, the DSL modem, and all
internet hosts.
I see no apparent reason that the tcpdump output shows ICMP unreachable
between *.254 and *.5.


Has anyone run into this before? If so, any idea how to resolve it?
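For reference, the kind of rule set the post describes (a transparent HTTP redirect to a local proxy on an if_bridge host) typically looks like the following. This is an added example, not the poster's pf.conf and not a fix for the problem reported above; the interface names and addresses are taken from the post, while the proxy listening port and the pass rules are assumptions.

```pf
# Example pf.conf for transparent HTTP redirection on an if_bridge host.
# Interface names and addresses follow the post; proxy_port is assumed.
ext_if     = "vr0"            # member interface toward the DSL modem
int_if     = "rl0"            # member interface toward the LAN switch
lan        = "10.23.230.0/24" # the re-addressed LAN
proxy      = "10.23.230.26"   # the bridge/proxy host itself
proxy_port = "8080"           # assumed: whatever the filtering proxy listens on

# Redirect LAN-originated HTTP that arrives inbound on the inner member
# interface to the local proxy. "rdr pass" also creates the matching pass
# state, so no separate pass rule is needed for the translated connection.
rdr pass on $int_if inet proto tcp from $lan to any port 80 \
    -> $proxy port $proxy_port

# Logged default deny, then explicit stateful passes on each interface pf
# may see the frame on (members and the bridge itself).
block log all
pass quick on lo0
pass on $ext_if keep state
pass on $int_if keep state
pass on bridge0 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. On if_bridge, whether pf evaluates a frame on the member interfaces, on bridge0, or on both is controlled by the `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` sysctls (see if_bridge(4)); the pflog lines quoted in the post, which show the same packet matching on vr0 and again on bridge0, are what that double evaluation looks like in tcpdump output.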
