From: "Jeff Palmer"
To: questions@freebsd.org
Date: Thu, 14 Sep 2006 15:11:36 -0400 (EDT)
Subject: Squid +pf +if_bridge

Hello all,

I'm using FreeBSD 6.1 as a bridge (if_bridge). The interfaces are vr0 (plugged into the DSL modem) and rl0 (plugged into the switch, to the rest of the network).

On the bridge, I'm attempting to use pf to "rdr" all http requests from my LAN to squid (actually dansguardian). I have squid configured correctly, and it was working fine. I *had* pf working correctly, and redirecting the requests.

Last night, I re-IP'd my network. It used to be 192.168.1.*; now it's 10.23.230.* (this was done for different reasons). I made the appropriate changes in pf.conf and rc.conf to set the new IP on the bridge.

Problem: all attempts to browse the web simply time out.

tcpdump shows:

    000874 rule 6/0(match): pass in on vr0: 10.23.230.254 > 10.23.230.5: ICMP net 10.23.230.26 unreachable, length 36
    000005 rule 6/0(match): pass in on bridge0: 10.23.230.254 > 10.23.230.5: ICMP net 10.23.230.26 unreachable, length 36
    000022 rule 7/0(match): pass out on rl0: 64.233.179.99 > 10.23.230.5: ICMP net 64.233.179.99 unreachable, length 36

However, this only occurs with the redirect. If I insert the proxy IP/port in my web browser, it works fine.

Diagnostics:

    10.23.230.254 is the DSL modem
    10.23.230.26 is the bridge/squid box
    10.23.230.5 is the workstation trying to browse the net.

From the bridge, I can ping all internal IPs and external (internet) IPs with no problem. From the DSL modem, I can ping all machines on the internet, and also all machines behind the bridge. From the workstation, I can ping the bridge, the DSL modem, and all internet hosts.

I see no apparent reason that the tcpdump output shows ICMP unreachable between *.254 and *.5.

Has anyone run into this before? If so, any idea how to resolve it?
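The transparent-proxy rdr arrangement the post describes, written out as an added illustration rather than the poster's actual pf.conf. The interface names and the 10.23.230.0/24 addresses come from the post; the proxy listener port (8080), the macro names and the accompanying pass rules are assumptions.

```conf
# Added illustration, not the poster's pf.conf (FreeBSD 6.x pf syntax).
# Assumes squid/dansguardian listens on 10.23.230.26:8080 (port assumed).
ext_if     = "vr0"              # member interface toward the DSL modem
int_if     = "rl0"              # member interface toward the LAN switch
lan        = "10.23.230.0/24"   # the re-numbered LAN from the post
proxy      = "10.23.230.26"     # the bridge/proxy box
proxy_port = "8080"             # assumed proxy listener port

# Exempt the proxy's own outbound fetches, otherwise they would be
# redirected straight back into the proxy and loop.
no rdr on $int_if proto tcp from $proxy to any port www

# Transparent redirect: LAN web requests arriving on the LAN-side member
# interface are sent to the proxy instead of the origin server.
rdr on $int_if inet proto tcp from $lan to any port www -> $proxy port $proxy_port

# Let the redirected connection reach the proxy listener, and let the
# proxy's own fetches out. State is kept so replies match the rule.
pass in  quick on $int_if inet proto tcp from $lan to $proxy port $proxy_port keep state
pass out quick on $ext_if inet proto tcp from $proxy to any port www keep state
```

Because the post's log shows rules matching on vr0, bridge0 and rl0, the same packet is passing pf on both a member interface and the bridge itself, which is governed by the net.link.bridge.pfil_member and net.link.bridge.pfil_bridge sysctls (see if_bridge(4)); `pfctl -vnf /etc/pf.conf` checks the rules parse, and `pfctl -s nat` and `pfctl -s state` show whether the rdr is loaded and whether redirected connections are actually creating state.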