Date:      Sun, 17 May 2009 21:50:52 +0200
From:      Kevin Smith <repcsike@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   PF Nat Problem after PPP reconnection
Message-ID:  <c4b701070905171250t60ee1a0ci9f8de8c3da83586d@mail.gmail.com>

Hello,

I have a weird problem I couldn't solve. I have had it since 7.0: after ppp
reconnects to the ISP, weird stuff happens. Packets don't come back, the
connection to the ISP gets very slow, http requests get timed out or load
with items missing, or the connection gets reset, but only for the computers
behind NAT. I'm using PF for filtering and for natting too. I have a dynamic
IP address from my ISP, but it's not forcing the reconnection every 24 hours
(it happens once or twice a week).

I tried the following things:

tweak mtu from 1492 to 1452 - no use.
reload the whole pf config with pfctl -F all -f /etc/pf.conf - no use.
look at netstat -m and -rn: all looks alright, memory is ok, routing looks
ok, and I can initiate connections from the box.
tun0 interface looks alright, ip address is ok, and gw is ok too.

only rebooting the computer solves the problem after this!

I tried pfctl -F nat and I set up ipnat, and now NAT is working alright.

Here are the data and configs:

uname -a
FreeBSD homeserver.workgroup.local 7.1-RELEASE-p4 FreeBSD 7.1-RELEASE-p4 #1:
Wed Apr 15 19:03:33 CEST 2009
repcsi@homeserver.workgroup.local:/usr/obj/usr/src/sys/REPCSI
i386

The kernel (/usr/src/sys/i386/conf/REPCSI) was built from the 7.1 GENERIC
with these addons:

#PF
device          pf                      #PF OpenBSD packet-filter firewall
device          pflog                   #logging support interface for PF
device          pfsync                  #synchronization interface for PF
device          carp                    #Common Address Redundancy Protocol

#ALTQ
options         ALTQ
options         ALTQ_CBQ                # Class Based Queueing
options         ALTQ_RED                # Random Early Detection
options         ALTQ_RIO                # RED In/Out
options         ALTQ_HFSC               # Hierarchical Packet Scheduler
options         ALTQ_CDNR               # Traffic conditioner
options         ALTQ_PRIQ               # Priority Queueing
options         ALTQ_NOPCC              # Required for SMP build

/etc/rc.conf relevant sections:

ifconfig_nfe0="inet 172.20.0.1 netmask 255.255.255.0"
ifconfig_fxp0="MTU 1492 UP"
ifconfig_tun0="DHCP"
gateway_enable="YES"
ppp_enable="YES"
ppp_profile="dsl"
ppp_mode="ddial"
ppp_nat="NO"
ppp_user="root"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"


/etc/ppp/ppp.conf

default:
  set log Phase Chat LCP IPCP CCP tun command
#  set log Phase tun command
  ident user-ppp VERSION (built COMPILATIONDATE)
  set timeout 0
  set reconnect 5 999
  set device /dev/cuad1

  set speed 115200
  set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
  set timeout 180                       # 3 minute idle timer (the default)
  enable dns                            # request DNS info (for resolv.conf)

papchap:
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR                    # Add a (sticky) default route


dsl:
    set device PPPoE:fxp0
    set mtu max 1452
    set authname USERNAME
    set authkey  PASSWORD
    set dial
    set login
    set ifaddr 10.0.0.1/0 10.0.0.2/0
    add default HISADDR
    nat enable no
    set cd off
    set crtscts off
    set redial 0 0
    enable lqr echo
    enable lcp
    enable dns


/etc/ppp/ppp.linkup

dsl:
 !bg sh -c "/sbin/pfctl -F all -f /etc/pf.conf"


/etc/ppp/ppp.linkdown  < had to set this up for testing because ppp restart
couldn't destroy the tun0 interface and ppp used tun1 after that ;\ however
at reconnect it destroys it, and tells me this command is invalid:

dsl:
!bg ifconfig tun0 destroy



/etc/pf.conf  - I just added log for debugging, but without log the behaviour
was the same

ext_if = "tun0"
int_if = "nfe0"
ext_ad = "(tun0)"
prv_ads = "172.20.0.0/24"
nat_p = "{tcp, udp, icmp}"

tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, ntp, 43 }"
udp_services = "{ domain, ntp }"
client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, https, 446 }"
icmp_types = "{ echoreq, unreach }"

table <robot> persist
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

proxy="127.0.0.1" # ftp proxy IP
proxyport="8021" # ftp proxy port

scrub in all

altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if)


nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

block in log all

pass out log on $ext_if proto tcp from any to any queue (q_def, q_pri)
pass in  log on $ext_if proto tcp from any to any queue (q_def, q_pri)


block return log

pass out log keep state

anchor "ftp-proxy/*"

set skip on { lo0, $int_if }

block in log quick from urpf-failed

antispoof log for $ext_if

block drop in log (all)  quick on $ext_if from { $martians, <robot> } to any
block drop out log (all) quick on $ext_if from any to $martians
pass out log on $ext_if proto tcp to any port $tcp_services
pass out log on $ext_if proto udp to any port $udp_services
pass out log on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass log inet proto icmp all icmp-type $icmp_types keep state
pass log inet proto tcp from any to $ext_if port ssh keep state (max-src-conn 5, max-src-conn-rate 3/5 overload <robot> flush global)



Thanks for every reply :)

Best Regards,

Repcsi
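One check worth having after a PPP reconnect, as an added example that is not part of the original post: a small sh script, meant to be called from ppp.linkup, that counts pf NAT states still bound to an external address other than tun0's current one. It assumes the pf 4.x `pfctl -s state` line format described in the comments and runs over a constructed sample listing.

```shell
#!/bin/sh
# Added example, not from the original post.
# After ppp reconnects, NAT states created under the old tun0 address are
# useless (replies go to an address we no longer own). This counts them.
#
# ASSUMPTION: `pfctl -s state` on pf 4.x (FreeBSD 7) prints NAT'd states as
#   <if> <proto> <translated-src> (<original-src>) -> <dst> <state>
# The listing below is constructed sample data, not real output.
SAMPLE_STATES='tun0 tcp 203.0.113.10:51000 (172.20.0.5:51000) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
tun0 tcp 203.0.113.10:51001 (172.20.0.6:51001) -> 198.51.100.8:443      FIN_WAIT_2:FIN_WAIT_2
tun0 udp 203.0.113.22:40000 (172.20.0.5:40000) -> 198.51.100.9:53       MULTIPLE:SINGLE
all tcp 172.20.0.1:22 <- 172.20.0.5:40001       ESTABLISHED:ESTABLISHED'

# stale_nat_states CURRENT_ADDR < state-listing
# Prints how many NAT states have a translated source other than CURRENT_ADDR.
# Non-NAT states (no "(orig)" field, or inbound "<-") are ignored.
stale_nat_states() {
    awk -v cur="$1" '
        $4 ~ /^\(/ && $5 == "->" {
            split($3, a, ":")           # translated source is addr:port
            if (a[1] != cur) n++
        }
        END { print n + 0 }'
}

# tun_addr IFACE: the inet address ifconfig currently reports for IFACE.
tun_addr() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# linkup_check IFACE: what a ppp.linkup hook would run on the live system.
# It reports the stale count so it shows up in the ppp log before the rules
# are reloaded; the count tells you whether a plain reload left old states.
linkup_check() {
    cur=$(tun_addr "$1")
    [ -n "$cur" ] || { echo "no inet address on $1"; return 1; }
    n=$(pfctl -s state 2>/dev/null | stale_nat_states "$cur")
    echo "$1 is $cur, $n NAT states still use another external address"
}

# Offline demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_STATES" | stale_nat_states 203.0.113.10
```

Run `linkup_check tun0` from the `dsl:` entry in ppp.linkup (instead of the demo line) to see the count in the ppp log on a real box; the sample data gives 1 for 203.0.113.10.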


