weird routing problem
Andy Greenwood
greenwood.andy at gmail.com
Wed Feb 14 16:16:57 UTC 2007
My network looks like this:
+----------+     +------+     +---------+     +----------+
| Internet | <-> | Tiny | <-> | linksys | <-> | Behemoth |
+----------+     +------+     +---------+     +----------+
                                  \
                                (WiFi)
                                    \
                                +---------+
                                | various |
                                +---------+
Tiny is my firewall, and it forwards all ssh and http traffic to
Behemoth. I also forward port 3389 to one of the clients on the
wireless network. I can get into the remote desktop on my machine
running XP and ssh to behemoth from there, but can't from the outside.
Once I am logged into Behemoth, I can't ping anything on the outside.
If I try to ping my default gateway, 192.168.2.1, I get "Ping: Sendto:
Host is down". If I try to ping anything else, I get "Ping: Sendto: No
route to host".
[andy at behemoth ~]$ ifconfig
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.2.10 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:0c:41:e2:ae:75
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
pflog0: flags=0<> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
[andy at behemoth ~]$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      447    dc0
127.0.0.1          127.0.0.1          UH          0      604    lo0
192.168.2          link#1             UC          0        0    dc0
192.168.2.1        link#1             UHLW        2        2    dc0
192.168.2.10       00:0c:41:e2:ae:75  UHLW        1       10    lo0
168.168.2.100      00:12:17:6a:32:7e  UHLW        1     2239    dc0    623
[andy at behemoth ~]$ ping google.com
ping: cannot resolve google.com: Host name lookup failure
[andy at behemoth ~]$ ping 64.233.167.99
PING 64.233.167.99 (64.233.167.99): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 64.233.167.99 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
The weird thing is that I'm logged into this box over ssh. I shouldn't
be able to connect to the box if there's something wrong with the
routing, correct?
I have already tried setting the mtu to 1400 with no result and
rebooting, also with no result, but I'm really not sure where to go
from here. Any help on this would be much appreciated. I've attached
my pf.conf, but it hasn't changed in a few weeks and this just started
happening a couple days ago. It coincided with me adding my new Wii to
the wireless network, but I can't see how that could've messed up the
routing on Behemoth.
--
I'm nerdy in the extreme and whiter than sour cream
-------------- next part --------------
# Macro definitions
ext_if = "dc0" # replace with actual external interface name i.e., dc0
int_if = "dc1" # replace with actual internal interface name i.e., dc1
local_net = "192.168.0.0/16" # IP addresses used internally
table <bruteforce> persist file "/var/db/ssh-bruteforce" # Table of IP addresses blocked by bruteforce
set skip on lo0
scrub all # Scrub Everything
altq on $ext_if bandwidth 250Kb priq queue { tcp_ack, dns, ssh_fast, lan, http, ssh_bulk, torrent } # outgoing queues for prioritization
queue tcp_ack priority 7 priq # Queue for TCP ACK packets - low volume, high speed
queue dns priority 6 priq # queue for dns queries and responses
queue ssh_fast priority 4 priq # interactive ssh traffic
queue lan priority 3 priq(default) # queue for lan clients
queue http priority 2 priq # queue for http traffic
queue ssh_bulk priority 1 priq # Queue for bulk (sftp, scp) ssh traffic
queue torrent priority 0 qlimit 100 # The torrent queue
nat on $ext_if from $local_net -> ($ext_if) # nat localnet's packets to the firewall's external interface
rdr on $ext_if proto tcp from any to any port { 22, 80 } -> 192.168.2.10
rdr on $int_if proto tcp from $local_net to ($int_if) port 22 -> 192.168.1.1
rdr on $int_if proto tcp from any to ($ext_if) port { 80, 3150, 49160:49300 } -> 192.168.2.10
rdr on $ext_if proto tcp from any to any port { 32459, 4662 } -> 192.168.2.100
rdr on $ext_if proto udp from any to any port 4672 -> 192.168.2.100
rdr on $ext_if proto { tcp, udp } from any to any port 3389 -> 192.168.2.100
block log all # Default block rule
block in log quick proto tcp from <bruteforce> to any port { 22, 80 }
# Antispoof rules
antispoof for $ext_if
# General Rules
pass in log quick on $ext_if inet proto tcp from any to any port 22 \
flags S/SA keep state queue (ssh_bulk, ssh_fast) # pass in ssh logins
pass in log quick on $ext_if inet proto tcp from any to any port { 80, 3150 } \
flags S/SA keep state queue http # pass in http traffic
pass log inet proto { tcp, udp } from any to 192.168.2.100 port 3389 flags S/SA keep state queue ssh_fast # RDP
pass log inet proto tcp from any port 3150 to 192.168.2.10 keep state # fluxd-inet
pass log inet proto tcp from any to ($ext_if) port 3128 keep state # external clients using the proxy
# Pass anything from the localnet out
pass in log on $int_if from any to any keep state
# torrent stuff
pass log inet proto { tcp, udp } from any to any port { 4662, 4672, 32459 } keep state queue torrent #utorrent
pass log proto { tcp, udp } from any to 192.168.2.10 port 49160:49300 keep state queue torrent #TF
pass log proto { tcp, udp } from 192.168.2.10 port 49160:49300 to any keep state queue torrent #TF
# Pass traffic originating from the firewall out
pass out log on $ext_if from ($ext_if) to any keep state
pass out log on $int_if from any to $local_net keep state
# TCP ACK packets
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue (lan, tcp_ack)
# DNS queries that get passed out. Note that we run named in a caching manner.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port domain keep state #queue dns
pass in on $int_if inet proto { tcp, udp } from $local_net to ($int_if) port domain keep state
# End of Ruleset
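One thing a reader can check mechanically in the netstat -rn output quoted above is whether the default gateway's cloned host route (the UHLW line for 192.168.2.1) actually carries a resolved link-layer address. On FreeBSD of that era a resolved neighbour shows its MAC in the Gateway column, while link#N in that column means the entry exists but ARP never completed, and sendto() returning "Host is down" (EHOSTDOWN) is what the stack reports when the next hop cannot be resolved. The script below is an added example and is not part of the post; it parses a netstat -rn capture in the FreeBSD 6 column layout shown in the message (the sample is re-typed from the post, including the 168.168.2.100 line as written) and reports the resolution state of the default gateway and any other unresolved neighbour routes. The "healthy" MAC used in the test is a constructed value. It only reports what the table shows; it does not diagnose why resolution failed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the "netstat -rn" Internet table from the post,
# re-typed with the column layout FreeBSD 6 used (the 168.168.2.100 line is
# reproduced exactly as it appeared in the message).
NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      447    dc0
127.0.0.1          127.0.0.1          UH          0      604    lo0
192.168.2          link#1             UC          0        0    dc0
192.168.2.1        link#1             UHLW        2        2    dc0
192.168.2.10       00:0c:41:e2:ae:75  UHLW        1       10    lo0
168.168.2.100      00:12:17:6a:32:7e  UHLW        1     2239    dc0    623
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_routes(text: str) -> List[Dict[str, str]]:
    """Parse the 'Internet:' section of FreeBSD netstat -rn output.

    Each returned dict has destination, gateway, flags, netif and expire
    (expire is '' when that column is empty).
    """
    routes: List[Dict[str, str]] = []
    in_inet = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Internet:":
            in_inet = True
            continue
        if not in_inet or not stripped or stripped.startswith("Destination"):
            continue
        if stripped.endswith(":"):          # next section, e.g. "Internet6:"
            break
        fields = stripped.split()
        if len(fields) < 6:
            continue                        # not a route line we understand
        routes.append({
            "destination": fields[0],
            "gateway": fields[1],
            "flags": fields[2],
            "netif": fields[5],
            "expire": fields[6] if len(fields) > 6 else "",
        })
    return routes


def unresolved_neighbours(routes: List[Dict[str, str]]) -> List[str]:
    """Host routes (H) with the link-layer flag (L) whose Gateway column still
    reads link#N instead of a MAC: the kernel cloned a route for that
    neighbour but has no resolved ARP entry behind it."""
    return [r["destination"] for r in routes
            if "H" in r["flags"] and "L" in r["flags"]
            and r["gateway"].startswith("link#")]


def default_gateway_status(routes: List[Dict[str, str]]) -> Tuple[Optional[str], Optional[bool]]:
    """Return (gateway address, resolved?) for the default route.

    resolved is True when the gateway's host route carries a MAC address,
    False when it reads link#N, and None when no host route exists yet
    (nothing has tried to reach the gateway since boot or cache expiry).
    """
    default = next((r for r in routes if r["destination"] == "default"), None)
    if default is None:
        return None, None
    gw = default["gateway"]
    neighbour = next((r for r in routes if r["destination"] == gw), None)
    if neighbour is None:
        return gw, None
    return gw, bool(MAC_RE.match(neighbour["gateway"]))


def report(text: str) -> List[str]:
    """Human-readable findings for one netstat -rn capture."""
    routes = parse_routes(text)
    lines: List[str] = []
    gw, resolved = default_gateway_status(routes)
    if gw is None:
        lines.append("no default route")
    elif resolved is None:
        lines.append(f"default gateway {gw}: no neighbour entry cached")
    elif resolved:
        lines.append(f"default gateway {gw}: link-layer address resolved")
    else:
        lines.append(f"default gateway {gw}: link-layer address NOT resolved")
    for host in unresolved_neighbours(routes):
        lines.append(f"unresolved neighbour route: {host}")
    return lines


if __name__ == "__main__":
    for finding in report(NETSTAT_RN):
        print(finding)
```

Run against the quoted table it reports the default gateway 192.168.2.1 as unresolved while 168.168.2.100 (the host the ssh session is coming from) is resolved, which is consistent with on-link traffic working and anything via the gateway failing. Paste a fresh `netstat -rn` into NETSTAT_RN to check a different capture; the parser ignores the Refs/Use columns and any Internet6 section.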