|
|
|
|
|
|||||||
| Networking Network related discussions (including general TCP/IP stuff, routing, etc). |
 |
|
|
Thread Tools | Display Modes |
|
#1
August 4th, 2012, 12:14
|
|||
|
|||
Can connect in but not out from server
I have just moved my server over to a new machine. I did this as a test a few days ago and it worked great but now that I have done it for real I am experiencing the most peculiar issue.
I can connect to my server via the usual network services (SSH, IMAP etc) but while logged into the servers console I can't ping anything. Not the default gateway or anything on the internet. I know the network card name changed between the two machines (from bge0 to em0) and I have made the necessary changes in my /etc/rc.conf and /etc/pf.conf files (like I did during the test). Can someone help me troubleshoot this please. I have exhausted everything I can think of and have looked through the logs but I am obviously overlooking something. Any ideas?  My /etc/rc.conf: Code:
ifconfig_em0="inet 192.168.0.200 netmask 255.255.255.0" Code:
tcp_services = "{ 22, 25, 80, 161, 162, 443, 587, 993, 3551 }"
udp_services = "{ 161, 162 }"
#table <bruteforce> persist
#block quick from <bruteforce>
#pass inet proto tcp fom any to bge0 port 22 keep state (maxsrc-conn 100, max-src-conn-rate 15/5, \
#overload <bruteforce> flush global)
set skip on lo0
set loginterface em0
pass out quick on em0
block in all
pass in log on em0 proto tcp from any to em0 port $tcp_services
pass in proto icmp from 192.168.0.0/24 to em0
pass in log on em0 proto udp from any to em0 port 6277
pass in log on em0 proto udp from any to em0 port 3551
pass in log on em0 proto udp from 192.168.0.1 to em0 port $udp_services
Very confused!! 
|
|
#2
August 4th, 2012, 12:22
|
||||
|
||||
|
Try changing the following:
Code:
pass out log on em0 # tcpdump -n -e -ttt -i pflog0That should give you some hints.
__________________
Powered by BareBSD
|
|
#5
August 4th, 2012, 14:45
|
|||
|
|||
|
Quote:
Code:
192.168.0.10.50860 > 192.168.0.200.443: Flags [S], cksum 0xb709 (correct), seq 1520038632, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:00:11.093013 rule 8..16777216/0(match): pass in on em0: (tos 0x0, ttl 128, id 29366, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.10.50861 > 192.168.0.200.443: Flags [S], cksum 0xc4c8 (correct), seq 119814302, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:00:01.408055 rule 8..16777216/0(match): pass in on em0: (tos 0x0, ttl 128, id 29375, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.10.50862 > 192.168.0.200.443: Flags [S], cksum 0xe81d (correct), seq 272305201, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:00:04.467144 rule 8..16777216/0(match): pass in on em0: (tos 0x0, ttl 128, id 29389, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.10.50863 > 192.168.0.200.443: Flags [S], cksum 0xcb70 (correct), seq 4020914541, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:00:33.720556 rule 5..16777216/0(match): pass in on em0: (tos 0x0, ttl 128, id 29613, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.10.50867 > 192.168.0.200.80: Flags [S], cksum 0x69de (correct), seq 1614494678, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:00:00.000030 rule 5..16777216/0(match): pass in on em0: (tos 0x0, ttl 128, id 29614, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.10.50866 > 192.168.0.200.80: Flags [S], cksum 0xa06f (correct), seq 1542261140, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:11:57.853249 rule 8..16777216/0(match): pass in on em0: (tos 0x0, ttl 128, id 32351, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.10.50950 > 192.168.0.200.443: Flags [S], cksum 0x831d (correct), seq 2749226294, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:00:01.316117 rule 8..16777216/0(match): pass in on em0: (tos 0x0, ttl 128, id 32365, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.10.50951 > 192.168.0.200.443: Flags [S], cksum 0x4386 (correct), seq 814845977, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
00:00:12.201579 rule 8..16777216/0(match): pass in on em0: (tos 0x0, ttl 128, id 32375, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.10.50952 > 192.168.0.200.443: Flags [S], cksum 0x7083 (correct), seq 1463303284, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
|
|
#6
August 4th, 2012, 14:47
|
|||
|
|||
|
Quote:
Code:
alpha# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGS 2 777 em0
127.0.0.1 link#10 UH 0 8983 lo0
192.168.0.0/24 link#1 U 3 9817 em0
192.168.0.200 link#1 UHS 0 0 lo0
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UH lo0
fe80::%em0/64 link#1 U em0
fe80::221:5aff:fe6b:3d79%em0 link#1 UHS lo0
fe80::%lo0/64 link#10 U lo0
fe80::1%lo0 link#10 UHS lo0
ff01::%em0/32 fe80::221:5aff:fe6b:3d79%em0 U em0
ff01::%lo0/32 ::1 U lo0
ff02::%em0/32 fe80::221:5aff:fe6b:3d79%em0 U em0
ff02::%lo0/32 ::1 U lo0
alpha# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
ether 00:21:5a:6b:3d:79
inet 192.168.0.200 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::221:5aff:fe6b:3d79%em0 prefixlen 64 scopeid 0x1
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
In /var/run/dmesg.boot: Code:
em0: <Intel(R) PRO/1000 Network Connection 7.2.3> port 0x1100-0x111f mem 0xf0180000-0xf019ffff,0xf01a4000-0xf01a4fff i em0: Using an MSI interrupt em0: Ethernet address: 00:21:5a:6b:3d:79
|
|
#8
August 4th, 2012, 15:54
|
||||
|
||||
|
Try this when you ping your gateway:
# tcpdump -n -e -ttt -i pflog0 host 192.168.0.200Assuming 192.168.0.1 is your gateway: # tcpdump -n -e -ttt -i pflog0 host 192.168.0.1Those 2 captures should show if the packets are leaving.
__________________
Powered by BareBSD
|
|
#9
August 4th, 2012, 16:03
|
|||
|
|||
|
Quote:
 I had 3 SSH windows open, one for each of the commands above and a third to run the ping test. It did nothing? Here is the output: Code:
alpha# tcpdump -v -n -e -ttt -i pflog0 host 192.168.0.200 tcpdump: WARNING: pflog0: no IPv4 address assigned tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes alpha# tcpdump -v -n -e -ttt -i pflog0 host 192.168.0.1 tcpdump: WARNING: pflog0: no IPv4 address assigned tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes Any other ideas before I pull my hair out?  I can't think of anymore log files to check!
|
|
#11
August 4th, 2012, 16:10
|
|||
|
|||
|
Quote:
Code:
alpha# service pf status
Status: Enabled for 0 days 00:12:10 Debug: Urgent
Interface Stats for em0 IPv4 IPv6
Bytes In 215163 0
Bytes Out 1090025 0
Packets In
Passed 1356 0
Blocked 46 0
Packets Out
Passed 1572 0
Blocked 0 0
State Table Total Rate
current entries 61
searches 2974 4.1/s
inserts 94 0.1/s
removals 40 0.1/s
Counters
match 156 0.2/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
Code:
alpha# pfctl -sr pass out log on em0 all flags S/SA keep state pass out quick on em0 all flags S/SA keep state block drop in all pass in log on em0 inet proto tcp from any to 192.168.0.200 port = ssh flags S/SA keep state pass in log on em0 inet proto tcp from any to 192.168.0.200 port = smtp flags S/SA keep state pass in log on em0 inet proto tcp from any to 192.168.0.200 port = http flags S/SA keep state pass in log on em0 inet proto tcp from any to 192.168.0.200 port = snmp flags S/SA keep state pass in log on em0 inet proto tcp from any to 192.168.0.200 port = snmptrap flags S/SA keep state pass in log on em0 inet proto tcp from any to 192.168.0.200 port = https flags S/SA keep state pass in log on em0 inet proto tcp from any to 192.168.0.200 port = submission flags S/SA keep state pass in log on em0 inet proto tcp from any to 192.168.0.200 port = imaps flags S/SA keep state pass in log on em0 inet proto tcp from any to 192.168.0.200 port = 3551 flags S/SA keep state pass in log on em0 inet6 proto tcp from any to fe80::221:5aff:fe6b:3d79 port = ssh flags S/SA keep state pass in log on em0 inet6 proto tcp from any to fe80::221:5aff:fe6b:3d79 port = smtp flags S/SA keep state pass in log on em0 inet6 proto tcp from any to fe80::221:5aff:fe6b:3d79 port = http flags S/SA keep state pass in log on em0 inet6 proto tcp from any to fe80::221:5aff:fe6b:3d79 port = snmp flags S/SA keep state pass in log on em0 inet6 proto tcp from any to fe80::221:5aff:fe6b:3d79 port = snmptrap flags S/SA keep state pass in log on em0 inet6 proto tcp from any to fe80::221:5aff:fe6b:3d79 port = https flags S/SA keep state pass in log on em0 inet6 proto tcp from any to fe80::221:5aff:fe6b:3d79 port = submission flags S/SA keep state pass in log on em0 inet6 proto tcp from any to fe80::221:5aff:fe6b:3d79 port = imaps flags S/SA keep state pass in log on em0 inet6 proto tcp from any to fe80::221:5aff:fe6b:3d79 port = 3551 flags S/SA keep state pass in inet proto icmp from 192.168.0.0/24 to 192.168.0.200 keep state pass in log on em0 inet proto udp from 192.168.0.1 to 192.168.0.200 port = snmp keep state pass in log on em0 inet proto udp from 192.168.0.1 to 192.168.0.200 port = snmptrap keep state pass in log on em0 inet proto udp from any to 192.168.0.200 port = 6277 keep state pass in log on em0 inet proto udp from any to 192.168.0.200 port = 3551 keep state pass in log on em0 inet6 proto udp from any to fe80::221:5aff:fe6b:3d79 port = 6277 keep state pass in log on em0 inet6 proto udp from any to fe80::221:5aff:fe6b:3d79 port = 3551 keep state
|
|
#12
August 4th, 2012, 16:54
|
|||
|
|||
|
I don't see anything really wrong in your rules. I would rearrange them so that there are default deny rules first. Also I would add quick to all pass rules, now the evaluation of packets continues to the last pass rule on every packet.
Code:
block in all block out all pass out quick on em0 pass in quick in em0 proto icmp from em0:network to em0 pass in log quick on em0 proto tcp from any to em0 port $tcp_services ...
|
|
#13
August 4th, 2012, 16:58
|
|||
|
|||
|
Could it be an issue with the network card? Drivers? I experience this issue even if I stop the pf service.
One thing I did before noticing this issue was trying to rename the network card name as follows: Code:
ifconfig_em0_name=”nic0″ ifconfig_nic0=”inet 192.168.0.200 netmask 255.255.255.0″
|
|
#14
August 4th, 2012, 17:03
|
|||
|
|||
|
Try any of the following (not all at once though) if they make a difference:
# ifconfig em0 -tso# ifconfig em0 -tso4# ifconfig em0 -rxcsum# ifconfig em0 -txcsum
|
|
#16
August 4th, 2012, 17:09
|
|||
|
|||
|
I see that your NIC is capable of gigabit speed but it's configured only at 100baseTX, bad cable or is your switch only a 100mbit one?
|
|
#17
August 4th, 2012, 17:10
|
|||
|
|||
|
I use Ethernet over power plugs (by Devolo). I think they have a 100mb port on them...not gigabit. Been running my server off this plug for 3 years now with no issues.
PS: I just tried another Devolo plug but with no joy.
|
|
#18
August 4th, 2012, 17:29
|
|||
|
|||
|
Thanks to everyone for their help but I have rolled back to the original server. I am totally confused by this issue. The original server booted up fine and could ping the router straight away. Here is my network card output if anyones curious:
Code:
alpha# ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
ether 00:11:85:e5:d6:25
inet 192.168.0.200 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::211:85ff:fee5:d625%bge0 prefixlen 64 scopeid 0x1
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
|
|
#19
August 4th, 2012, 17:38
|
|||
|
|||
|
Heres another one to make you scratch your head and wonder! I connected up the problematic server somewhere else and changed the IP to 192.168.0.210 and I could ping the router (192.168.0.1) straight away!! What?!
|
|
#22
August 4th, 2012, 18:33
|
|||
|
|||
|
It might not be a static arp problem but just an arp cache problem. If you switch the new server back to .200 and reboot the router and it starts to work then it's definitely a problem with a cached arp entry for address .200 that makes the router refuse connections from the new mac address until the cached arp entry expires.
|
|
#23
August 4th, 2012, 19:43
|
|||
|
|||
|
Quote:
|
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| how to connect remote server's com port ? | maslakyavuz | Peripheral Hardware | 4 | December 6th, 2011 20:26 |
| EKG2 doesn't connect to gg server | hubolek | Web & Network Services | 4 | March 15th, 2011 23:48 |
| connect to server with l2tp | mfaridi | Web & Network Services | 6 | January 13th, 2011 09:55 |
| unable to connect to X server | spoon | X.Org | 2 | August 8th, 2009 09:29 |
| Connect to SQL SERVER in Windows | laertejunior | Web & Network Services | 5 | April 12th, 2009 08:14 |
Linear Mode
