LAN web traffic broken

Hi all,

I hate to bother the busy people in this forum with what may well be a trivial problem, but here goes:

I have a FreeBSD server which has worked fine for several years as a small office ADSL gateway/server/wifi point. Just now, I upgraded it to v8.1 release. I also brought userland completely up-to-date.

Everything seems to be OK... except the web traffic isn't working for LAN clients. DNS works. Clients and server can ping each other. All the familiar settings seem right in rc.conf, such as gateway_enable="YES". I have PF enabled, and traffic is open on the LAN network interfaces.

It is late in the day, and I am tired and have run out of ideas. I feel it must be something glaringly obvious. But what?

Any ideas?

Thanks,
-Colin
 
cbrace said:
I feel it must be something glaringly obvious. But what?
Is the webserver running?

Or am I misunderstanding something? Did you mean none of the clients can access the web?
 
The webserver is running, and that is fine, no problem.

The problem is that the LAN clients can't connect with anything outside the LAN. That is to say, internally things are working OK.

Something must be out of whack on the server, since I can't open the web interface of the ADSL modem, which suggests some kind of routing problem on the server, which serves as a router.
 
Ethernet interfaces might be numbered differently under FreeBSD 8 than whatever version you were using before.

First guess is tied between firewall and NAT. Can protocols other than HTTP get out?
 
What kind of IP address do you get on your 'external' interface?
The one that goes to the DSL modem/router?

If you can, please post the output of
Code:
ifconfig -a
and
Code:
netstat -rn

The answer is usually there.
 
FYI network interface fxp0 connects to the ADSL modem. rl0 is the LAN interface.

Code:
$ ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9<RXCSUM,VLAN_MTU>
	ether 00:02:55:eb:6e:65
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
	ether 00:19:e0:8d:d5:1d
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
	status: running
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:e0:4c:43:c0:9a
	inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:19:e0:8d:d5:1d
	inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
	status: running
	ssid venus channel 2 (2417 MHz 11g) bssid 00:19:e0:8d:d5:1d
	regdomain 32924 country CN indoor ecm authmode OPEN privacy OFF
	txpower 20 scanvalid 60 protmode CTS wme burst dtimperiod 1 -dfs
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200

Code:
$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.254      UGS        28    69517   fxp0
127.0.0.1          link#5             UH          0     7292    lo0
192.168.1.0/24     link#1             U           0       19   fxp0
192.168.1.1        link#1             UHS         0        0    lo0
192.168.2.0/24     link#3             U           2     9928    rl0
192.168.2.1        link#3             UHS         0        0    lo0
192.168.3.0/24     link#6             U           0        1  wlan0
192.168.3.1        link#6             UHS         0        0    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%lo0/64                     link#5                        U           lo0
fe80::1%lo0                       link#5                        UHS         lo0
ff01:5::/32                       fe80::1%lo0                   U           lo0
ff02::%lo0/32                     fe80::1%lo0                   U           lo0
Anything catch your eye?

TIA
 
cbrace said:
Anything catch your eye?
No, this all looks good. I do see why you cannot access your modem though. To fix that you will need to add a static route on the modem to 192.168.2.0/24. The modem only knows about 192.168.1.0/24 because that's directly connected. Anything else is sent to the default gateway, which is probably your ISP.
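To make the return-path point concrete, here is an added example (not code from the thread or from FreeBSD) that performs a longest-prefix-match lookup over two small routing tables: the gateway's IPv4 network routes copied from the netstat -rn output above, and a constructed table for the modem, which is assumed to hold only its connected 192.168.1.0/24 and a default route towards the ISP (the ISP-side address and interface names dsl0/eth0 are made up). It shows why the modem's reply to a 192.168.2.x client takes the default route until a static route for 192.168.2.0/24 via 192.168.1.1 is added.

```python
import ipaddress

# Constructed routing table for the ADSL modem (assumption: only the directly
# connected LAN plus a default route to the ISP; 203.0.113.1/dsl0/eth0 are made up).
MODEM_ROUTES = """\
Destination        Gateway            Netif
default            203.0.113.1        dsl0
192.168.1.0/24     link#1             eth0
"""

# IPv4 network routes taken from the netstat -rn output posted in the thread.
GATEWAY_ROUTES = """\
Destination        Gateway            Netif
default            192.168.1.254      fxp0
192.168.1.0/24     link#1             fxp0
192.168.2.0/24     link#3             rl0
192.168.3.0/24     link#6             wlan0
"""


def parse_routes(text):
    """Turn a netstat -rn style table into (network, gateway, netif) tuples."""
    routes = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        dest, gateway, netif = line.split()[:3]
        prefix = "0.0.0.0/0" if dest == "default" else dest
        routes.append((ipaddress.ip_network(prefix, strict=False), gateway, netif))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific route that contains the destination."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, gateway, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, netif)
    return best


def with_static_route(routes, prefix, gateway, netif):
    """Return a copy of the table with one extra static route appended."""
    return routes + [(ipaddress.ip_network(prefix), gateway, netif)]


def explain(table_name, routes, destination):
    net, gateway, netif = lookup(routes, destination)
    return f"{table_name}: {destination} -> {net} via {gateway} on {netif}"


if __name__ == "__main__":
    gw = parse_routes(GATEWAY_ROUTES)
    modem = parse_routes(MODEM_ROUTES)
    # Forward path: a LAN client behind rl0 reaches the modem through fxp0.
    print(explain("gateway", gw, "192.168.1.254"))
    # Return path: the modem's reply to 192.168.2.2 matches only the default
    # route, so it leaves towards the ISP instead of going back to the FreeBSD box.
    print(explain("modem", modem, "192.168.2.2"))
    # With the static route the reply is handed to 192.168.1.1, the gateway's fxp0.
    fixed = with_static_route(modem, "192.168.2.0/24", "192.168.1.1", "eth0")
    print(explain("modem+static", fixed, "192.168.2.2"))
```

The same lookup explains why the gateway itself has no trouble: every destination outside its three LANs falls through to the default route via 192.168.1.254 on fxp0.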
 
The FreeBSD gateway can access the net without a problem. It is my clients which can't.

Here is my pf.conf. There are some entries for ALTQ but I don't have prioritization activated at the moment.
Code:
# # # # # # # # macros # # # # # # # #

ext_if = "fxp0"
int_if = "rl0"
wifi = "wlan0"
tcp_services = "{ smtp ftp domain www imaps https 2200 4661 4662 52550 53572 }"
udp_services = "{ 4661 4662 52550 53572 }"
wifi_services = "{ smtp ftp domain bootps www imaps https 3689 4711 6909 }" 
icmp_types = "echoreq"
venus = "127.0.0.1"
ariel = "192.168.2.2"
localnet = "192.168.2.0/24"

venus_tcp = "{ domain smtp www irc }"
ext_ssh = "2200"
int_ssh = "22"
amule_tcp = "{ 44662 44711 }"
amule_udp = "{ 44665 44672 }"
skype = "23399"
azureus = "52555"

# # # # OPTIONS # # # #

# The following two options will set the default response for block filter rules and 
# turn statistics logging "on" for the external interface:

set block-policy return
set loginterface $ext_if

# Every Unix system has a "loopback" interface. It's a virtual network interface that 
# is used by applications to talk to each other inside the system. On OpenBSD, the 
# loopback interface is lo(4). It is considered best practice to disable all filtering on loopback interfaces. 
# Using set skip will accomplish this.

set skip on lo0

# # # # # NORMALIZATION # # # # # #
# There is no reason not to use the recommended scrubbing of all incoming traffic, so 
# this is a simple one-liner:

scrub in

# # # # # PRIORITIZATION # # # # # #

altq on $ext_if priq bandwidth 1044Kb queue { standard_out, priority_out, tcp_ack_out }
queue standard_out  priority 1 priq(default)
queue priority_out  priority 5 priq(red)
queue tcp_ack_out   priority 7

# # # # NAT # # # #
# To perform NAT for the entire internal network the following nat rule is used:

nat on $ext_if from !($ext_if) to any -> ($ext_if)

#for ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor  "ftp-proxy/*"

# spamdb
table <spamd> persist
table <spamd-white> persist

# # # # REDIRECTS # # # #

rdr pass on $ext_if proto tcp from <spamd>        to { $ext_if, $localnet } port smtp  -> 127.0.0.1 port 8025
rdr pass on $ext_if proto tcp from !<spamd-white> to { $ext_if, $localnet } port smtp  -> 127.0.0.1 port 8025

#rdr pass on $ext_if proto tcp from any to any port $ext_ssh -> $venus port ssh
rdr pass on $ext_if proto tcp from any to any port $amule_tcp -> $ariel
rdr pass on $ext_if proto udp from any to any port $amule_udp -> $ariel
rdr pass on $ext_if proto tcp from any to any port $skype -> $ariel
rdr pass on $ext_if proto  { tcp, udp } from any to any port $azureus -> $ariel 
#rdr pass on $ext_if protofrom any to any port $sense -> $ariel port 80

# ftp
rdr pass on $int_if proto tcp from any to any port ftp -> $venus port 8021

# # # # NAT # # # #
# To perform NAT for the entire internal network the following nat rule is used:
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# # # # FILTER RULES # # # #
block in log	
pass quick on lo0 all

# ICMP traffic needs to be passed for ping etc:
# pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $ext_if proto icmp all keep state
pass in quick proto icmp6 all

# spamdb tables

#pass log (to pflog1) proto tcp from any to $venus synproxy state
pass log (to pflog1) proto tcp from $venus to any port smtp synproxy state

#pass in on $ext_if proto tcp from any to $ext_if flags S/SA keep state           
pass in quick on $int_if from $localnet to any keep state

table <droplasso> persist file "/etc/pf.drop.lasso.conf"
 
#Block DROP LASSO
#block log (all) all
# pfctl -t droplasso -T show
block drop in log (all)  quick on $ext_if from <droplasso> to any
block drop out log (all) quick on $ext_if from any to <droplasso>

#old pass out 
pass out keep state

#new pass out with priq
#pass out quick on $ext_if inet proto tcp from any to any port { domain smtp $skype irc http https imaps 2200 } flags S/SA keep state queue(priority_out, tcp_ack_out)
#pass out quick on $ext_if proto { tcp, udp, icmp } all keep state

pass in on $wifi   inet proto tcp from any to any port $wifi_services
pass in on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to any port $amule_tcp flags S/SA keep state
pass in on $ext_if inet proto udp from any to any port $amule_udp
pass in on $ext_if inet proto tcp from any to any port $skype flags S/SA keep state
Does anything catch your eye?
Thanks.
 
Hi all,

This afternoon I rewrote pf.conf, and that fixed the problem, although I don't know precisely which line was the offender. Perhaps the queue statements which I wasn't using.

Speaking of PF are you all aware that a 2nd edition of Peter Hansteen's invaluable Book of PF is due shortly? I thought the first edition was very helpful in learning PF (although obviously I am still no expert).
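The author never pinned down which line was at fault and suspects the unused queue statements. Two things a reviewer would notice in the posted file are that the ALTQ queues priority_out and tcp_ack_out are defined but never assigned by any live pass rule (the only rule that uses queue(...) is commented out), and that the nat rule appears twice. The following is an added example, not code from the thread or from PF itself: a small text-level lint for those patterns, run over a constructed excerpt modelled on the posted pf.conf. It is no substitute for the real syntax check, pfctl -nf /etc/pf.conf; it only reports macros that are never expanded, non-default queues that no pass/block rule assigns traffic to, and nat/rdr/binat rules that are repeated verbatim. It assumes no '#' characters occur inside quoted macro values.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the pf.conf posted earlier in the thread
# (heavily trimmed; commented-out lines are kept as in the original).
SAMPLE_PF_CONF = """\
ext_if = "fxp0"
int_if = "rl0"
wifi = "wlan0"
icmp_types = "echoreq"
localnet = "192.168.2.0/24"
int_ssh = "22"
altq on $ext_if priq bandwidth 1044Kb queue { standard_out, priority_out, tcp_ack_out }
queue standard_out  priority 1 priq(default)
queue priority_out  priority 5 priq(red)
queue tcp_ack_out   priority 7
nat on $ext_if from !($ext_if) to any -> ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)
block in log
# pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if from $localnet to any keep state
pass out keep state
#pass out quick on $ext_if inet proto tcp to any port 80 keep state queue(priority_out, tcp_ack_out)
pass in on $wifi inet proto tcp from any to any port 80
"""

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"')
MACRO_REF = re.compile(r"\$(\w+)")
QUEUE_DEF = re.compile(r"^\s*queue\s+(\w+)(.*)$")
DEFAULT_FLAG = re.compile(r"\([^)]*\bdefault\b[^)]*\)")   # e.g. priq(default)
QUEUE_REF_PAREN = re.compile(r"\bqueue\s*\(([^)]*)\)")    # queue(a, b)
QUEUE_REF_BARE = re.compile(r"\bqueue\s+(\w+)")           # queue a


def strip_comments(text):
    """Drop '#' comments and blank lines (assumes no '#' inside quoted values)."""
    lines = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if code:
            lines.append(code)
    return lines


def unused_macros(lines):
    """Macros that are defined but never expanded with $name in live lines."""
    defined, used = set(), set()
    for line in lines:
        m = MACRO_DEF.match(line)
        if m:
            defined.add(m.group(1))
            line = line.split("=", 1)[1]  # a macro value may expand other macros
        used.update(MACRO_REF.findall(line))
    return sorted(defined - used)


def unassigned_queues(lines):
    """ALTQ queues no pass/block rule assigns to; the (default) queue is exempt."""
    defined, default, assigned = set(), set(), set()
    for line in lines:
        m = QUEUE_DEF.match(line)
        if m:
            name, rest = m.groups()
            defined.add(name)
            if DEFAULT_FLAG.search(rest):
                default.add(name)
            continue
        if line.split()[0] in ("pass", "block"):
            for group in QUEUE_REF_PAREN.findall(line):
                assigned.update(n.strip() for n in group.split(",") if n.strip())
            assigned.update(QUEUE_REF_BARE.findall(line))
    return sorted(defined - default - assigned)


def duplicate_translation_rules(lines):
    """nat/rdr/binat rules repeated verbatim; pf uses the first match, so repeats are dead."""
    counts = Counter(" ".join(line.split()) for line in lines
                     if line.split()[0] in ("nat", "rdr", "binat"))
    return sorted(rule for rule, n in counts.items() if n > 1)


def lint(text):
    lines = strip_comments(text)
    return {
        "unused_macros": unused_macros(lines),
        "unassigned_queues": unassigned_queues(lines),
        "duplicate_translation_rules": duplicate_translation_rules(lines),
    }


if __name__ == "__main__":
    for check, findings in lint(SAMPLE_PF_CONF).items():
        print(f"{check}: {findings or 'none'}")
```

On the sample this reports icmp_types and int_ssh as unused macros, priority_out and tcp_ack_out as queues nothing is assigned to, and the repeated nat rule. Findings like these are cleanup hints rather than proof of the fault; a rewrite that drops dead lines, as the author did, removes them and the surprises they can hide.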
 