Solved Routing messed up after upgrading

[balanga]

I uprgaded my server to 15.0-RELEASE today as well as running pkg upgrade and now I can't access the Internet from my LAN.

It's probably a routing problem, but I'm not sure what to check.

My server is 192.168.1.1 and I can ping that from my LAN. I can ping 8.8.8.8 from my server but not from my LAN, so obviously my NAT isn't working as it did before the upgrade. I probably need to run pfctl to check what happening, but not sure what options are needed.

 

[SirDice]

The NAT is done on your internet router, not the server. So check there. Unless this FreeBSD host is your internet router?

 

[balanga]

The NAT is done on your internet router, not the server. So check there. Unless this FreeBSD host is your internet router?

My 'server' is the LAN's gateway to the Internet and the routing is done via a USB tether.

I only just got to learn about NAT, pf etc when my dedicated router stopped working a few weeks ago.

I discovered that my phone provides much better performance than the router.

 

[SirDice]

That host has a direct connection to the internet (it's your uplink), so it will automatically go out to the internet with your external IP address.

the routing is done via a USB tether.

Does that provide a RFC1918 (private range address) to your FreeBSD server? Or do you get a 'real' internet IP address?

pf etc

Right. Is the host itself allowed to go out? Do you have something like block all in your ruleset?

One thing that can happen, if the system boots and there's no connection yet through your phone, the rules may not be loaded properly. What happens if you make sure it's online and you restart PF? service pf restart

 

[balanga]

I have pf_enable="YES" in /etc/rc.conf and the system was rebooted several times during freebsd-update, but I tried what you suggested anyway, although without any effect.

My /etc/pf.conf consists of this single line.

nat on ue0 from 192.168.1.0/24 to any -> (ue0)

This worked before the upgrade and I haven't changed it.

I'm not aware of any other configuration.

 

[SirDice]

That's a pretty basic config, I actually see very little reason why it wouldn't work. Except maybe when ue0 is not connected to the internet when PF is started (or restarted).

Doesn't have anything to do with the host itself though, like I said, it has a direct connection to the internet via that ue0 interface. The source address of the packets are already the address of ue0 so it doesn't need to do NAT in that case. Is the server itself able to connect to the internet?

As for your other hosts on the LAN, did you gateway_enable="YES" on the FreeBSD host? Is the default gateway of the other hosts on your LAN pointing to 192.168.1.1?

 

[bakul]

Check that "sysctl net.inet.ip.forwarding" returns 1 on the 192.168.1.1 server. [gateway_enable="YES" would set that]

 

[dino1]

What about 'sysctl net.pf.default_to_drop' output? PF could be configured in implicit block mode in build process.
What does 'ifconfig ue0' show? This is just for completeness, still usefull info.

 

[SirDice]

What about 'sysctl net.pf.default_to_drop' output? PF could be configured in implicit block mode in build process.

Oh, that's a good one. It's new with 15.0.

 

[dino1]

Well, no, it is older, present in 14.3, but not in 13.1.

 

[balanga]

That's a pretty basic config, I actually see very little reason why it wouldn't work. Except maybe when ue0 is not connected to the internet when PF is started (or restarted).

Doesn't have anything to do with the host itself though, like I said, it has a direct connection to the internet via that ue0 interface. The source address of the packets are already the address of ue0 so it doesn't need to do NAT in that case. Is the server itself able to connect to the internet?

As for your other hosts on the LAN, did you gateway_enable="YES" on the FreeBSD host? Is the default gateway of the other hosts on your LAN pointing to 192.168.1.1?

I just checked and it is commented out. Maybe I did changed it for some reason after I got it working and things were working ok until the reboot so that's probably the cause.

 

[dino1]

That's what you could verify with 'sysctl net.inet.ip.forwarding' as notes above by bakul - or fix with 'sysctl net.inet.ip.forwarding=1' with no need to reboot.

 

[balanga]

Check that "sysctl net.inet.ip.forwarding" returns 1 on the 192.168.1.1 server. [gateway_enable="YES" would set that]

Just checked and it returned 0 and yes that line was commented out for some reason.

I tried to run service netif restart through ssh but the operation timed out.

Is there any way to enable it via ssh iwithout rebooting?

 

[bakul]

What dino1 says above. "doas sysctl net.inet.ip.forwarding=1" (doas or sudo)

 

[balanga]

That's what you could verify with 'sysctl net.inet.ip.forwarding' as notes above by bakul - or fix with 'sysctl net.inet.ip.forwarding=1' with no need to reboot.

Many thanks for that!

I have it working again now.