Why doesn't the internet work?

I wrote a script to permit traffic from the LAN with one MAC, 00:1c:c0:f1:cb:c8, to the WAN (Internet).
Code:
#!/bin/sh -

fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} table all flush
${fwcmd} nat 1 delete

# NETWORK CONNECTIONS
if_inet="igb0"
if_lan="igb1"

# Local
${fwcmd} add allow all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny all from 127.0.0.0/8 to any



# NAT
${fwcmd} nat 1 config if ${if_inet} same_ports reset log
${fwcmd} add nat 1 ip from "table(0)" to any out via ${if_inet}
${fwcmd} add nat 1 ip from any to any in via ${if_inet}

# TABLE (0):
${fwcmd} add allow ip from any to any
${fwcmd} table 0 add 10.44.1.1 etc

# MAC addresses to allow
# These only take effect if sysctl net.link.ether.ipfw=1
GOOD_MACS_F=" { MAC any 00:1c:c0:f1:cb:c8 }"
GOOD_MACS_T=" { MAC 00:1c:c0:f1:cb:c8 any }"

# Allow the ARP traffic from everyone
${fwcmd} add 4 allow ip from any to any layer2 mac-type arp

# Allow traffic from specific MAC addresses
${fwcmd} add 5 allow ip from any to any $GOOD_MACS_F in recv $if_lan

# Allow traffic to specific MAC addresses
${fwcmd} add 6 allow ip from any to any $GOOD_MACS_T out xmit $if_lan

# Allow all IP-level traffic
${fwcmd} add 7 allow ip from any to any via $if_lan

# Deny all MAC-level traffic
${fwcmd} add 8 deny ip from any to any MAC any via $if_lan
Ping goes to any site from the IP with this MAC (with many lost packets), but the site doesn't open (I guess because of these lost packets: too big a timeout). If we remove from the script all lines relating to MAC and restart ipfw, the internet works for IPs from table(0), if sysctl net.link.ether.ipfw=0. In this case there are no lost packets.
 
When table 0 has many lines (300) there are too many lost packets. When it has only 1 line, there are no lost packets, but the internet nevertheless doesn't work.

Code:
ipfw -at show
00004  1161   51570 Mon Jan 30 08:28:59 2017 allow ip from any to any layer2 mac-type 0x0806
00005   791  148912 Mon Jan 30 08:29:00 2017 allow ip from any to any MAC any 00:1c:c0:f1:cb:c8 in recv igb1
00006   400   56502 Mon Jan 30 08:29:00 2017 allow ip from any to any MAC 00:1c:c0:f1:cb:c8 any out xmit igb1
00007 14703 2307557 Mon Jan 30 08:29:00 2017 allow ip from any to any via igb1
00100     0       0                         allow ip from any to any via lo0
00200     0       0                         deny ip from any to 127.0.0.0/8
00300     0       0                         deny ip from 127.0.0.0/8 to any
00400   982  256760 Mon Jan 30 08:28:59 2017 nat 1 ip from table(0) to any out via igb0
00500  1920  316385 Mon Jan 30 08:29:00 2017 nat 1 ip from any to any in via igb0
00600 14455 2237783 Mon Jan 30 08:29:00 2017 allow ip from any to any
65535     0       0                         deny ip from any to any
The site begins to work right after using the command
Code:
sysctl net.link.ether.ipfw=0
 
When sysctl net.link.ether.ipfw=0 and the lines with MAC are omitted, the site can be opened and "ipfw -at list" looks like this:

Code:
00100         0            0                         allow ip from any to any via lo0
00200         0            0                         deny ip from any to 127.0.0.0/8
00300         0            0                         deny ip from 127.0.0.0/8 to any
00400 118664684  69641028980 Thu Feb  2 13:20:24 2017 nat 1 ip from table(0) to any out via igb0
00500 141367446 145224602978 Thu Feb  2 13:20:24 2017 nat 1 ip from any to any in via igb0
00600 523795495 432943983109 Thu Feb  2 13:20:24 2017 allow ip from any to any
65535         0            0                         deny ip from any to any
 
If this method does not provide access to the internet from this MAC (table of MACs), maybe there are some other methods?
 
I guess layer2 makes this timeout, which does not allow the site to work. Then IPFW is unusable for filtering MAC addresses correctly. I have to put in an intermediate computer with Debian 8.7 and iptables, which easily solves this problem.
 
I am using local unbound as a DNS server. Maybe it can not handle layer2?
This situation usually occurs when the DNS server is not running or works incorrectly: the site pings by its IP, but its URL does not work in the browser (timeout).
 
That's right, if layer2 is on, local unbound does not work. When using dns-server = 8.8.8.8, everything is working.
 
My final verdict. It's not unbound. It's sysctl net.link.ether.ipfw=1. In this case the script works with too many lost packets and the site does not open in the browser.
When sysctl net.link.ether.ipfw=1:
Code:
ping mail.ru
PING mail.ru (217.69.139.200) 56(84) bytes of data.
64 bytes from cp.mail.ru (217.69.139.200): icmp_seq=1 ttl=56 time=21.9 ms
^C
--- mail.ru ping statistics ---
7 packets transmitted, 1 received, 85% packet loss, time 6000ms
rtt min/avg/max/mdev = 21.936/21.936/21.936/0.000 ms

When sysctl net.link.ether.ipfw=0:
Code:
ping mail.ru
PING mail.ru (217.69.139.200) 56(84) bytes of data.
64 bytes from cp.mail.ru (217.69.139.200): icmp_seq=1 ttl=56 time=19.2 ms
64 bytes from cp.mail.ru (217.69.139.200): icmp_seq=2 ttl=56 time=19.3 ms
64 bytes from cp.mail.ru (217.69.139.200): icmp_seq=3 ttl=56 time=19.4 ms
64 bytes from cp.mail.ru (217.69.139.200): icmp_seq=4 ttl=56 time=19.2 ms
^C
--- mail.ru ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 19.240/19.316/19.427/0.156 ms
 
Maybe ipfw is not adapted to creating a whitelist of MAC(s). It's sad. When packets go through the ruleset twice, there are many lost packets and too big a delay.
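An added example, not from this thread: with net.link.ether.ipfw=1 every packet does traverse the ruleset twice (once at layer2, once at layer3), and the ruleset above lets the nat rules fire on both passes. ipfw(8) documents a skipto dispatch on the layer2 keyword to keep the two passes apart; this script applies that pattern to the thread's interfaces and MAC. The table(0) contents and the file name are assumed.

```shell
#!/bin/sh
# Added example, not from this thread: dispatch ipfw's layer2 passes and
# layer3 passes to separate rule ranges with skipto, the pattern ipfw(8)
# documents, so the MAC whitelist is checked only at layer2 and NAT is
# applied only once, at layer3. Interfaces and the MAC are the thread's;
# the table(0) contents are assumed.
# Usage: sh ipfw-l2.sh apply   (root, net.link.ether.ipfw=1)
#        sh ipfw-l2.sh         (dry run: print the rules)

ipfw_layer2_ruleset() {
    fwcmd="$1"     # /sbin/ipfw, or "echo" for a dry run
    good_mac="$2"  # the one LAN host allowed to reach the WAN
    if_inet="igb0"
    if_lan="igb1"

    ${fwcmd} -f flush
    ${fwcmd} table all flush
    ${fwcmd} table 0 add 10.44.1.1        # first entry from the thread; add the rest
    ${fwcmd} nat 1 config if ${if_inet} same_ports reset

    # Every packet is seen twice; send each pass to its own section.
    ${fwcmd} add 10 skipto 1000 all from any to any layer2
    ${fwcmd} add 20 skipto 2000 all from any to any not layer2

    # 1000: layer2 pass. MAC dst-mac src-mac: whitelist frames from the
    # host on the LAN side and frames to it; drop any other LAN frame.
    ${fwcmd} add 1000 allow all from any to any layer2 mac-type arp
    ${fwcmd} add 1010 allow all from any to any MAC any ${good_mac} layer2 in recv ${if_lan}
    ${fwcmd} add 1020 allow all from any to any MAC ${good_mac} any layer2 out xmit ${if_lan}
    ${fwcmd} add 1030 deny all from any to any layer2 via ${if_lan}
    ${fwcmd} add 1040 allow all from any to any layer2

    # 2000: layer3 pass. Loopback hygiene and NAT run exactly once here,
    # so counters on the nat rules no longer double and nothing is
    # translated twice.
    ${fwcmd} add 2000 allow ip from any to any via lo0
    ${fwcmd} add 2010 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 2020 deny ip from 127.0.0.0/8 to any
    ${fwcmd} add 2030 nat 1 ip from "table(0)" to any out via ${if_inet}
    ${fwcmd} add 2040 nat 1 ip from any to any in via ${if_inet}
    ${fwcmd} add 2050 allow ip from any to any
}

case "${1:-}" in
    apply) ipfw_layer2_ruleset /sbin/ipfw 00:1c:c0:f1:cb:c8 ;;
    *)     ipfw_layer2_ruleset echo 00:1c:c0:f1:cb:c8 ;;
esac
```

Compare `ipfw -at show` after loading: the nat rules at 2030/2040 should count each packet once, where the original rules 400/500 counted the layer2 pass as well.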
 