-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello

I am running FBSD on two firewalls in a scenario like below:

  internet
     |
    FW2
     |
    DMZ
     |
    FW1
     |
  internal LAN

FW1 is running ipf and FW2 is running ipf and ipnat.

Hosts on the DMZ can access the internet without problems; ping, traceroute, mail, http, all is working nicely and fast.

Hosts on the internal LAN however are seeing VERY strange things. For example, check this out:

9:04pm mdouhan @ [persika] ~ > traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
 1  192.168.15.254 (192.168.15.254)  0.698 ms  0.532 ms  0.410 ms
 2  192.168.254.254 (192.168.254.254)  0.781 ms  0.757 ms  0.744 ms
 3  gw-l3-ktv-hc.koping.net (81.16.160.113)  1.210 ms  1.203 ms  1.263 ms
 4  gw-l3-ktv-it.koping.net (81.16.160.6)  1.546 ms  4.123 ms  1.272 ms
 5  rif3-r1-jvg-kop.arrowhead.com (81.216.90.1)  3.336 ms  2.813 ms  2.649 ms
 6  www.cisco.com (198.133.219.25)  1.278 ms  2.610 ms  1.962 ms

The host "persika" is connected on the internal LAN and is located in Sweden, Europe, and there is NO way it can get to www.cisco.com in 2-3 ms. I don't have any caching or proxies or anything; besides, traceroute does not care about that anyway AFAIK.

The same traceroute from a host on the DMZ shows the correct thing, as follows:

9:05pm mdouhan @ [ananas] ~ > traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
 1  firewall2 (192.168.254.254)  0.671 ms  0.458 ms  0.438 ms
 2  gw-l3-ktv-hc.koping.net (81.16.160.113)  0.901 ms  0.931 ms  0.878 ms
 3  gw-l3-ktv-it.koping.net (81.16.160.6)  1.416 ms  1.191 ms  1.388 ms
 4  rif3-r1-jvg-kop.arrowhead.com (81.216.90.1)  2.345 ms  2.080 ms  2.705 ms
 5  rif2-cr1-vf-kop.arrowhead.com (81.216.2.1)  1.973 ms  2.173 ms  2.263 ms
 6  rif6-cr1-vf-vst.arrowhead.com (81.216.0.53)  3.785 ms  2.708 ms  2.540 ms
 7  rif3-cr1-vf-oby.arrowhead.com (213.187.195.97)  3.363 ms  16.022 ms  3.862 ms
 8  rif47-rs1-t4-sto.arrowhead.com (213.187.195.93)  4.769 ms  4.396 ms  3.999 ms
 9  rif5-cr3-kst-sto.arrowhead.com (81.216.0.137)  5.115 ms  4.624 ms  4.762 ms
10  Gi14-1-kst-p1.sto.se.sn.net (81.216.0.113)  4.496 ms  4.577 ms  4.666 ms
11  pos2-0.vrt-p1.sto.se.sn.net (213.88.255.245)  4.687 ms  4.757 ms  4.806 ms
12  sl-gw20-sto-2-1.sprintlink.net (80.77.97.89)  4.575 ms  4.526 ms  4.576 ms
13  sl-bb21-sto-12-0.sprintlink.net (80.77.96.98)  4.969 ms  5.132 ms  5.526 ms
14  sl-bb21-cop-12-0.sprintlink.net (213.206.129.33)  14.034 ms * 13.904 ms
15  sl-bb20-cop-15-0.sprintlink.net (80.77.64.33)  13.942 ms  13.498 ms  13.966 ms
16  sl-bb21-msq-10-0.sprintlink.net (144.232.19.29)  91.125 ms  102.015 ms  93.908 ms
17  sl-bb22-rly-15-3.sprintlink.net (144.232.19.98)  96.692 ms  95.680 ms  96.615 ms
18  sl-bb25-rly-12-0.sprintlink.net (144.232.14.166)  96.692 ms  95.879 ms  95.900 ms
19  sl-bb23-sj-9-0.sprintlink.net (144.232.20.11)  227.115 ms  241.136 ms  220.680 ms
20  sl-bb25-sj-14-0.sprintlink.net (144.232.3.250)  181.269 ms  173.322 ms  164.253 ms
21  sl-gw11-sj-10-0.sprintlink.net (144.232.3.134)  172.763 ms  172.362 ms  172.324 ms
22  sl-ciscopsn2-11-0-0.sprintlink.net (144.228.44.14)  166.180 ms  166.028 ms  170.228 ms
23  sjck-dirty-gw1.cisco.com (128.107.239.5)  164.721 ms  166.063 ms  166.174 ms
24  sjck-sdf-ciod-gw2.cisco.com (128.107.239.110)  172.908 ms  173.340 ms  173.284 ms
25  www.cisco.com (198.133.219.25)  174.149 ms  174.768 ms *

Now here is where it gets really weird. I have tried reinstalling FW1, since it seems to be the cause of the problem; I have tried STABLE, CURRENT and 5.1-R, all with the same result: it does NOT work. I have tried swapping FW1 and FW2 and the problem stays the same, so it seems to be a misconfiguration on my part (or a bug, but that's less likely I think), but I cannot figure out what it is.

My rules are very simple. On FW1: allow anything out on the external fxp interface with keep state so it can get back in. On FW2 I have a number of BIMAP statements and some NAT statements; the BIMAPs are for the servers where we provide services such as mail, www and ftp.

Any input or ideas would be highly appreciated, this is driving me crazy.

- -- 
- ------------------------------------------------------------------------------------
Matt Douhan
www.fruitsalad.org
CCIE #4004
*** ping elvis ***
*** elvis is alive ***

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/EF0skU5PITZniCURArKOAJ9HuNWbWCJiV0PRMSpFCo5bv4P3aACfXhAn
9G8PqZQeZZ8RUIABr12VA5Q=
=Kda6
-----END PGP SIGNATURE-----

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
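The comparison the poster did by hand (same target, two vantage points, wildly different hop counts and RTTs) can be made repeatable. The following is an added example, not code from the original message or from FreeBSD/ipf: it parses the two traceroute outputs quoted above (the DMZ trace abbreviated to a subset of its hops), summarises hop count and median RTT, flags a trace whose "destination" answers within a small multiple of the first-hop RTT, and reports where two vantage points disagree. The multiplier thresholds are assumed heuristics, and the check only identifies the symptom described in the post; it says nothing about which device is answering or why.

```python
import re
from statistics import median

# Traceroute output quoted from the post above (internal-LAN host "persika"
# and DMZ host "ananas"); the DMZ trace is abbreviated to a subset of hops.
# Constructed sample input for this example, not live measurements.
TRACE_LAN = """\
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
 1  192.168.15.254 (192.168.15.254)  0.698 ms  0.532 ms  0.410 ms
 2  192.168.254.254 (192.168.254.254)  0.781 ms  0.757 ms  0.744 ms
 3  gw-l3-ktv-hc.koping.net (81.16.160.113)  1.210 ms  1.203 ms  1.263 ms
 4  gw-l3-ktv-it.koping.net (81.16.160.6)  1.546 ms  4.123 ms  1.272 ms
 5  rif3-r1-jvg-kop.arrowhead.com (81.216.90.1)  3.336 ms  2.813 ms  2.649 ms
 6  www.cisco.com (198.133.219.25)  1.278 ms  2.610 ms  1.962 ms
"""

TRACE_DMZ = """\
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
 1  firewall2 (192.168.254.254)  0.671 ms  0.458 ms  0.438 ms
 2  gw-l3-ktv-hc.koping.net (81.16.160.113)  0.901 ms  0.931 ms  0.878 ms
14  sl-bb21-cop-12-0.sprintlink.net (213.206.129.33)  14.034 ms * 13.904 ms
19  sl-bb23-sj-9-0.sprintlink.net (144.232.20.11)  227.115 ms  241.136 ms  220.680 ms
24  sjck-sdf-ciod-gw2.cisco.com (128.107.239.110)  172.908 ms  173.340 ms  173.284 ms
25  www.cisco.com (198.133.219.25)  174.149 ms  174.768 ms *
"""

HEADER_RE = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+(.*)$")
RTT_RE = re.compile(r"([\d.]+) ms|\*")   # group is empty for a "*" timeout


def parse_traceroute(text):
    """Return (target_ip, hops); each hop carries ttl, host, ip, rtts, timeouts."""
    target_ip, hops = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target_ip = m.group(2)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # hops that only show "* * *" carry no address; skip them
        rest = m.group(4)
        rtts = [float(x) for x in RTT_RE.findall(rest) if x]
        hops.append({"ttl": int(m.group(1)), "host": m.group(2), "ip": m.group(3),
                     "rtts": rtts, "timeouts": rest.count("*")})
    return target_ip, hops


def summarize(text):
    """Hop count (from the last TTL), whether the target answered, and median RTTs."""
    target_ip, hops = parse_traceroute(text)
    last = hops[-1]
    return {"hops": last["ttl"],
            "reached": last["ip"] == target_ip,
            "first_hop_ms": median(hops[0]["rtts"]),
            "final_ms": median(last["rtts"])}


def looks_intercepted(text, factor=10.0):
    """Heuristic (assumed threshold): a destination known to be far away that
    answers within `factor` x the first-hop RTT is being answered for by
    something nearby, not by the destination itself."""
    s = summarize(text)
    return s["reached"] and s["final_ms"] <= factor * s["first_hop_ms"]


def compare(text_a, text_b, rtt_factor=5.0, hop_factor=2.0):
    """Compare two traces to the same target from different vantage points.
    Returns a list of findings; an empty list means the two views agree."""
    a, b = summarize(text_a), summarize(text_b)
    findings = []
    lo, hi = sorted((a["final_ms"], b["final_ms"]))
    if lo > 0 and hi / lo > rtt_factor:
        findings.append(f"final RTT differs {hi / lo:.0f}x ({lo:.1f} ms vs {hi:.1f} ms)")
    lo_h, hi_h = sorted((a["hops"], b["hops"]))
    if hi_h / lo_h > hop_factor:
        findings.append(f"hop count differs ({lo_h} vs {hi_h}) for the same target")
    return findings


if __name__ == "__main__":
    for name, trace in (("LAN", TRACE_LAN), ("DMZ", TRACE_DMZ)):
        print(name, summarize(trace), "intercepted?", looks_intercepted(trace))
    for finding in compare(TRACE_LAN, TRACE_DMZ):
        print("finding:", finding)
```

Run against the two traces, the LAN view is flagged (the final hop answers in about 2 ms against a 0.5 ms gateway) and the DMZ view is not; the cross-check reports both an RTT mismatch and a hop-count mismatch, which is the same conclusion the post reaches by eye.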