Here we go:
PING
REACHABLE
# ping -c www.google.com.br
ping: invalid count of packets to transmit: `www.google.com.br'
# ping -c 5 www.google.com.br
PING www.l.google.com (64.233.163.147): 56 data bytes
64 bytes from 64.233.163.147: icmp_seq=0 ttl=246 time=16.464 ms
64 bytes from 64.233.163.147: icmp_seq=1 ttl=246 time=15.858 ms
64 bytes from 64.233.163.147: icmp_seq=2 ttl=246 time=10.307 ms
64 bytes from 64.233.163.147: icmp_seq=3 ttl=246 time=11.087 ms
64 bytes from 64.233.163.147: icmp_seq=4 ttl=246 time=11.561 ms
--- www.l.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 10.307/13.055/16.464/2.574 ms
# ping -c 5 64.233.163.147
PING 64.233.163.147 (64.233.163.147): 56 data bytes
64 bytes from 64.233.163.147: icmp_seq=0 ttl=246 time=11.294 ms
64 bytes from 64.233.163.147: icmp_seq=1 ttl=246 time=10.966 ms
64 bytes from 64.233.163.147: icmp_seq=2 ttl=246 time=11.355 ms
64 bytes from 64.233.163.147: icmp_seq=3 ttl=246 time=9.594 ms
64 bytes from 64.233.163.147: icmp_seq=4 ttl=246 time=10.722 ms
--- 64.233.163.147 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.594/10.786/11.355/0.639 ms
NOT REACHABLE
# ping -c 5 www.uol.com.br
PING www.uol.com.br (200.221.2.45): 56 data bytes
--- www.uol.com.br ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
# ping -c 5 200.221.2.45
PING 200.221.2.45 (200.221.2.45): 56 data bytes
--- 200.221.2.45 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
TRACEROUTE
# traceroute www.google.com.br
traceroute: Warning: www.google.com.br has multiple addresses; using 64.233.163.147
traceroute to www.l.google.com (64.233.163.147), 64 hops max, 40 byte packets
1 * * *
2 IG.ufscar.br (200.9.84.100) 0.736 ms 0.547 ms 0.485 ms
3 G-0-3-EG.ufscar.br (200.136.207.1) 2.213 ms 2.167 ms 2.270 ms
4 143-108-254-190.ansp.br (143.108.254.190) 9.928 ms 11.357 ms 8.314 ms
5 143.107.151.189 (143.107.151.189) 9.167 ms 8.678 ms 11.103 ms
6 as15169.sp.ptt.br (200.219.130.55) 11.608 ms 9.723 ms 9.739 ms
7 209.85.249.232 (209.85.249.232) 12.872 ms 209.85.250.246 (209.85.250.246) 10.343 ms 11.149 ms
8 72.14.233.93 (72.14.233.93) 17.324 ms 10.357 ms 72.14.233.89 (72.14.233.89) 11.459 ms
9 64.233.175.58 (64.233.175.58) 15.439 ms 11.086 ms 14.442 ms
10 bs-in-f147.google.com (64.233.163.147) 11.232 ms 10.612 ms 10.554 ms
# traceroute 64.233.163.147
traceroute to 64.233.163.147 (64.233.163.147), 64 hops max, 40 byte packets
1 * * *
2 IG.ufscar.br (200.9.84.100) 1.109 ms 0.873 ms 0.694 ms
3 G-0-3-EG.ufscar.br (200.136.207.1) 1.531 ms 1.012 ms 1.513 ms
4 143-108-254-190.ansp.br (143.108.254.190) 9.298 ms 9.486 ms 8.528 ms
5 143.107.151.189 (143.107.151.189) 10.161 ms 18.737 ms 9.064 ms
6 as15169.sp.ptt.br (200.219.130.55) 11.519 ms 20.345 ms 10.537 ms
7 209.85.250.246 (209.85.250.246) 11.866 ms 209.85.249.232 (209.85.249.232) 14.226 ms 10.419 ms
8 72.14.233.89 (72.14.233.89) 43.640 ms 15.506 ms 72.14.233.95 (72.14.233.95) 13.289 ms
9 64.233.175.54 (64.233.175.54) 24.769 ms 64.233.175.18 (64.233.175.18) 11.389 ms 15.574 ms
10 bs-in-f147.google.com (64.233.163.147) 11.254 ms 10.800 ms 9.985 ms
# pfctl -sa | grep 64.233.163.147
all udp 200.136.226.143:56448 -> 64.233.163.147:33435       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33436       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33437       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33438       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33439       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33440       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33441       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33442       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33443       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33444       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33445       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33446       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:56448 -> 64.233.163.147:33447       SINGLE:NO_TRAFFIC
# traceroute www.uol.com.br
traceroute: Warning: www.uol.com.br has multiple addresses; using 200.221.2.45
traceroute to www.uol.com.br (200.221.2.45), 64 hops max, 40 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
# pfctl -sa | grep 200.221.2.45
all udp 200.136.226.143:55938 -> 200.221.2.45:33458       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:55938 -> 200.221.2.45:33459       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:55938 -> 200.221.2.45:33460       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:55938 -> 200.221.2.45:33461       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:55938 -> 200.221.2.45:33462       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:55938 -> 200.221.2.45:33463       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:55938 -> 200.221.2.45:33464       SINGLE:NO_TRAFFIC
all udp 200.136.226.143:55938 -> 200.221.2.45:33465       SINGLE:NO_TRAFFIC
+++++++++++++++++++++++++++++++++++++++++++++++++++++=
I wasn't clear about "clients", sorry. In this case, the clients are the users' desktop machines behind the NAT (the pfSense box). Attached are the results of the same commands above, as well as the tests with dig.
Regards
P.S.1: Google is reachable normally, UOL is not. As seen in the traceroutes_clientes file, the rule is a pass.
P.S.2: Mr. Trober, the MTU solution did not fix it. Thanks.
Trober wrote:
> Gentlemen, after configuring pfSense to do NAT (outbound only), the NAT works. But only for some sites.
>
> The rules are attached.
>
> However, I cannot access the site from the clients, nor from the server itself.
>
> Some examples that cannot be reached:
>
> www.uol.com.br www.yahoo.com.br gdk.thegamecreators.com
>
> Among others.
>
> Any light?
>
> Thanks
>
> P.S.: Trying these rules, the problem persists.
>
> nat on re0 from any to any -> (re0)
> pass quick on re0 all keep state
> pass quick on xl0 all keep state
>
> Cheers
> -------------------------
> Hi Zhu Sha Zang!
> Man, this problem of yours looks a lot like "double NATting" (when there is a NAT behind another NAT, e.g. a server behind ADSL).
> I worked around it by changing the MTU of the FreeBSD external interface to 1450, because if it is anything else (such as 1500), your users will not be able to upload files to Hotmail or Yahoo, or authenticate over HTTPS.
> In the underground (.dk, .ru, .pl) the guys are using 1300. As far as I remember, 1300 is so as not to go against one of the IPv6 RFCs, which defines the minimum MTU as 1280.
> I may be completely wrong about the exact cause of the problem, but it works!
> Regards,
> Trober
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
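Trober's workaround assumes the path behind the double NAT has an MTU below 1500 and then guesses the value (1450, or 1300 to stay clear of the 1280-byte floor RFC 2460 sets for IPv6 links). Instead of guessing, the path MTU can be measured: send ICMP echo requests with the DF bit set and binary-search the largest size that still gets an answer. The script below is an added example, not code from this thread or from pfSense. It assumes FreeBSD's `ping -D` (iputils' `ping -M do` on Linux) to set DF, a 28-byte IPv4-plus-ICMP header overhead, and that it runs on the FreeBSD/pfSense box against a host that answers echo requests. The probe is injectable, so the search itself can be exercised offline against a simulated path.

```python
"""Measure the path MTU to a host with DF-flagged ICMP echoes.
Added example, not from the thread; ping flags are assumed (FreeBSD -D/-t, iputils -M do/-W)."""
import subprocess
import sys

IPV4_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
IPV6_MIN_MTU = 1280       # RFC 2460 minimum link MTU, the floor the thread's "1300" keeps clear of
ETHERNET_MTU = 1500


def df_ping_probe(host, payload, timeout=2):
    """Send one echo request carrying `payload` bytes with DF set; True if it was answered.
    A packet larger than the path MTU is either dropped on the way (no reply) or rejected
    locally ("sendto: Message too long"); both give a non-zero exit status."""
    if sys.platform.startswith("linux"):
        cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host]
    else:  # FreeBSD/macOS-style ping
        cmd = ["ping", "-c", "1", "-t", str(timeout), "-D", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def find_path_mtu(host, probe=df_ping_probe, lo=IPV6_MIN_MTU, hi=ETHERNET_MTU):
    """Largest total IP packet size in [lo, hi] that passes with DF set, or None when even
    `lo` fails (the host filters ICMP, or the path MTU is below the IPv6 floor)."""
    if not probe(host, lo - IPV4_ICMP_OVERHEAD):
        return None
    good, bad = lo, hi + 1          # invariant: `good` passes; `bad` fails (or is hi + 1)
    while bad - good > 1:
        mid = (good + bad) // 2
        if probe(host, mid - IPV4_ICMP_OVERHEAD):
            good = mid
        else:
            bad = mid
    return good


def max_mss(path_mtu):
    """TCP MSS that fits the measured MTU: subtract the 20-byte IPv4 and 20-byte TCP headers.
    This is the N for `scrub out on re0 all max-mss N` in pf.conf."""
    return path_mtu - 40


def simulated_path(path_mtu):
    """Offline stand-in for df_ping_probe: a path that drops DF packets larger than path_mtu."""
    return lambda host, payload: payload + IPV4_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.google.com.br"
    mtu = find_path_mtu(target)
    if mtu is None:
        print(f"{target}: no DF-flagged echo of {IPV6_MIN_MTU} bytes was answered")
    else:
        print(f"{target}: path MTU {mtu}, suggested max-mss {max_mss(mtu)}")
```

Run it as `python3 pmtu.py www.google.com.br` from the NAT box. If the measured path MTU is below 1500, lowering the external interface MTU as the thread suggests does work, but it affects every protocol; the narrower fix in pf is `scrub out on re0 all max-mss N` with N forty bytes below the path MTU, which only clamps TCP MSS. A measured path MTU of 1500 with the problem still present points away from MTU altogether; the thread's own dig queries to 208.67.222.222 time out from both the server and the clients, and a single small DNS query is far below any MTU.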
PING www.l.google.com (64.233.163.147) 56(84) bytes of data.
64 bytes from bs-in-f147.google.com (64.233.163.147): icmp_seq=1 ttl=245 time=19.8 ms
64 bytes from bs-in-f147.google.com (64.233.163.147): icmp_seq=2 ttl=245 time=13.6 ms
64 bytes from bs-in-f147.google.com (64.233.163.147): icmp_seq=3 ttl=245 time=12.6 ms
64 bytes from bs-in-f147.google.com (64.233.163.147): icmp_seq=4 ttl=245 time=12.9 ms
64 bytes from bs-in-f147.google.com (64.233.163.147): icmp_seq=5 ttl=245 time=14.2 ms
--- www.l.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 12.675/14.698/19.890/2.659 ms
PING 64.233.163.103 (64.233.163.103) 56(84) bytes of data.
64 bytes from 64.233.163.103: icmp_seq=1 ttl=245 time=18.0 ms
64 bytes from 64.233.163.103: icmp_seq=2 ttl=245 time=14.7 ms
64 bytes from 64.233.163.103: icmp_seq=3 ttl=245 time=12.8 ms
64 bytes from 64.233.163.103: icmp_seq=4 ttl=245 time=26.3 ms
64 bytes from 64.233.163.103: icmp_seq=5 ttl=245 time=18.8 ms
--- 64.233.163.103 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 12.825/18.172/26.346/4.639 ms
1 10.0.0.1 (10.0.0.1) 2 ms 3 ms 3 ms
2 * * *
3 IG.ufscar.br (200.9.84.100) 3 ms 2 ms 3 ms
4 G-0-3-EG.ufscar.br (200.136.207.1) 3 ms 3 ms 3 ms
5 143-108-254-190.ansp.br (143.108.254.190) 11 ms * 14 ms
6 143.107.151.189 (143.107.151.189) 17 ms 20 ms *
7 as15169.sp.ptt.br (200.219.130.55) 15 ms 14 ms 15 ms
8 209.85.250.246 (209.85.250.246) 15 ms (TOS=128!) 14 ms 16 ms
9 72.14.233.95 (72.14.233.95) 14 ms 72.14.233.89 (72.14.233.89) 20 ms 13 ms
10 64.233.175.58 (64.233.175.58) 24 ms 64.233.175.54 (64.233.175.54) 17 ms 15 ms
11 64.233.163.104 (64.233.163.104) 14 ms (TOS=0!) 14 ms 12 ms
; <<>> DiG 9.4.3-P2 <<>> www.google.com.br
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41381
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 7, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com.br. IN A
;; ANSWER SECTION:
www.google.com.br. 253576 IN CNAME www.google.com.
www.google.com. 80039 IN CNAME www.l.google.com.
www.l.google.com. 91 IN A 64.233.163.147
www.l.google.com. 91 IN A 64.233.163.99
www.l.google.com. 91 IN A 64.233.163.103
www.l.google.com. 91 IN A 64.233.163.104
;; AUTHORITY SECTION:
l.google.com. 82109 IN NS f.l.google.com.
l.google.com. 82109 IN NS c.l.google.com.
l.google.com. 82109 IN NS g.l.google.com.
l.google.com. 82109 IN NS e.l.google.com.
l.google.com. 82109 IN NS a.l.google.com.
l.google.com. 82109 IN NS d.l.google.com.
l.google.com. 82109 IN NS b.l.google.com.
;; Query time: 5 msec
;; SERVER: 200.136.226.155#53(200.136.226.155)
;; WHEN: Wed May 20 11:18:08 2009
;; MSG SIZE rcvd: 259
; <<>> DiG 9.4.3-P2 <<>> www.google.com.br soa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43622
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com.br. IN SOA
;; ANSWER SECTION:
www.google.com.br. 253506 IN CNAME www.google.com.
www.google.com. 79969 IN CNAME www.l.google.com.
;; AUTHORITY SECTION:
l.google.com. 60 IN SOA e.l.google.com. dns-admin.google.com. 1380921 900 900 1800 60
;; Query time: 166 msec
;; SERVER: 200.136.226.155#53(200.136.226.155)
;; WHEN: Wed May 20 11:19:19 2009
;; MSG SIZE rcvd: 131
; <<>> DiG 9.4.3-P2 <<>> @208.67.222.222 www.google.com.br soa
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
PING www.uol.com.br (200.221.2.45) 56(84) bytes of data.
--- www.uol.com.br ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms
PING 200.98.249.120 (200.98.249.120) 56(84) bytes of data.
--- 200.98.249.120 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4000ms
1 10.0.0.1 (10.0.0.1) 9 ms 2 ms 2 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 *
; <<>> DiG 9.4.3-P2 <<>> www.uol.com.br
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31662
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 2
;; QUESTION SECTION:
;www.uol.com.br. IN A
;; ANSWER SECTION:
www.uol.com.br. 300 IN A 200.221.2.45
www.uol.com.br. 300 IN A 200.98.249.120
;; AUTHORITY SECTION:
uol.com.br. 2076 IN NS eliot.uol.com.br.
uol.com.br. 2076 IN NS charles.uol.com.br.
uol.com.br. 2076 IN NS borges.uol.com.br.
;; ADDITIONAL SECTION:
eliot.uol.com.br. 2076 IN A 200.221.11.98
borges.uol.com.br. 2076 IN A 200.147.255.105
;; Query time: 24 msec
;; SERVER: 200.136.226.155#53(200.136.226.155)
;; WHEN: Wed May 20 11:18:19 2009
;; MSG SIZE rcvd: 159
; <<>> DiG 9.4.3-P2 <<>> www.uol.com.br soa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31659
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.uol.com.br. IN SOA
;; AUTHORITY SECTION:
uol.com.br. 3584 IN SOA eliot.uol.com.br. root.uol.com.br. 2009052000 7200 3600 432000 3600
;; Query time: 3 msec
;; SERVER: 200.136.226.155#53(200.136.226.155)
;; WHEN: Wed May 20 11:19:24 2009
;; MSG SIZE rcvd: 79
; <<>> DiG 9.4.3-P2 <<>> @208.67.222.222 www.uol.com.br soa
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
all udp 64.233.163.104:33467 <- 10.0.0.98:43548       NO_TRAFFIC:SINGLE
all udp 10.0.0.98:43548 -> 200.136.226.143:47365 -> 64.233.163.104:33467       SINGLE:NO_TRAFFIC
3. 003047 rule 70/0(match): pass in on xl0: 10.0.0.98.43561 > 200.98.249.120.33467: UDP, length 12
all udp 200.98.249.120:33464 <- 10.0.0.98:43561       NO_TRAFFIC:SINGLE
all udp 10.0.0.98:43561 -> 200.136.226.143:62780 -> 200.98.249.120:33464       SINGLE:NO_TRAFFIC
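As an added example (not code from the thread or from pfSense), here is a small Python parser for the `pfctl -ss` state lines quoted above. It reads both halves of a NAT'd flow, the `pass in` half that pf prints as `dst <- src` and the `pass out` half that carries the translation as `src -> nat -> dst`, merges them, and reports per remote host whether a translation was shown and whether anything came back. The sample lines are taken from the thread (wrapped lines rejoined) plus one constructed TCP state for contrast; the field ordering relied on is the one visible in the thread's own output. The caveat the table makes visible is worth stating: for UDP traceroute probes a `NO_TRAFFIC` remote side is normal, because the replies are ICMP, so the state table confirms that the rules pass and that NAT is applied, but by itself it cannot tell a reachable destination (Google) from an unreachable one (UOL); that distinction needs tcpdump on the external interface or the pflog entries.

```python
import re

# Constructed sample in the shape of the thread's `pfctl -ss` lines: two host-side
# traceroute probes, two NAT'd client probes seen as both halves, and one
# constructed TCP state (last line) for contrast.
SAMPLE_STATES = [
    "all udp 200.136.226.143:56448 -> 64.233.163.147:33435       SINGLE:NO_TRAFFIC",
    "all udp 200.136.226.143:55938 -> 200.221.2.45:33458       SINGLE:NO_TRAFFIC",
    "all udp 64.233.163.104:33467 <- 10.0.0.98:43548       NO_TRAFFIC:SINGLE",
    "all udp 10.0.0.98:43548 -> 200.136.226.143:47365 -> 64.233.163.104:33467       SINGLE:NO_TRAFFIC",
    "all udp 200.98.249.120:33464 <- 10.0.0.98:43561       NO_TRAFFIC:SINGLE",
    "all udp 10.0.0.98:43561 -> 200.136.226.143:62780 -> 200.98.249.120:33464       SINGLE:NO_TRAFFIC",
    "all tcp 10.0.0.98:50012 -> 200.136.226.143:60001 -> 64.233.163.147:80       ESTABLISHED:ESTABLISHED",
]

EP = r"\d{1,3}(?:\.\d{1,3}){3}:\d+"            # IPv4 address:port
STATE_RE = re.compile(
    rf"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>{EP})\s+(?P<dir>->|<-)\s+(?P<b>{EP})"
    rf"(?:\s+->\s+(?P<c>{EP}))?\s+(?P<left>[A-Z_0-9]+):(?P<right>[A-Z_0-9]+)\s*$"
)


def parse_state(line):
    """One state line -> flow record keyed on the pre-NAT client and the remote.

    `X -> Y`       created by a `pass out` rule, no translation
    `X -> G -> Y`  created by `pass out` with NAT applied: G is the translated address
    `Y <- X`       created by a `pass in` rule; pf prints the destination first
    The two state words (left:right) follow the same order as the addresses.
    """
    m = STATE_RE.match(line)
    if m is None:
        return None
    if m["dir"] == "->":
        client, nat, remote = m["a"], (m["b"] if m["c"] else None), (m["c"] or m["b"])
        client_state, remote_state = m["left"], m["right"]
    else:
        client, nat, remote = m["b"], None, m["a"]
        client_state, remote_state = m["right"], m["left"]
    return {"iface": m["iface"], "proto": m["proto"], "half": "out" if m["dir"] == "->" else "in",
            "client": client, "nat": nat, "remote": remote,
            "client_state": client_state, "remote_state": remote_state}


def summarize(lines):
    """Merge the in/out halves of each flow and report per remote host: number of
    flows, whether a NAT translation was shown, and how many flows saw a reply."""
    flows = {}
    for line in lines:
        rec = parse_state(line)
        if rec is None:           # skip headers, counters, wrapped fragments
            continue
        flow = flows.setdefault((rec["proto"], rec["client"], rec["remote"]), {})
        if rec["nat"]:
            flow["nat"] = rec["nat"]
        flow[rec["half"]] = rec["remote_state"]
    report = {}
    for (_proto, _client, remote), flow in flows.items():
        host = remote.rsplit(":", 1)[0]
        r = report.setdefault(host, {"flows": 0, "nat": False, "replied": 0})
        r["flows"] += 1
        r["nat"] = r["nat"] or "nat" in flow
        # NO_TRAFFIC on the remote side means nothing came back on this protocol;
        # for UDP traceroute probes that is expected, since the replies are ICMP.
        if any(s != "NO_TRAFFIC" for s in (flow.get("in"), flow.get("out")) if s):
            r["replied"] += 1
    return report


if __name__ == "__main__":
    for host, r in sorted(summarize(SAMPLE_STATES).items()):
        nat = "yes" if r["nat"] else "no"
        print(f"{host:18} flows={r['flows']} nat={nat:3} replied={r['replied']}")
```

Feed it real output with `pfctl -ss | python3 pfstates.py` after changing the `__main__` block to read `sys.stdin`; on the thread's data it reports the same picture for the reachable and the unreachable hosts (NAT applied, no UDP reply), which is exactly why the next step there is a packet capture rather than more state-table greps.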