Ran into a similar issue on my ERL when I used egress in my pf rules. Ended up trunking the Ethernet ports using aggr(4) and switched to using that interface in my rules, got failover as a bonus. Still not sure why egress behaves this way and if it's a bug or my own misunderstanding. Running OpenBSD 6.5-current (GENERIC.MP). If this doesn't apply to your situation, apologies and disregard.
On Mon, Jul 29, 2019 at 03:05:14PM -0400, Predrag Punosevac wrote:
Hi Misc,

I am using an Edgerouter Lite as a firewall/DNS caching resolver for one of our remote locations:

ubnt1# uname -mrsv
OpenBSD 6.5 GENERIC.MP#0 octeon

The desktops behind the firewall have to use Kerberised SSH to perform some work on one of the .mil servers. I opened egress ports kerberos, klogin, kshell (TCP protocol) as well as kerberos (UDP). After the work is finished and the desktops are "logged out", the routing tables (DNS) are in a bad state on the firewall. A simple

pfctl -F all -f /etc/pf.conf

fixes the problem and the desktops can again do DNS resolving and surf the Internet. Could somebody give me a head start on how to go about further troubleshooting and fixing the problem? Obviously flushing states is not very convenient.

Most Kind Regards,
Predrag Punosevac
-- Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it.
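For readers who want to try the workaround described in the reply above, here is a constructed configuration sketch; it is an added example, not the poster's actual files. It assumes the two upstream ports on the ERL are cnmac0 and cnmac1 (the octeon port names), that they are cabled to a switch that speaks LACP (aggr(4) requires LACP on the peer; without it, trunk(4) in failover mode is the alternative), and uses the documentation prefix 192.0.2.0/24 as a placeholder address. The pf fragment shows the original egress-keyed rules next to the same rules keyed on the named aggr interface, using the port names from the original message.

```conf
# /etc/hostname.aggr0  (constructed example; port names and address are assumptions)
# Both member ports must be patched to an LACP-capable switch, otherwise the
# aggregate never comes up and nothing behind it has connectivity.
trunkport cnmac0
trunkport cnmac1
inet 192.0.2.2 255.255.255.0
up

# /etc/pf.conf fragment  (constructed example)

# --- variant A: rules keyed on the "egress" interface group ---------------
# "egress" is not a fixed interface; it is whichever interface currently
# carries the default route, so its membership follows routing changes.
pass out on egress proto tcp to port { kerberos klogin kshell }
pass out on egress proto udp to port kerberos

# --- variant B: the reply's approach, rules keyed on the named aggregate ---
ext_if = "aggr0"
pass out on $ext_if proto tcp to port { kerberos klogin kshell }
pass out on $ext_if proto udp to port kerberos
```

Bring the aggregate up with `sh /etc/netstart aggr0` and confirm both members show as active in `ifconfig aggr0` before switching the default route onto it. When chasing the state problem from the original message, the usual places to look after a Kerberos session ends are `pfctl -s states` (states still bound to the old interface or a stale address), `pfctl -s rules` (how `egress` was expanded at load time, since the rules are shown with the group name, not the member), `pfctl -s info` (state counters) and `route -n show` (whether the default route, and therefore the egress group, changed); comparing those before and after the `pfctl -F all -f /etc/pf.conf` that fixes it narrows down whether the states or the routing table is the part that goes bad.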