man 4 pppoe - you're missing part of the pf.conf file:

MTU/MSS ISSUES
     Problems can arise on machines with private IPs connecting to the Inter-
     net via a machine running both Network Address Translation (NAT) and
     pppoe.  Standard Ethernet uses a Maximum Transmission Unit (MTU) of 1500
     bytes, whereas PPPoE mechanisms need a further 8 bytes of overhead.  This
     leaves a maximum MTU of 1492.  pppoe sets the MTU on its interface to
     1492 as a matter of course.  However, machines connecting on a private
     LAN will still have their MTUs set to 1500, causing conflict.

     While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
     default and takes care of this, pppoe users have to rely on other meth-
     ods.  Using a packet filter, the Maximum Segment Size (MSS) can be set
     (clamped) to the required value.  The following rule in pf.conf(5) would
     set the MSS to 1440:

           scrub out on pppoe0 max-mss 1440

     Although in theory the maximum MSS over a PPPoE interface is 1452 bytes,
     1440 appears to be a safer bet.  Note that setting the MSS this way can
     have undesirable effects, such as interfering with the OS detection fea-
     tures of pf(4).




On Thu, 9 Oct 2008 10:11:38 +0100, gm_sjo <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> I am testing my new OpenBSD router in a simple NAT configuration but I
> am getting some strange results. The client machine is a Windows XP
> laptop and the behaviour is that only a handful of websites render
> (google, for example), 99% that i've tried do not. FTP appears to be
> working fine. It doesn't appear to be a local client configuration
> issue as when I point to an alternate NAT gateway, there are no
> problems.
> 
> Here is my configuration :-
> 
> -bash-3.2# ifconfig -A (stripped slightly)
> pppoe1: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
>         dev: fxp2 state: session
>         sid: 0x6 PADI retries: 0 PADR retries: 0 time: 12:00:53
>         sppp: phase network authproto chap authname "xxxxx"
>         groups: pppoe egress
>         inet6 fe80::204:23ff:fecb:1cde%pppoe1 ->  prefixlen 64 scopeid 0x9
>         inet 90.155.88.39 --> 81.187.81.72 netmask 0xffffffff
> fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:02:b3:13:fc:0d
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::202:b3ff:fe13:fc0d%fxp2 prefixlen 64 scopeid 0x5
> em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:04:23:cb:1c:de
>         trunk: trunkdev trunk0
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet6 fe80::204:23ff:fecb:1cde%em0 prefixlen 64 scopeid 0x1
> em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:04:23:cb:1c:de
>         trunk: trunkdev trunk0
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet6 fe80::204:23ff:fecb:1c7d%em1 prefixlen 64 scopeid 0x2
> trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:04:23:cb:1c:de
>         trunk: trunkproto loadbalance
>                 trunkport em1 active
>                 trunkport em0 master,active
>         groups: trunk
>         media: Ethernet autoselect
>         status: active
>         inet6 fe80::204:23ff:fecb:1cde%trunk0 prefixlen 64 scopeid 0xb
> vlan1020: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:04:23:cb:1c:de
>         vlan: 1020 priority: 0 parent interface: trunk0
>         groups: vlan
>         inet6 fe80::204:23ff:fecb:1cde%vlan1020 prefixlen 64 scopeid 0xe
>         inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
> 
> 
> -bash-3.2# route show -inet (stripped)
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags    Refs      Use    Mtu  Interface
> default            careless.aaisp.net UGS         1     8539      -   pppoe1
> 0.0.0.1            default            UH          0        0      -   pppoe0
> careless.aaisp.net 90.155.88.39       UH          1        2      -   pppoe1
> 
> (pppoe0 is not currently in-use)
> 
> 
> -bash-3.2# cat /etc/pf.conf
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> nat on pppoe1 from vlan1020:network to any -> (pppoe1)
> rdr pass on vlan1020 proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> anchor "ftp-proxy/*"
> 
> 
> 
> 
> Scenario:-
> 
> - Windows client sitting on a 802.1q tagged network.
> - Vlan ID is 1020 and is set to be the default vlan on the switch port
> its attached to.
> - Default gw on client is 192.168.10.1
> - trunk0 on firewall is configured as a trunk on the switch (em0/em1),
> albeit not 802.3ad (not sure on standard)
> - Client can ping any host on the internet
> - Client appears to be able to connect to any internet host on port
> 80, and a 'GET /' works (albeit often to a http 1.1 error as you'd
> expect)
> - Only a couple of the website i've tried actually render in a
> browser, google does for example.
> - I can grab small text files (<1KB) from a site, but larger ones
> don't work. Looks like size is relevant.
> - Connection works fine from the firewall itself, can grab anything
> from anywhere with no issue (does this rule out MTU issues on the WAN
> link?)
> 
> 
> I don't have any tcpdump or debug data handy where I am at the moment,
> but can obtain some later today upon request.
> 
> Any thoughts on how I can debug this? Any more info I can provide to help?
> 
> Thanks in advance!
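
Applied to the quoted configuration, the rule from the pppoe(4) excerpt above would have to name the interface actually in use, i.e. `scrub out on pppoe1 max-mss 1440` rather than pppoe0. The block below is an added example, not code from pppoe(4), pf(4) or either poster, that shows what such a max-mss rule does on the wire: it walks the TCP options of a SYN, lowers the MSS option to the clamp value and recomputes the TCP checksum, and leaves non-SYN segments and SYNs carrying no MSS option untouched (pf does not insert an option the host never sent). It also derives the 1452 figure the man page quotes (1500 - 8 bytes PPPoE - 20 IPv4 - 20 TCP). The client and server addresses, ports and the SYN itself are constructed for the example and are not taken from the thread.

```python
"""Simulate pf's `scrub ... max-mss N` on a constructed TCP SYN.

Added example; not from pppoe(4), pf(4) or the mailing-list thread.
"""
import socket
import struct

IP_HDR_LEN = 20        # IPv4 header without options
TCP_HDR_LEN = 20       # TCP header without options
PPPOE_OVERHEAD = 8     # PPPoE (6) + PPP protocol (2) bytes, per pppoe(4)
ETHERNET_MTU = 1500

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN = 0x02


def max_mss_for_link(link_mtu=ETHERNET_MTU, encap_overhead=PPPOE_OVERHEAD):
    """Largest MSS whose segments fit one frame: 1500 - 8 - 20 - 20 = 1452."""
    return link_mtu - encap_overhead - IP_HDR_LEN - TCP_HDR_LEN


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    """A segment whose checksum field is correct sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_syn(src_ip, dst_ip, src_port, dst_port, mss, seq=0x1000, window=65535):
    """Constructed TCP SYN with one MSS option (mss=None: no option at all)."""
    options = b"" if mss is None else struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4    # MSS option is 4-byte aligned
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      data_offset << 4, TH_SYN, window, 0, 0)
    segment = hdr + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def _mss_option_offset(segment):
    """Byte offset of the 16-bit MSS value inside the segment, or None."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_offset:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            break                            # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            break                            # malformed option: stop parsing
        if kind == TCPOPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def parse_mss(segment):
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]


def clamp_mss(src_ip, dst_ip, segment, max_mss):
    """Lower the MSS option of a SYN to max_mss and fix the checksum.

    Returns (segment, original_mss).  Non-SYN segments and SYNs without an
    MSS option are returned unchanged, which is what pf does as well.
    """
    if not segment[13] & TH_SYN:
        return segment, None
    off = _mss_option_offset(segment)
    if off is None:
        return segment, None
    mss = struct.unpack_from("!H", segment, off)[0]
    if mss <= max_mss:
        return segment, mss
    rewritten = bytearray(segment)
    struct.pack_into("!H", rewritten, off, max_mss)
    struct.pack_into("!H", rewritten, 16, 0)              # zero, then recompute
    struct.pack_into("!H", rewritten, 16,
                     tcp_checksum(src_ip, dst_ip, bytes(rewritten)))
    return bytes(rewritten), mss


if __name__ == "__main__":
    client, server = "192.168.20.10", "198.51.100.10"   # assumed addresses
    syn = build_syn(client, server, 1025, 80, mss=1460)  # typical MSS for a 1500 MTU LAN
    clamped, old = clamp_mss(client, server, syn, 1440)
    print("max MSS over PPPoE:", max_mss_for_link())
    print("client MSS %d -> %d, checksum ok: %s"
          % (old, parse_mss(clamped), checksum_ok(client, server, clamped)))
```

The clamp only touches the SYN, so the pf rule fires once per connection; a LAN host that advertised 1460 is told to send at most 1440-byte segments, which fit inside the 1492-byte pppoe interface MTU with margin. That is also why transfers from the router itself work while clients behind NAT stall on anything larger than a single small segment: the router's own stack already uses the 1492 MTU, the clients still assume 1500.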
