Hi all, I have an issue with kernel pppoe. When I'm in the LAN, all is going out and coming back sweetly. When I'm right on the gateway, DNS works (udp), icmp works, but I can't get TCP to work.
My setup is pretty simple:

CLOWN-----------soekris gateway-----------LAN
                      (vr0)pppoe0 = external interface
                      vr1 = internal interface

Here is a snip of what's going on:

on the lan:

lerequin# uname -a
OpenBSD laptop 4.5 GENERIC#118 i386
lerequin# telnet google.ca 80
Trying 64.233.161.104...
Connected to google.ca.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
lerequin#

on the gateway:

# uname -a
OpenBSD lataupe.xxxxxxx.com 4.5 GENERIC#1749 i386
# ping google.nl
PING google.nl (216.239.59.104): 56 data bytes
64 bytes from 216.239.59.104: icmp_seq=0 ttl=244 time=159.768 ms
--- google.nl ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 159.768/159.768/159.768/0.000 ms
# telnet google.nl 80
Trying 74.125.77.104...
^C
# telnet openbsd.org 80
Trying 199.185.137.3...
^C
# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> freebsd.org
Server:         127.0.0.1
Address:        127.0.0.1#53
Non-authoritative answer:
Name:   freebsd.org
Address: 69.147.83.40
> exit
#

TCP connection *hangs*.
# cat /etc/hostname.vr0
up
# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE pppoedev vr0 authproto pap \
        authname 'xxx...@acanac.net' authkey 'xxxxxxx' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
#
# netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            0.0.0.1            UGS        7  1337177     -     8 pppoe0
10.1.1/24          link#2             UC         4        0     -     4 vr1
10.1.1.1           00:00:24:c9:32:69  UHLc       0       14     -     4 lo0
10.1.1.25          00:22:15:8d:93:ff  UHLc       0        0     -     4 vr1
10.1.1.204         00:0b:6b:36:72:ab  UHLc       2   264074     -     4 vr1
10.1.1.207         link#2             UHLc       1   440518     -     4 vr1
67.XXX.8.1         67.XXX.13.124      UH         0        0     -     4 pppoe0
127/8              127.0.0.1          UGRS       0        0 33204     8 lo0
127.0.0.1          127.0.0.1          UH         2     1899 33204     4 lo0
224/4              127.0.0.1          URS        0        0 33204     8 lo0

# pf rulz stripped down for the post:
# cat /etc/pf.conf
ext_if="pppoe0"
int_if="vr1"
table <lan_sub> { 10.1.1.0/24 }
table <fuckers> persist
set skip on lo0
set debug loud
#scrub all no-df random-id fragment reassemble reassemble tcp
scrub out log (all) on $ext_if max-mss 1440
nat log (all) on $ext_if from !($ext_if) to any -> ($ext_if)
block drop log (all) all
block drop quick log (all) inet6
block drop quick log (all) from <fuckers>
pass in quick log (all) on $int_if modulate state
pass out quick log (all) on $ext_if modulate state
pass in quick log (all) on $ext_if proto tcp from any port > 1024 to ($ext_if) port ssh flags S/SA modulate state (max-src-conn 5, max-src-conn-rate 10/5, overload <fuckers> flush global)
pass in quick log (all) inet proto icmp all icmp-type echoreq modulate state

while doing a telnet google.com 80 on the soekris:

# tcpdump -i pflog0 -X -s 1500 -e -vvv host google.com
tcpdump: listening on pflog0, link-type PFLOG
14:51:04.002160 rule 5/(match) [uid 0, pid 24578] pass out on pppoe0: dsl-67-XXX-13-124.acanac.net.56197 > yx-in-f100.google.com.www: S [tcp sum ok] 4038451558:4038451558(0) win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 697898457 0> (DF) [tos 0x10] (ttl 64, id 51129, len 64)
14:51:04.059010 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821837804 697898457,nop,wscale 6> (ttl 51, id 27033, len 60)
14:51:04.383735 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821838129 697898457,nop,wscale 6> (ttl 51, id 27034, len 60)
14:51:04.984323 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 <mss 1430,sackOK,timestamp 1821838729 697898457,nop,wscale 6> (ttl 51, id 27035, len 60)

The SYN-ACK comes back, but it doesn't reach telnet, so telnet keeps sending SYN until it reaches the timeout. It looks like the packets are natted back to 0.0.0.0 instead of the pppoe0 IP address, and I guess telnet is not listening on 0.0.0.0.

/* Is there anything obvious I'm missing here ??? */

# netstat
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.37330                qy-in-f104.googl.www   SYN_SENT

At this point I don't know more. ......... anyone?

It's probably not related, but pppoe(4) keeps spamming /var/log/messages with this:

May 15 15:59:00 lataupe /bsd: pppoe: alien host unique tag, no session found
May 15 15:59:00 lataupe /bsd: pppoe: received PADO but could not find request for it
May 15 15:59:00 lataupe /bsd: pppoe: alien host unique tag, no session found
May 15 15:59:01 lataupe ppp[24983]: Warning: Sending empty PAP authname!

ISP related?

thanks
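Added here as an example (not part of the original post): a small Python parser for the tcpdump pflog lines above that pairs each outbound SYN with the SYN-ACK acknowledging it (ack == seq + 1) and flags replies whose translated destination is not the address the SYN left from, which is exactly the 0.0.0.0 symptom the post shows. The sample lines are constructed from the post's output with the TCP option fields trimmed, plus one healthy connection for contrast.

```python
import re
from collections import namedtuple

# Constructed sample lines modeled on the tcpdump -i pflog0 output in the post above
# (option fields trimmed; the last two lines are a healthy connection added for contrast).
SAMPLE_PFLOG = """\
14:51:04.002160 rule 5/(match) [uid 0, pid 24578] pass out on pppoe0: dsl-67-XXX-13-124.acanac.net.56197 > yx-in-f100.google.com.www: S [tcp sum ok] 4038451558:4038451558(0) win 16384 (DF) [tos 0x10] (ttl 64, id 51129, len 64)
14:51:04.059010 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 (ttl 51, id 27033, len 60)
14:51:04.383735 rule 0/(match) [uid 0, pid 24578] nat in on pppoe0: yx-in-f100.google.com.www > 0.0.0.0.41797: S [tcp sum ok] 3120326047:3120326047(0) ack 4038451559 win 5672 (ttl 51, id 27034, len 60)
14:51:05.100000 rule 5/(match) [uid 0, pid 24578] pass out on pppoe0: dsl-67-XXX-13-124.acanac.net.60000 > openbsd.org.www: S [tcp sum ok] 100:100(0) win 16384 (DF) (ttl 64, id 1, len 64)
14:51:05.250000 rule 5/(match) [uid 0, pid 24578] pass in on pppoe0: openbsd.org.www > dsl-67-XXX-13-124.acanac.net.60000: S [tcp sum ok] 500:500(0) ack 101 win 5672 (ttl 51, id 2, len 60)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\(\w+\) \[uid \d+, pid \d+\] "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<ifn>\w+): (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\S+) .*?(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

Packet = namedtuple("Packet", "ts rule action direction ifn src sport dst dport flags seq ack")

def parse_pflog(text):
    """Parse tcpdump pflog lines into Packet tuples; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = m["src"].rsplit(".", 1)  # tcpdump prints host.port; port may be a service name
        dst, dport = m["dst"].rsplit(".", 1)
        pkts.append(Packet(m["ts"], int(m["rule"]), m["action"], m["direction"], m["ifn"],
                           src, sport, dst, dport, m["flags"], int(m["seq"]),
                           int(m["ack"]) if m["ack"] else None))
    return pkts

def find_misdirected_replies(pkts):
    """Pair each outbound SYN with the SYN-ACK acknowledging it (ack == seq + 1) and report
    replies whose post-NAT destination is not the host the SYN left from. As in the post,
    a reply rewritten to 0.0.0.0 is the symptom to look for; the local socket never sees it."""
    syns = {p.seq + 1: p for p in pkts if p.direction == "out" and p.flags == "S" and p.ack is None}
    findings = []
    for p in pkts:
        if p.direction != "in" or p.ack not in syns:
            continue
        orig = syns[p.ack]
        if p.dst != orig.src:
            why = "unspecified address 0.0.0.0" if p.dst == "0.0.0.0" else p.dst
            findings.append((orig.ts, p.ts, "reply to %s, but SYN left from %s" % (why, orig.src)))
    return findings
```

Run it against a real `tcpdump -n -i pflog0` capture (with `-n` the endpoints print as numeric addresses, which the same regex handles) to confirm whether every stalled connection shows the same rewritten destination.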