Netgate Discussion Forum
    OPT cannot access internet

    zabidin2

      Here is some code:

      # netstat -nr
      Routing tables
      
      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            219.93.218.176     UGS         0    11684    ng0
      60.54.177.197      lo0                UHS         0        0    lo0
      127.0.0.1          127.0.0.1          UH          0       43    lo0
      192.168.8.0/24     link#2             UC          0        0    rl0
      192.168.8.199      00:14:a5:73:f2:09  UHLW        1     3947    rl0   1048
      192.168.8.210      00:60:b3:58:d2:46  UHLW        1      165    rl0   1115
      192.168.8.214      00:12:0e:a9:00:a5  UHLW        1       59    rl0   1077
      192.168.8.219      00:30:0a:de:7e:e4  UHLW        1       49    rl0   1076
      192.168.8.222      00:17:c4:22:bd:5c  UHLW        1    12724    rl0   1024
      192.168.9.0/24     link#3             UC          0        0    rl1
      192.168.9.31       00:1e:8c:c8:cb:89  UHLW        1        6    rl1   1100
      219.93.218.176     60.54.177.197      UH          1       25    ng0
      
      Internet6:
      Destination                       Gateway                       Flags      Netif                                                      Expire
      ::1                               ::1                           UHL         lo0
      fe80::%rl0/64                     link#2                        UC          rl0
      fe80::222:b0ff:fece:1309%rl0      00:22:b0:ce:13:09             UHL         lo0
      fe80::%rl1/64                     link#3                        UC          rl1
      fe80::221:91ff:feeb:e52b%rl1      00:21:91:eb:e5:2b             UHL         lo0
      fe80::%rl2/64                     link#4                        UC          rl2
      fe80::222:b0ff:fece:de2%rl2       00:22:b0:ce:0d:e2             UHL         lo0
      fe80::%lo0/64                     fe80::1%lo0                   U           lo0
      fe80::1%lo0                       link#7                        UHL         lo0
      fe80::%ng0/64                     link#10                       UC          ng0
      fe80::213:d4ff:fe43:31ca%ng0      link#10                       UHL         lo0
      ff01:2::/32                       link#2                        UC          rl0
      ff01:3::/32                       link#3                        UC          rl1
      ff01:4::/32                       link#4                        UC          rl2
      ff01:7::/32                       ::1                           UC          lo0
      ff01:a::/32                       link#10                       UC          ng0
      ff02::%rl0/32                     link#2                        UC          rl0
      ff02::%rl1/32                     link#3                        UC          rl1
      ff02::%rl2/32                     link#4                        UC          rl2
      ff02::%lo0/32                     ::1                           UC          lo0
      ff02::%ng0/32                     link#10                       UC          ng0
      
      

      pfctl -sr | grep rl1

      # pfctl -sr | grep rl1
      block drop in on ! rl1 inet from 192.168.9.0/24 to any
      block drop in on rl1 inet6 from fe80::221:91ff:feeb:e52b to any
      pass out quick on rl1 all flags S/SA keep state label "let out anything from firewall host itself"
      pass out quick on rl1 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
      pass out quick on rl1 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
      pass in quick on rl1 inet from 192.168.9.0/24 to any flags S/SA keep state label "USER_RULE: OPT1 -> Any"
      pass in quick on rl1 inet proto icmp from 192.168.9.0/24 to 192.168.9.8 keep state label "USER_RULE: OPT1 to ping firewall"
      pass in quick on rl1 inet proto tcp from 192.168.9.0/24 to 192.168.9.8 port = domain flags S/SA keep state label "USER_RULE: OPT1 to DNS on firewall"
      pass in quick on rl1 inet proto icmp from 192.168.9.0/24 to 192.168.8.0/24 keep state label "USER_RULE: Ping from OPT1 to LAN"
      pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
      
      

      pfctl -sn

      # pfctl -sn
      nat-anchor "pftpx/*" all
      nat-anchor "natearly/*" all
      nat-anchor "natrules/*" all
      nat on rl2 inet from 192.168.8.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
      nat on ng0 inet from 192.168.8.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
      nat on rl2 inet from 192.168.8.0/24 port = 5060 to any port = 5060 -> (ng0) port 5060 round-robin
      nat on ng0 inet from 192.168.8.0/24 port = 5060 to any port = 5060 -> (ng0) port 5060 round-robin
      nat on rl2 inet from 192.168.8.0/24 to any -> (ng0) round-robin
      nat on ng0 inet from 192.168.8.0/24 to any -> (ng0) round-robin
      nat on rl2 inet from 192.168.9.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
      nat on ng0 inet from 192.168.9.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
      nat on rl2 inet from 192.168.9.0/24 port = 5060 to any port = 5060 -> (ng0) port 5060 round-robin
      nat on ng0 inet from 192.168.9.0/24 port = 5060 to any port = 5060 -> (ng0) port 5060 round-robin
      nat on rl2 inet from 192.168.9.0/24 to any -> (ng0) round-robin
      nat on ng0 inet from 192.168.9.0/24 to any -> (ng0) round-robin
      rdr-anchor "pftpx/*" all
      rdr-anchor "slb" all
      no rdr on rl0 proto tcp from any to <vpns> port = ftp
      no rdr on rl0 proto tcp from <onetoonelist> to any port = ftp
      rdr on rl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
      no rdr on rl1 proto tcp from any to <vpns> port = ftp
      no rdr on rl1 proto tcp from <onetoonelist> to any port = ftp
      rdr on rl1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8022
      rdr on ng0 inet proto tcp from any to any port = domain -> 192.168.9.35
      rdr on ng0 inet proto tcp from any to any port = http -> 192.168.9.31 port 7778
      rdr on ng0 inet proto tcp from any to any port = 7777 -> 192.168.9.31
      rdr on ng0 inet proto tcp from any to any port = 7778 -> 192.168.9.31
      rdr on ng0 inet proto tcp from any to any port = 8080 -> 192.168.9.20
      rdr on ng0 inet proto tcp from any to any port = 8081 -> 192.168.9.32 port 80
      rdr on ng0 inet proto tcp from any to any port = 18022 -> 192.168.9.34 port 2022
      rdr on ng0 inet proto tcp from any to any port 28880:28889 -> 192.168.9.31 port 28880:28889
      rdr on ng0 inet proto tcp from any to any port = http -> 192.168.9.34 port 2022
      rdr on ng0 inet proto tcp from any to 60.54.177.197 port 4662:4681 -> 192.168.8.99 port 4662:4681
      rdr on ng0 inet proto udp from any to 60.54.177.197 port 4662:4681 -> 192.168.8.99 port 4662:4681
      rdr on ng0 inet proto tcp from any to any port 6750:6859 -> 192.168.9.33 port 6750:6859
      rdr on ng0 inet proto udp from any to any port 6750:6859 -> 192.168.9.33 port 6750:6859
      rdr on ng0 inet proto tcp from any to any port 6890:6999 -> 192.168.9.34 port 6890:6999
      rdr on ng0 inet proto udp from any to any port 6890:6999 -> 192.168.9.34 port 6890:6999
      rdr on ng0 inet proto tcp from any to ! (ng0) port = http -> 127.0.0.1 port 80
      rdr-anchor "imspector" all
      rdr-anchor "miniupnpd" all
      rdr on ng0 inet proto tcp from any to (ng0) port = 8181 -> 127.0.0.1 port 8181
      binat on ng0 inet from 192.168.9.0/24 to any -> 60.54.177.0/24
      

      Hope this can solve my problem. ;)
      Just curious, why does my static IP from the ISP use the loopback to connect to the internet?

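The translation table in the post above lists both `nat` rules for 192.168.9.0/24 and a `binat` rule for the same subnet on ng0. The following Python checker is an added example for this thread, not code from any post: it parses `pfctl -sn` lines and reports which translation rule pf would apply to a given outbound packet and what the source address becomes. It assumes pf's outbound lookup order of binat before nat (pf_get_translation in pf.c) and first-match-wins within each ruleset; interface groups such as `(ng0)` and tables such as `<vpns>` cannot be resolved offline and are treated as matching nothing. The sample rules are a constructed subset of the listing above.

```python
"""Which pf translation rule hits an outbound packet, read from `pfctl -sn` output.

Added example for this thread, not code from any post. It assumes pf's
outbound lookup order: binat is matched before nat (pf_get_translation in
pf.c), and within each ruleset the first matching rule wins. Interface
groups like (ng0) and tables like <vpns> cannot be resolved offline and are
treated as matching no address.
"""
import ipaddress
import re

# Constructed sample: a subset of the pfctl -sn listing posted above.
SAMPLE_PFCTL_SN = """\
nat-anchor "natrules/*" all
nat on ng0 inet from 192.168.8.0/24 port = isakmp to any port = isakmp -> (ng0) port 500 round-robin
nat on ng0 inet from 192.168.8.0/24 to any -> (ng0) round-robin
nat on ng0 inet from 192.168.9.0/24 to any -> (ng0) round-robin
rdr on ng0 inet proto tcp from any to any port = http -> 192.168.9.31 port 7778
rdr on ng0 inet proto tcp from any to ! (ng0) port = http -> 127.0.0.1 port 80
binat on ng0 inet from 192.168.9.0/24 to any -> 60.54.177.0/24
"""

# Service names pfctl prints instead of numbers in the listing above.
SERVICE_PORTS = {"isakmp": 500, "http": 80, "https": 443, "ftp": 21, "domain": 53}

RULE_RE = re.compile(
    r"^(?P<kind>nat|binat|rdr)\s+on\s+(?P<iface>\S+)"
    r"(?:\s+inet6?)?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s*=?\s*(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst_neg>!\s*)?(?P<dst>\S+)(?:\s+port\s*=?\s*(?P<dport>\S+))?"
    r"\s+->\s+(?P<target>\S+)(?:\s+port\s+(?P<tport>\S+))?"
)


def parse_rules(text):
    """Parse nat/binat/rdr lines; anchors and 'no rdr' lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["dst_neg"] = bool(rule["dst_neg"])
            rules.append(rule)
    return rules


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec[0] in "(<":      # interface group or table: unknown offline
        return False
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec is None:         # rule does not constrain the port
        return True
    if port is None:         # rule needs a port but the packet has none
        return False
    if ":" in spec:          # range such as 6750:6859
        lo, hi = (int(x) for x in spec.split(":"))
        return lo <= port <= hi
    return port == SERVICE_PORTS.get(spec, int(spec) if spec.isdigit() else -1)


def outbound_translation(rules, iface, src_ip, dst_ip, sport=None, dport=None):
    """Return the rule pf would apply to an outbound packet on iface, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for kind in ("binat", "nat"):           # assumed outbound lookup order
        for r in rules:
            if r["kind"] != kind or r["iface"] != iface:
                continue
            dst_ok = _addr_matches(r["dst"], dst) != r["dst_neg"]   # '!' negates
            if (_addr_matches(r["src"], src) and dst_ok
                    and _port_matches(r["sport"], sport)
                    and _port_matches(r["dport"], dport)):
                return r
    return None


def translated_source(rule, src_ip):
    """Source address after translation; binat keeps the host part of src."""
    target = rule["target"]
    if target[0] == "(":                     # pf picks the interface address at runtime
        return "address of " + target.strip("()")
    net = ipaddress.ip_network(target, strict=False)
    if rule["kind"] == "binat":
        src_net = ipaddress.ip_network(rule["src"], strict=False)
        offset = int(ipaddress.ip_address(src_ip)) - int(src_net.network_address)
        return str(net.network_address + offset)
    return str(net.network_address)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_PFCTL_SN)
    for host in ("192.168.9.31", "192.168.8.222"):
        r = outbound_translation(rules, "ng0", host, "203.0.113.10", dport=80)
        print(host, "->", r["kind"] if r else "no translation",
              translated_source(r, host) if r else "")
```

With the sample rules, a LAN host (192.168.8.x) is handled by the `nat ... -> (ng0)` rule, while an OPT1 host is handled by the `binat` rule and leaves with a source address in 60.54.177.0/24 rather than the firewall's own WAN address. On a live box the same question is answered by `pfctl -ss` (look for the state's translated source) and a `tcpdump -ni ng0` of the outgoing packets.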
      Eugene

        Rules are OK, but it seems there is no NAT set up for 192.168.9.0/24 -> Internet.
        Add it under Firewall -> NAT -> Outbound.

        http://ru.doc.pfsense.org

        jahonix

          According to the pictures he posted, he ticked 'manual outbound NAT' (AON) but didn't say why.
          I guess it's still there…

          zabidin2

            As I work on a technical team, I regularly use the motto 'trial and error', and if I cannot solve the problem, I'll post in the forum and share any problem that I faced.

            jahonix

              Seems to be the difference between a "technical team" and an "engineering team".   ;D ;D ;D  SCNR

              Honestly, I pointed you to it and your answer was "I follow what said." Try to get that in line with your statement above.

              zabidin2

                When I ping from OPT1, it seems it can resolve yahoo.com to an IP, but it 'cannot go out'.

                GruensFroeschli

                  Did you disable manual outbound?
                  Or at least create an outbound NAT rule for the OPT subnet?

                  We do what we must, because we can.

                  Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                  zabidin2

                    The result is still the same even when I set auto. I also wanted to test and set manual. When I apply it, the result is the same as when I use auto, no difference at all. Any idea? I get a headache thinking about this problem.

                    ----------------
                    Mzar

                    Eugene

                      @jahonix:

                      According to the pictures he posted, he ticked 'manual outbound NAT' (AON) but didn't say why.
                      I guess it's still there…

                      I am sorry, I missed it.

                      http://ru.doc.pfsense.org

                      zabidin2

                        I used nmap from a server on OPT1 and this is the result:

                        [root@kerapu ~]# nmap 192.168.9.8
                        
                        Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2009-07-01 11:31 MYT
                        Interesting ports on 192.168.9.8:
                        (The 1656 ports scanned but not shown below are in state: filtered)
                        PORT    STATE SERVICE
                        21/tcp  open  ftp
                        22/tcp  open  ssh
                        53/tcp  open  domain
                        441/tcp open  decvms-sysmgt
                        MAC Address: 00:21:91:EB:E5:2B (Unknown)
                        
                        Nmap run completed -- 1 IP address (1 host up) scanned in 21.250 seconds
                        [root@kerapu ~]#
                        

                        How do I open ports 80 and 443 on OPT1?

                        zabidin2

                          Still stuck with OPT1  ??? ???

                          jahonix

                            Same as always: allow TCP from LAN net to any IP with port 80 as destination (HTTP), and similarly for HTTPS.
                            If it doesn't work, then you seem to have scrambled a lot. Try a fresh and clean install instead.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.