Specific vlan traffic being blocked

sysc

We have a specific vlan that is being blanket blocked no matter what we do after upgrading to 2.0-RELEASE.

We've tried deleting/recreating
Blanket pass using a /16 subnet

Logs still show it being blocked.

podilarius

We are going to need to get some details if we are going to help you out. Like, what is the VLAN id and the subnet? What rules are on that interface? Can we get screen shots? What outbound NAT type are you using?

sysc

@186 pass in log quick on em0 inet from 172.25.8.0/22 to any flags S/SA keep state label "USER_RULE"

This is what is showing up in the logs.

podilarius

@sysc:

@186 pass in log quick on em0 inet from 172.25.8.0/22 to any flags S/SA keep state label "USER_RULE"

This is what is showing up in the logs.

Is that a LAN rule? There should be another tab that has the vlan rules.still need a bit more detail still.

sysc

VLAN rule is set to allow any to any

The above paste was actually just the log entry that is showing up for any connection from that vlan which also shows the rule.

I should also mention that this vlan has been setup for month(s) and working until the most recent upgrade. I had been running the 2.0 ALPHA/BETA releases for 6 months.

sysc

Below is a packet capture using Medium detail

09:29:03.637114 IP (tos 0x0, ttl 63, id 14458, offset 0, flags [none], proto ICMP (1), length 84)
    172.25.11.49 > 74.125.225.48: ICMP echo request, id 28965, seq 35, length 64
09:29:04.639540 IP (tos 0x0, ttl 63, id 44347, offset 0, flags [none], proto ICMP (1), length 84)
    172.25.11.49 > 74.125.225.48: ICMP echo request, id 28965, seq 36, length 64
09:29:05.645619 IP (tos 0x0, ttl 63, id 58943, offset 0, flags [none], proto ICMP (1), length 84)
    172.25.11.49 > 74.125.225.48: ICMP echo request, id 28965, seq 37, length 64
09:29:06.651693 IP (tos 0x0, ttl 63, id 33126, offset 0, flags [none], proto ICMP (1), length 84)
    172.25.11.49 > 74.125.225.48: ICMP echo request, id 28965, seq 38, length 64
09:29:06.691997 IP (tos 0x0, ttl 63, id 63849, offset 0, flags [DF], proto TCP (6), length 569)
    172.25.11.49.64055 > 172.16.0.5.443: Flags [P.], cksum 0xd70b (correct), ack 181130287, win 65535, options [nop,nop,TS val 411065110 ecr 255214162], length 517
09:29:07.088762 IP (tos 0x0, ttl 63, id 60993, offset 0, flags [DF], proto TCP (6), length 48)

sysc

I should also mention I can reach anything internal via this vlan just nothing outside of our network.

podilarius

What are you using for your outbound nat settings?

sysc

o..m..g. I am a moron, thanks pod.