    No outgoing traffic with alpha from 10-25-09

_igor_:

After a fresh install with the iso from 20-25-09 I noticed that the WAN interface connects to my ISP. OK.

But the gateway (WAN) is always off. Had this before, no change compared to older firmware.
The gateway is set by my ISP from 127.0.0.2 to 195.x.x.x. All OK.

ping 195.x.x.x results in "no route to host". Doing the same ping with its canonical name I get "cannot resolve".
Same result on the router and from a local machine.
So I can state that no packet is passed to my WAN gateway, nor is DNS working.
Setting up the same environment on 1.3.2 works like a charm.
rules.debug is here:

```
#System aliases

loopback = "{ lo0 }"
WAN = "{ pppoe0 }"
LAN = "{ bge1 }"

# User Aliases

table <drucker> { 10.112.35.10 }
drucker = "<drucker>"
table <igor> { 10.112.35.13 }
igor = "<igor>"
table <intranet> { 10.112.35.0/27 }
intranet = "<intranet>"
localhost = "{ 127.0.0.1 }"

set loginterface pppoe0
set loginterface bge1
set optimization normal
set limit states 204000

set skip on pfsync0

scrub in on $WAN all no-df random-id max-mss 1460 fragment reassemble
scrub in on $LAN all no-df random-id fragment reassemble

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules

# Subnets to NAT

#SSH Lockout Table
table <sshlockout> persist

# Load balancing anchor

rdr-anchor "relayd/*"

# TFTP proxy

rdr-anchor "tftp-proxy/*"
table <direct_networks> { 10.112.35.0/27 }

# NAT Inbound Redirects

# Reflection redirects

# Reflection redirects

# Reflection redirects

# UPnPd rdr anchor

rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "firewallrules"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# snort2c

table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook

anchor "packageearly"

# carp

anchor "carp"

# SSH lockout

block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt

anchor "wanbogons"
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"

# block anything from private networks on interfaces with the option set

antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for bge1

# allow access to DHCP server on LAN

anchor "dhcpserverLAN"
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 10.112.35.13 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 10.112.35.13 port = 67 to any port = 68 label "allow access to DHCP server"
anchor "spoofing"

# loopback

anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"

# let out anything from the firewall host itself and decrypted IPsec traffic

pass out all keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH

anchor "anti-lockout"
pass in quick on bge1 from any to (bge1) keep state label "anti-lockout rule"

# NAT Reflection rules

pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"

# User-defined rules follow

pass in quick on $LAN reply-to ( bge1 10.112.35.14 ) from $intranet to any keep state label "USER_RULE: Default allow LAN to any rule"

# VPN Rules

# package manager late specific hook

anchor "packagelate"

anchor "limitingesr"

# uPnPd

anchor "miniupnpd"
```

Any help appreciated, at the moment I'm completely lost in space…

_igor_:

        Differences between working 1.3.2 and actual 2.0 firmware

1.3.2 routing table:

```
Destination      Gateway            Flags  Refs     Use   Mtu   Netif Expire
default          195.14.226.5       UGS       0 8090942  1492   ng0
10.112.35.0/27   link#1             UC        0       0  1500   em0
10.112.35.2      00:23:32:9e:c4:74  UHLW      1   47043  1500   em0    759
10.112.35.3      00:11:24:e6:45:80  UHLW      1     132  1500   em0    769
10.112.35.6      00:1e:58:48:3d:9e  UHLW      1    2633  1500   em0   1167
10.112.35.12     00:18:f8:13:71:46  UHLW      1       1  1500   em0    993
87.79.167.226    lo0                UHS       0       0 16384   lo0
127.0.0.1        127.0.0.1          UH        0       0 16384   lo0
195.14.226.5     87.79.167.226      UH        1    2430  1492   ng0
```

2.0 routing table:

```
default          195.14.226.5       UGS       0      55  1492   pppoe0
10.112.35.0/27   link#3             U         6     208  1500   bge1
10.112.35.13     link#3             UHS       0      45 16384   lo0
87.79.58.31      link#8             UHS       0       0 16384   lo0
127.0.0.1        link#5             UH        0      52 16384   lo0
127.0.0.2        127.0.0.1          UHS       0       0 16384   lo0
195.14.226.5     link#8             UH        0      45  1492   pppoe0
```

What do these links mean? Looking at 1.3.2 I see only one link; on 2.0 there are lots of these links with strange numbers.

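As an added example (not part of the thread), a small parser for `netstat -rn` style output that addresses both posts: it groups the `link#N` entries (N is the kernel's interface index, so `link#3` here is bge1) by the interface they appear with, and checks whether the default gateway has a directly attached route, which is the first thing to verify when a ping to the gateway returns "no route to host". `ROUTES_2_0` is the 2.0 table from the post; `ROUTES_BROKEN` is a constructed failing case.

```python
"""Added example (not from the forum post): parse netstat -rn style output and
check whether the default gateway has a directly attached route. ROUTES_2_0 is
the 2.0 table from the post; ROUTES_BROKEN is a constructed failing case."""
from collections import namedtuple

Route = namedtuple("Route", "dest gateway flags netif")

ROUTES_2_0 = """\
default          195.14.226.5       UGS       0      55  1492   pppoe0
10.112.35.0/27   link#3             U         6     208  1500   bge1
10.112.35.13     link#3             UHS       0      45 16384   lo0
87.79.58.31      link#8             UHS       0       0 16384   lo0
127.0.0.1        link#5             UH        0      52 16384   lo0
127.0.0.2        127.0.0.1          UHS       0       0 16384   lo0
195.14.226.5     link#8             UH        0      45  1492   pppoe0
"""
# Constructed: the default route names a gateway that has no host/interface route.
ROUTES_BROKEN = """\
default          195.14.226.5       UGS       0       0  1492   pppoe0
10.112.35.0/27   link#3             U         0       0  1500   bge1
"""

def parse_routes(text):
    """Keep dest, gateway, flags and netif of each row; skip the header line."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] == "Destination":
            continue
        routes.append(Route(f[0], f[1], f[2], f[6]))
    return routes

def link_ifaces(routes):
    """Map each 'link#N' gateway (interface index N) to the netifs it appears with."""
    groups = {}
    for r in routes:
        if r.gateway.startswith("link#"):
            groups.setdefault(r.gateway, set()).add(r.netif)
    return groups

def check_default_gateway(routes):
    """The gateway must have a route without the G flag, i.e. be directly attached."""
    default = next((r for r in routes if r.dest == "default"), None)
    if default is None:
        return {"ok": False, "reason": "no default route"}
    attached = [r for r in routes if r.dest == default.gateway and "G" not in r.flags]
    if not attached:
        return {"ok": False, "gateway": default.gateway, "reason": "no attached route"}
    return {"ok": True, "gateway": default.gateway, "netif": attached[0].netif}
```

On the posted 2.0 table the check passes (the gateway is attached via pppoe0), so the table itself does not explain the symptom; a real run would feed it the output of `netstat -rn` taken while the ping fails.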