No outgoing traffic with alpha from 10-25-09



  • After a fresh install with the ISO from 20-25-09 I noticed that the WAN interface connects to my ISP. OK.

    But the gateway (WAN) is always off. Had this before, no change to older firmware.
    The gateway is set by my ISP from 127.0.0.2 to 195.x.x.x. All OK.

    ping 195.x.x.x results in "no route to host". Doing the same ping with its canonical name I get "cannot resolve".
    Same result doing it on the router and from a local machine.
    So I can state that no packet is passed to my WAN gateway. Nor is DNS working.
    Setting up the same environment on 1.3.2 works like a charm.
    rules.debug is here:

    #System aliases

    loopback = "{ lo0 }"
    WAN = "{ pppoe0 }"
    LAN = "{ bge1 }"

    # User Aliases

    table <drucker> { 10.112.35.10 }
    drucker = "<drucker>"
    table <igor> { 10.112.35.13 }
    igor = "<igor>"
    table <intranet> { 10.112.35.0/27 }
    intranet = "<intranet>"
    localhost = "{ 127.0.0.1 }"

    set loginterface pppoe0
    set loginterface bge1
    set optimization normal
    set limit states 204000

    set skip on pfsync0

    scrub in on $WAN all no-df random-id max-mss 1460 fragment reassemble
    scrub in on $LAN all no-df random-id fragment reassemble

    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # Outbound NAT rules

    # Subnets to NAT

    #SSH Lockout Table
    table <sshlockout> persist

    # Load balancing anchor

    rdr-anchor "relayd/*"

    # TFTP proxy

    rdr-anchor "tftp-proxy/*"
    table <direct_networks> { 10.112.35.0/27 }

    # NAT Inbound Redirects

    # Reflection redirects

    # Reflection redirects

    # Reflection redirects

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    anchor "firewallrules"
    #---------------------------------------------------------------------------

    # default deny rules

    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    # We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # snort2c

    table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # package manager early specific hook

    anchor "packageearly"

    # carp

    anchor "carp"

    # SSH lockout

    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    table <virusprot>
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"

    # block bogon networks

    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

    anchor "wanbogons"
    block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"

    # block anything from private networks on interfaces with the option set

    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    antispoof for bge1

    # allow access to DHCP server on LAN

    anchor "dhcpserverLAN"
    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 10.112.35.13 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 10.112.35.13 port = 67 to any port = 68 label "allow access to DHCP server"
    anchor "spoofing"

    # loopback

    anchor "loopback"
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    anchor "firewallout"

    # let out anything from the firewall host itself and decrypted IPsec traffic

    pass out all keep state allow-opts label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webConfigurator or SSH

    anchor "anti-lockout"
    pass in quick on bge1 from any to (bge1) keep state label "anti-lockout rule"

    # NAT Reflection rules

    pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"

    # User-defined rules follow

    pass in quick on $LAN reply-to ( bge1 10.112.35.14 ) from $intranet to any keep state label "USER_RULE: Default allow LAN to any rule"

    # VPN Rules

    # package manager late specific hook

    anchor "packagelate"

    anchor "limitingesr"

    # uPnPd

    anchor "miniupnpd"

    Any help appreciated, at the moment I'm completely lost in space…



  • Differences between working 1.3.2 and actual 2.0 firmware

    1.3.2 routing table:

    Destination      Gateway            Flags  Refs  Use      Mtu    Netif   Expire
    default          195.14.226.5       UGS    0     8090942  1492   ng0
    10.112.35.0/27   link#1             UC     0     0        1500   em0
    10.112.35.2      00:23:32:9e:c4:74  UHLW   1     47043    1500   em0     759
    10.112.35.3      00:11:24:e6:45:80  UHLW   1     132      1500   em0     769
    10.112.35.6      00:1e:58:48:3d:9e  UHLW   1     2633     1500   em0     1167
    10.112.35.12     00:18:f8:13:71:46  UHLW   1     1        1500   em0     993
    87.79.167.226    lo0                UHS    0     0        16384  lo0
    127.0.0.1        127.0.0.1          UH     0     0        16384  lo0
    195.14.226.5     87.79.167.226      UH     1     2430     1492   ng0

    2.0 routing table:

    Destination      Gateway            Flags  Refs  Use      Mtu    Netif   Expire
    default          195.14.226.5       UGS    0     55       1492   pppoe0
    10.112.35.0/27   link#3             U      6     208      1500   bge1
    10.112.35.13     link#3             UHS    0     45       16384  lo0
    87.79.58.31      link#8             UHS    0     0        16384  lo0
    127.0.0.1        link#5             UH     0     52       16384  lo0
    127.0.0.2        127.0.0.1          UHS    0     0        16384  lo0
    195.14.226.5     link#8             UH     0     45       1492   pppoe0

    What do these links mean? Looking at 1.3.2 I see only one link, on 2.0 lots of these links with strange numbers.
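Since the question above is what the link#N entries mean, here is an added example (my own code, not from the post or from pfSense) that parses both tables, labels each Gateway field (link#N is a directly attached route with no next hop, N being the kernel interface index, which is why link#8 shows up on both pppoe0-related rows; a MAC address is an ARP-cloned neighbour entry) and diffs 1.3.2 against 2.0 so only the routes that changed stand out. The rows are a subset copied from the two tables above.

```python
# Added example, not from the original post: parse "netstat -rn" style
# output, explain each Gateway field, and diff the 1.3.2 and 2.0 tables.
import re

FLAGS = {"U": "up", "G": "gateway", "H": "host", "S": "static",
         "L": "link-layer", "W": "cloned", "C": "cloning"}

def classify_gateway(gw):
    """What the Gateway column denotes: link#N = directly attached, no next
    hop, N is the kernel interface index; a MAC = ARP-cloned neighbour."""
    m = re.fullmatch(r"link#(\d+)", gw)
    if m:
        return ("link", int(m.group(1)))
    if re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", gw):
        return ("lladdr", gw)
    if re.fullmatch(r"\d+(\.\d+){3}", gw):
        return ("nexthop", gw)
    return ("iface", gw)               # e.g. "lo0" on the 1.3.2 table

def parse_routes(text):
    """Return {destination: {gateway, kind, flags, netif}}; header skipped."""
    routes = {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 7 and f[0] != "Destination":
            routes[f[0]] = {"gateway": f[1], "kind": classify_gateway(f[1]),
                            "flags": [FLAGS.get(c, c) for c in f[2]],
                            "netif": f[6]}
    return routes

def diff_routes(old, new):
    """Destinations added, removed, or whose (gateway, netif) pair changed."""
    key = lambda r: r and (r["gateway"], r["netif"])
    return {d: (key(old.get(d)), key(new.get(d)))
            for d in sorted(set(old) | set(new))
            if key(old.get(d)) != key(new.get(d))}

OLD_132 = """
default          195.14.226.5       UGS   0  8090942  1492  ng0
10.112.35.0/27   link#1             UC    0  0        1500  em0
10.112.35.2      00:23:32:9e:c4:74  UHLW  1  47043    1500  em0  759
87.79.167.226    lo0                UHS   0  0        16384 lo0
195.14.226.5     87.79.167.226      UH    1  2430     1492  ng0
"""
NEW_20 = """
default          195.14.226.5       UGS   0  55   1492   pppoe0
10.112.35.0/27   link#3             U     6  208  1500   bge1
87.79.58.31      link#8             UHS   0  0    16384  lo0
195.14.226.5     link#8             UH    0  45   1492   pppoe0
"""
```

Calling diff_routes(parse_routes(OLD_132), parse_routes(NEW_20)) reports the default route moving from ng0 to pppoe0 and the LAN net from link#1/em0 to link#3/bge1, while unchanged routes are left out.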

