No outgoing traffic with alpha from 10-25-09
-
After a fresh install with the ISO from 20-25-09 I noticed that the WAN interface connects to my ISP. OK.
But the gateway (WAN) is always off. Had this before, no change from older firmware.
The gateway is set by my ISP from 127.0.0.2 to 195.x.x.x. All OK. Pinging 195.x.x.x results in "no route to host". Doing the same ping with its canonical name I get "cannot resolve".
Same result when doing it on the router and from a local machine.
So I can state that no packet is passed to my WAN gateway. Nor is DNS working.
Setting up the same environment on 1.3.2 works like a charm.
rules.debug is here:

# System aliases
loopback = "{ lo0 }"
WAN = "{ pppoe0 }"
LAN = "{ bge1 }"

# User Aliases
table <drucker> { 10.112.35.10 }
drucker = "<drucker>"
table <igor> { 10.112.35.13 }
igor = "<igor>"
table <intranet> { 10.112.35.0/27 }
intranet = "<intranet>"
localhost = "{ 127.0.0.1 }"

set loginterface pppoe0
set loginterface bge1
set optimization normal
set limit states 204000

set skip on pfsync0

scrub in on $WAN all no-df random-id max-mss 1460 fragment reassemble
scrub in on $LAN all no-df random-id fragment reassemble

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
# Subnets to NAT

# SSH Lockout Table
table <sshlockout> persist

# Load balancing anchor
rdr-anchor "relayd/*"

# TFTP proxy
rdr-anchor "tftp-proxy/*"

table <direct_networks> { 10.112.35.0/27 }

# NAT Inbound Redirects
# Reflection redirects
# Reflection redirects
# Reflection redirects

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "firewallrules"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"

table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"

# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for bge1

# allow access to DHCP server on LAN
anchor "dhcpserverLAN"
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 10.112.35.13 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 10.112.35.13 port = 67 to any port = 68 label "allow access to DHCP server"

anchor "spoofing"

# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout"
pass in quick on bge1 from any to (bge1) keep state label "anti-lockout rule"

# NAT Reflection rules
pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"

# User-defined rules follow
pass in quick on $LAN reply-to ( bge1 10.112.35.14 ) from $intranet to any keep state label "USER_RULE: Default allow LAN to any rule"

# VPN Rules

# package manager late specific hook
anchor "packagelate"
anchor "limitingesr"

# uPnPd
anchor "miniupnpd"
Any help appreciated, at the moment I'm completely lost in space…
-
Differences between working 1.3.2 and current 2.0 firmware
1.3.2 routing table:

Destination       Gateway            Flags  Refs  Use      Mtu    Netif  Expire
default           195.14.226.5       UGS    0     8090942  1492   ng0
10.112.35.0/27    link#1             UC     0     0        1500   em0
10.112.35.2       00:23:32:9e:c4:74  UHLW   1     47043    1500   em0    759
10.112.35.3       00:11:24:e6:45:80  UHLW   1     132      1500   em0    769
10.112.35.6       00:1e:58:48:3d:9e  UHLW   1     2633     1500   em0    1167
10.112.35.12      00:18:f8:13:71:46  UHLW   1     1        1500   em0    993
87.79.167.226     lo0                UHS    0     0        16384  lo0
127.0.0.1         127.0.0.1          UH     0     0        16384  lo0
195.14.226.5      87.79.167.226      UH     1     2430     1492   ng0

2.0 routing table:
default           195.14.226.5       UGS    0     55       1492   pppoe0
10.112.35.0/27    link#3             U      6     208      1500   bge1
10.112.35.13      link#3             UHS    0     45       16384  lo0
87.79.58.31       link#8             UHS    0     0        16384  lo0
127.0.0.1         link#5             UH     0     52       16384  lo0
127.0.0.2         127.0.0.1          UHS    0     0        16384  lo0
195.14.226.5      link#8             UH     0     45       1492   pppoe0

What do these links mean? Looking at 1.3.2 I see only one link, on 2.0 lots of these links with strange numbers.
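The two routing tables above, parsed and checked in an added example (my code, not the poster's): a small Python parser for BSD netstat -rn output that reads each route's destination, gateway, flags and interface, and checks that the default route's gateway has a host route on the same interface. The sample input is excerpts of the two tables quoted in the post; run over both, each passes that check, and the link#N gateways in the 2.0 table are interface-index references rather than IP next hops.

```python
"""Parse BSD `netstat -rn` output and check that the default gateway is
directly attached. Added example, not from the forum post; the samples are
excerpts of the two routing tables quoted in the post."""
from collections import namedtuple

Route = namedtuple("Route", "dest gateway flags netif")

# Constructed samples: excerpts of the 1.3.2 and 2.0 tables from the post.
TABLE_132 = """\
Destination Gateway Flags Refs Use Mtu Netif Expire
default 195.14.226.5 UGS 0 8090942 1492 ng0
10.112.35.0/27 link#1 UC 0 0 1500 em0
87.79.167.226 lo0 UHS 0 0 16384 lo0
127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
195.14.226.5 87.79.167.226 UH 1 2430 1492 ng0
"""
TABLE_20 = """\
default 195.14.226.5 UGS 0 55 1492 pppoe0
10.112.35.0/27 link#3 U 6 208 1500 bge1
10.112.35.13 link#3 UHS 0 45 16384 lo0
87.79.58.31 link#8 UHS 0 0 16384 lo0
127.0.0.1 link#5 UH 0 52 16384 lo0
127.0.0.2 127.0.0.1 UHS 0 0 16384 lo0
195.14.226.5 link#8 UH 0 45 1492 pppoe0
"""

def parse_routes(text):
    """Return Route tuples, skipping the header. A gateway written as
    link#N means 'directly attached on the interface with kernel index N'
    (netstat -i lists each interface's <Link#N>), not an IP next hop."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "Destination":
            continue
        routes.append(Route(parts[0], parts[1], parts[2], parts[6]))
    return routes

def default_gateway_check(routes):
    """Return (gateway, netif, ok). ok is True when the default route has
    the G flag and a host route (H) to that gateway exists on the same
    interface, i.e. the next hop is reachable from this table alone."""
    default = next((r for r in routes if r.dest == "default"), None)
    if default is None or "G" not in default.flags:
        return None, None, False
    ok = any(r.dest == default.gateway and "H" in r.flags
             and r.netif == default.netif for r in routes)
    return default.gateway, default.netif, ok
```

Point `parse_routes` at the output of `netstat -rn` on the box itself to compare a live table with the pasted ones.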