On 11/01/15 11:51, Marco Prause wrote:
> Hi Piotr,
>
> just a guess, but you might hit some path mtu discovery issue.
> On customer paths with e.g. mtu less than 1500 it should help to
> discover the minimal mtu and while blocking the don't fragment bit,
> which is used for pmtud, pmtud won't work.
>
> In your case the redirect answer would fit in the maybe decreased mtu,
> but the "website" won't.
>
> Hope my guess was right. But it sounds like an often seen issue - often
> in conjunction with vpns.
>
>
> Regards,
> Marco
>
> On 31 October 2015 22:50:31 CET, Piotr Kubaj <pku...@riseup.net> wrote:
>
>     Hi,
>
>     I'm using OpenBSD 5.8 on a Ubiquiti Edgerouter Lite. It works great,
>     apart from my customers reported that some websites don't work for them
>     (I've verified that it's true).
>
>     My /etc/pf.conf is:
>     int_if="{ vether0 cnmac1 cnmac2 }"
>     broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
>             10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
>             198.51.100.0/24, 203.0.113.0/24, \
>             169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
>     set block-policy drop
>     set loginterface egress
>     set skip on lo0
>     match in all scrub (no-df random-id max-mss 1440)
>     match out on egress inet from !(egress:network) to any nat-to (egress:0)
>     antispoof quick for (egress)
>     block in quick on egress from { $broken no-route urpf-failed } to any
>     block in quick inet6 all
>     block return out quick inet6 all
>     block return out quick log on egress proto { tcp udp } from any to any port 53
>     block return out quick log on egress from any to { no-route $broken }
>     block in all
>     pass out quick inet keep state
>     pass in on $int_if inet keep state
>     pass on $int_if from any to { 224.0.0.2, 239.0.0.0/8 }
>     pass in on $int_if inet proto { tcp udp } from any to ! 192.168.1.1 port 53 rdr-to 192.168.1.1
>     pass in quick on $int_if proto udp from any to ! 192.168.1.1 port 123 rdr-to 192.168.1.1
>     pass in on egress inet proto tcp to (egress) port 2501 rdr-to 192.168.1.2 port 22
>     pass in on egress inet proto tcp from any to (egress) port 2500
>     pass in on egress inet proto tcp from any to (egress) port 9001
>     pass in on egress inet proto tcp from any to (egress) port 9030
>
>     The sites in question are nk.pl (loads once in a while), cyberbaba.pl
>     and phoronix.com. They all send 301 redirection and that's it.
>     Any ideas what might cause it?
>
>
> --
> This message was sent from my Android phone with K-9 Mail.
Thanks, but I guess it's not caused by blocking DF fragment. I've
cleared the whole /etc/pf.conf and left only. Since you've mentioned
MTU, I've read a bit about it and PPPoE (I need it for WAN) and found
that I need to add:
match on pppoe0 scrub (max-mss 1440)
to /etc/pf.conf. Thanks!

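As an added example (not code from the thread or from OpenBSD), here is a small Python check that applies Marco's reasoning to a pf.conf: it flags scrub rules using no-df (which clears the DF bit and so defeats path MTU discovery) and checks that the PPPoE interface carries an explicit max-mss clamp. The MSS limit is derived from standard header sizes (1500 - 8 PPPoE - 20 IP - 20 TCP = 1452); the thread uses the more conservative 1440. The sample configuration and the pppoe0 interface name are assumptions modelled on the rules quoted above.

```python
import re

# Constructed pf.conf fragment modelled on the scrub rules quoted in the thread
SAMPLE_PF_CONF = """\
match in all scrub (no-df random-id max-mss 1440)
match on pppoe0 scrub (max-mss 1440)
pass out quick inet keep state
"""

IPV4_HEADER = 20    # bytes, no options
TCP_HEADER = 20     # bytes, no options
PPPOE_OVERHEAD = 8  # 6-byte PPPoE header + 2-byte PPP protocol field

def recommended_max_mss(link_mtu=1500, encapsulation=PPPOE_OVERHEAD):
    """Largest TCP MSS whose segments still fit the link without fragmentation."""
    return link_mtu - encapsulation - IPV4_HEADER - TCP_HEADER

SCRUB_RE = re.compile(r"^\s*match\b(?P<scope>.*?)\bscrub\s*\((?P<opts>[^)]*)\)")

def parse_scrub_rules(conf):
    """Extract scope, no-df flag and max-mss value from each 'match ... scrub (...)' rule."""
    rules = []
    for line in conf.splitlines():
        m = SCRUB_RE.match(line)
        if not m:
            continue
        opts = m.group("opts").split()
        mss = int(opts[opts.index("max-mss") + 1]) if "max-mss" in opts else None
        rules.append({"scope": m.group("scope").strip(),
                      "no_df": "no-df" in opts, "max_mss": mss})
    return rules

def audit(conf, wan_if="pppoe0", link_mtu=1500):
    """Return findings: no-df rules (break PMTUD) and a missing or too-high MSS clamp on the WAN link."""
    limit = recommended_max_mss(link_mtu)
    rules = parse_scrub_rules(conf)
    findings = []
    for r in rules:
        if r["no_df"]:
            findings.append(f"'{r['scope']}' uses no-df: DF is cleared, so PMTUD cannot work for that traffic")
        if r["max_mss"] is not None and r["max_mss"] > limit:
            findings.append(f"'{r['scope']}' clamps to {r['max_mss']}, above the {limit} that fits the PPPoE MTU")
    if not any(wan_if in r["scope"] and r["max_mss"] is not None and r["max_mss"] <= limit for r in rules):
        findings.append(f"no MSS clamp on {wan_if}; add: match on {wan_if} scrub (max-mss {limit})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PF_CONF):
        print(finding)
```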
