On 11/01/15 11:51, Marco Prause wrote:
> Hi Piotr,
>
> just a guess, but you might hit some path MTU discovery issue.
> On customer paths with e.g. MTU less than 1500 it should help to
> discover the minimal MTU, and while blocking the don't-fragment bit,
> which is used for PMTUD, PMTUD won't work.
>
> In your case the redirect answer would fit in the maybe decreased MTU,
> but the "website" won't.
>
> Hope my guess was right. But it sounds like an often-seen issue, often
> in conjunction with VPNs.
>
>
> Regards,
> Marco
>
> On 31 October 2015 22:50:31 CET, Piotr Kubaj <pku...@riseup.net> wrote:
>
> Hi,
>
> I'm using OpenBSD 5.8 on a Ubiquiti Edgerouter Lite. It works great,
> apart from the fact that my customers reported that some websites don't
> work for them (I've verified that it's true).
>
> My /etc/pf.conf is:
>
> int_if="{ vether0 cnmac1 cnmac2 }"
> broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
> 10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
> 198.51.100.0/24, 203.0.113.0/24, \
> 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
> set block-policy drop
> set loginterface egress
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> antispoof quick for (egress)
> block in quick on egress from { $broken no-route urpf-failed } to any
> block in quick inet6 all
> block return out quick inet6 all
> block return out quick log on egress proto { tcp udp } from any to any port 53
> block return out quick log on egress from any to { no-route $broken }
> block in all
> pass out quick inet keep state
> pass in on $int_if inet keep state
> pass on $int_if from any to { 224.0.0.2, 239.0.0.0/8 }
> pass in on $int_if inet proto { tcp udp } from any to ! 192.168.1.1 port 53 rdr-to 192.168.1.1
> pass in quick on $int_if proto udp from any to ! 192.168.1.1 port 123 rdr-to 192.168.1.1
> pass in on egress inet proto tcp to (egress) port 2501 rdr-to 192.168.1.2 port 22
> pass in on egress inet proto tcp from any to (egress) port 2500
> pass in on egress inet proto tcp from any to (egress) port 9001
> pass in on egress inet proto tcp from any to (egress) port 9030
>
> The sites in question are nk.pl (loads once in a while), cyberbaba.pl
> and phoronix.com. They all send a 301 redirect and that's it.
> Any ideas what might cause it?
>
> [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
>
>
> --
> This message was sent from my Android mobile phone with K-9 Mail.

Thanks, but I guess it's not caused by blocking the DF bit. I've cleared the whole /etc/pf.conf and left only.

Since you've mentioned MTU, I've read a bit about it and PPPoE (I need it for WAN) and found that I need to add:

match on pppoe0 scrub (max-mss 1440)

to /etc/pf.conf. Thanks!
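What the `scrub (max-mss 1440)` rule from the thread actually does on the wire, as an added example (not code from either poster or from OpenBSD's pf): it reads the MSS option out of a TCP SYN, lowers it when it is above the clamp value, and recomputes the TCP checksum over the IPv4 pseudo-header. The addresses, ports and the SYN itself are constructed here; `mss_for_mtu` shows where a PPPoE figure like 1452 (1492 minus 40 bytes of IP and TCP headers) comes from, which is the value the 1440 in the thread sits safely below.

```python
"""Hand-rolled MSS clamping on a raw IPv4/TCP SYN, mirroring pf's
`scrub (max-mss N)`.  Added example for this thread; every packet,
address and port below is constructed, not captured from anyone's link."""
import socket
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20                      # fixed TCP header, before options
TCP_SYN = 0x02
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits an IPv4 packet on a link of this MTU.
    PPPoE usually leaves 1492 bytes, giving 1452; clamping to 1440 as in
    the thread leaves 12 bytes of headroom for TCP options."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment, with the
    segment's own checksum field zeroed first."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return inet_checksum(pseudo + zeroed)


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN with DF set and an MSS option (sample input)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    # MSS (4 bytes) + NOP + NOP + SACK-permitted (kind 4, len 2): 8 bytes total
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss) + bytes([TCPOPT_NOP, TCPOPT_NOP, 4, 2])
    doff = (TCP_HDR_LEN + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1234, 0, doff << 4, TCP_SYN, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    total = IP_HDR_LEN + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0, s, d)  # 0x4000 = DF
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def tcp_mss_option(packet: bytes):
    """Walk the TCP options; return (offset of the MSS value, MSS) or None."""
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4
    i, end = ihl + TCP_HDR_LEN, ihl + doff
    while i < end:
        kind = packet[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = packet[i + 1]
        if length < 2:
            break                      # malformed option: stop, don't spin
        if kind == TCPOPT_MSS and length == 4:
            return i + 2, struct.unpack("!H", packet[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Lower an MSS option above max_mss on a SYN and fix the TCP checksum;
    anything else is returned untouched.  The IP header checksum does not
    cover the TCP segment, so it stays as it was."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or not (packet[ihl + 13] & TCP_SYN):
        return packet
    found = tcp_mss_option(packet)
    if found is None or found[1] <= max_mss:
        return packet
    off, _ = found
    out = bytearray(packet)
    out[off:off + 2] = struct.pack("!H", max_mss)
    seg = bytes(out[ihl:])
    out[ihl + 16:ihl + 18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], seg))
    return bytes(out)


def tcp_checksum_ok(packet: bytes) -> bool:
    """A correct TCP checksum sums (with the pseudo-header) to zero."""
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)
    return inet_checksum(pseudo + packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn("192.168.1.10", "203.0.113.5", 40000, 80, 1460)
    print("before:", tcp_mss_option(syn)[1], "after:", tcp_mss_option(clamp_mss(syn, 1440))[1])
```

Run it directly to see a 1460 MSS from a LAN host (a 1500-byte Ethernet MTU) rewritten to 1440 before it leaves over PPPoE; the point of doing this on the SYN is that the peer then never sends a full-size segment that would need fragmentation or a PMTUD exchange, which is why clamping works even where ICMP is filtered.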