OK - I think I made a mistake in setting up the ipsec-vpn, so ipfilter had 
nothing to do with it.

FYI: I did set up OSPF routing through the VPN tunnel and since the far side 
exports its connected routes, OpenSolaris learned the peer gateway IP as 
reachable through the tunnel.
Once the OSPF neighbourhood got established and routes were exchanged, OpenSolaris 
didn't use its static default route, but tried to use the OSPF route, which it 
couldn't use since it tried to send out the ESP packets through the tunnel....

I assumed that the static default route, due to its better metric, would be 
preferred over the OSPF route, but I guess that OpenSolaris utilized the OSPF 
route due to a more precise netmask for the destination IP.
Every 40 seconds, the OSPF route became invalid since the HELLOs didn't get 
exchanged due to the hen-and-egg problem in the routing. In this stage, the default 
route was used, everything worked fine and - of course - OSPF HELLOs got exchanged 
again.
For the time it took OpenSolaris to establish a valid OSPF route, everything 
was working fine....

I now set a static host route to the far side gateway which should defeat the 
OSPF route anyway, and reachability between the two systems seems stable now.

Sorry for keeping you busy - I'll now start with the real ipfilter stuff...

Cheers,
Kai
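The following is an added illustration, not part of Kai's messages or of OpenSolaris itself: a small Python model of the forwarding decision described above. It shows why a /32 learned via OSPF with the tunnel as outgoing interface always beats the default route regardless of metric (longest prefix match comes before preference and metric), how that makes the ESP packets to the peer recurse into the tunnel they are supposed to build, and how a static host route for the peer via the physical WAN next hop wins the tie at /32 and breaks the loop. All addresses, interface names and preference values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology for the example (assumptions, not from the original thread).
PEER = "198.51.100.10"        # far-side IPsec gateway (tunnel outer destination)
WAN_GW = "203.0.113.1"        # upstream next hop on the physical WAN link
REMOTE_LAN = "10.20.0.0/24"   # network behind the far side, advertised via OSPF

# Tie-break when prefix lengths are equal: lower value wins (assumed values).
PREFERENCE = {"connected": 0, "static": 1, "ospf": 110}

# Tunnel interfaces and the outer destination their ESP packets are sent to.
TUNNELS = {"ip.tun0": PEER}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: Optional[str]
    iface: str
    source: str
    metric: int = 0


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match first; only then preference, then metric."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in table if addr in r.prefix]
    if not cands:
        return None
    return min(cands, key=lambda r: (-r.prefix.prefixlen,
                                     PREFERENCE[r.source], r.metric))


def egress_interface(table: List[Route], dst: str, _seen=None) -> Optional[str]:
    """Physical interface the packet (after any ESP encapsulation) leaves on.

    Returns None when the route for the tunnel's own outer destination leads
    back into that tunnel, i.e. the hen-and-egg case from the thread.
    """
    if _seen is None:
        _seen = set()
    route = lookup(table, dst)
    if route is None:
        return None
    if route.iface not in TUNNELS:
        return route.iface
    outer = TUNNELS[route.iface]
    if outer in _seen:
        return None  # ESP to the peer would itself be routed into the tunnel
    _seen.add(outer)
    return egress_interface(table, outer, _seen)


def build_table(with_host_route: bool) -> List[Route]:
    """Routing table before/after adding the static /32 for the peer."""
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), WAN_GW, "wan0", "static"),
        # The far side exports its connected routes, so the peer's own address
        # arrives via OSPF with the tunnel as the outgoing interface.
        Route(ipaddress.ip_network(f"{PEER}/32"), None, "ip.tun0", "ospf", 10),
        Route(ipaddress.ip_network(REMOTE_LAN), None, "ip.tun0", "ospf", 10),
    ]
    if with_host_route:
        # Same prefix length as the OSPF /32, but "static" has the better
        # preference, so it wins the tie and pins the peer to the WAN link.
        table.append(Route(ipaddress.ip_network(f"{PEER}/32"),
                           WAN_GW, "wan0", "static"))
    return table


if __name__ == "__main__":
    for label, table in (("without host route", build_table(False)),
                         ("with host route", build_table(True))):
        chosen = lookup(table, PEER)
        print(f"{label}: peer {PEER} matched by {chosen.source} "
              f"{chosen.prefix} via {chosen.iface}; "
              f"ESP egress -> {egress_interface(table, PEER)}; "
              f"10.20.0.5 egress -> {egress_interface(table, '10.20.0.5')}")
```

The model deliberately ignores the HELLO timeout: in the real system the OSPF /32 ages out after the dead interval, the default route takes over, the tunnel comes up, and the cycle restarts, which is the periodic behaviour Kai observed. With the static host route in place the OSPF /32 never becomes the selected route, so the oscillation cannot start.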




-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On behalf of Kai Krebber
Sent: Monday, 10 May 2010 09:54
To: [email protected]
Subject: Re: [networking-discuss] ipfilter passes only 15% of the packets

Sorry - forgot to mention: I'm using the latest stable version, 2009.06.


-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On behalf of Kai Krebber
Sent: Monday, 10 May 2010 09:51
To: [email protected]
Subject: [networking-discuss] ipfilter passes only 15% of the packets

Hi!

I just started with ipfilter on OpenSolaris. I'm experiencing a (IMHO)
strange behaviour:
I am using OpenSolaris as a filtering router and, for testing, allowing
traffic to a particular system:


r...@kunde003-wan:/etc/ipf# ipfstat -io
empty list for ipfilter(out)
pass in log quick on wan3001 from 213.172.123.138/32 to 213.172.115.4/32
pass in log quick on wan3001 from 120.0.0.0/24 to 213.172.115.4/32

In conjunction with NAT, I can see about 14-15 ICMP echo requests from
120.0.0.33 hitting 213.172.115.4 and then the next about 34-37 ICMP echo
requests get dropped by OpenSolaris (the cycle repeats permanently with
slightly varying numbers).

Out of curiosity, I commented out the NAT rule and refreshed ipfilter.
Now, no packets get routed to the target at all.
I then re-enabled the NAT rule and refreshed ipfilter. Still - no
packets get routed to the target.


What is causing this inconsistent behavior and how can I stabilize the
functionality?

Cheers,
Kai
_______________________________________________
networking-discuss mailing list
[email protected]