Hi friends,
An OpenBSD 6.7 router was rebooted recently and for some reason DHCP and
perhaps other services are no longer working. It is possible that this was a
result of running syspatch, which installed patches 10-12. But those patches
all seem to be unrelated.

The router has interfaces ix0 through ix3. I am seeing the problem on ix1
(AP) but not ix0 (LAN) or ix3 (WAN). There is no traffic on ix2.

I have reduced it down to a simple example of not being able to pass in an
echo response on ix1 with these simplified rules:

ApIf ="ix1"
block return in log on $ApIf
pass in log quick on $ApIf \
    inet proto icmp all \
    label "AP ICMP ALL"

I started tcpdump to watch ICMP traffic on ix1. Then from the machine
running PF, ping an IP and see that responses are hitting the interface:

/root >> tcpdump -i ix1 icmp
tcpdump: listening on ix1, link-type EN10MB
07:28:15.917730 192.168.2.1 > 192.168.2.5: icmp: echo request
07:28:15.918273 192.168.2.5 > 192.168.2.1: icmp: echo reply
07:28:15.918350 192.168.2.1 > 192.168.2.5: icmp: 192.168.2.1 protocol 1 port 11584 unreachable
07:28:16.922060 192.168.2.1 > 192.168.2.5: icmp: echo request
07:28:16.922443 192.168.2.5 > 192.168.2.1: icmp: echo reply
07:28:16.922505 192.168.2.1 > 192.168.2.5: icmp: 192.168.2.1 protocol 1 port 56363 unreachable
07:28:17.912072 192.168.2.1 > 192.168.2.5: icmp: echo request
07:28:17.912588 192.168.2.5 > 192.168.2.1: icmp: echo reply
07:28:17.912652 192.168.2.1 > 192.168.2.5: icmp: 192.168.2.1 protocol 1 port 42489 unreachable

The unreachable message is confirmed by pflog0. I used "pfctl -vs rules"
and observed that the pass in rule is getting evaluated with each reply, but
never matches.

I can also confirm that ix1 really does have the address 192.168.2.1:

ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr ac:1f:6b:b1:c5:95
        description: Access point(s)
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255

Does anyone see what might be going wrong?

George