Re: Anyone can't access bsdly.net like I did? (and some other sites)
Peter N. M. Hansteen wrote:
> Thanks for reporting this. I hope it's a temporary routing problem
> that will just disappear soon. By way of debugging, traceroute from
> here seems to try to take a scenic route to your subnet before ending
> up disallowed:

FWIW Telia-Sonera was down for the count in Finland for about 24 hours from sometime after midnight Sun/Mon. I didn't get more info, but it could be that the problem spread to/came from other areas.

-Lars
Re: Anyone can't access bsdly.net like I did? (and some other sites)
On 2008-09-16, Insan Praja SW <[EMAIL PROTECTED]> wrote:
> I got 2 upstreams, when I start prepending my ASNumber to my one of my
> upstream, I can magically access www.bsdly.net :D, even without
> prepending, in/out to your net is only using 1 upstream. So, it must be
> something on the other side. All my routers are openbsd 4.4-current, armed
> with BGPd and PF enabled. This may got something to do with stateful nature
> of PF, which I'm trying to manage :D

Very likely. I'm just using very simple PF rules on my border routers, just a few block rules to keep some junk off the network and for anti-spoofing, then stateless pass rules for the rest. I don't think of this as firewalling, I have separate machines to do that, and I make sure the routing to those is symmetric (using ospfd to announce the networks on carp interfaces).

I tried to make some ASCII art to demonstrate this, but I knew things were going wrong when I started trying to draw a cloud...

If you turn off your prepends and run tcpdump on your routers, you'll probably see that traffic for bsdly.net goes out of one router, and the return traffic comes via another. That ties in with traceroute working and TCP not working.
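Added example, not part of the post above or of the thread: the tcpdump comparison that reply describes, automated in Python over constructed capture lines. The router names r1/r2, the host addresses, and the `tcpdump -n` line format are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# "src.port > dst.port:" as printed by `tcpdump -n` for TCP (format assumed).
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def asymmetric_flows(captures, local_net):
    """captures maps a router name to the tcpdump lines seen on its upstream
    interface. Returns {flow: (egress_routers, ingress_routers)} for every
    flow whose outbound and return packets crossed different routers."""
    net = ipaddress.ip_network(local_net)
    seen = defaultdict(lambda: {"out": set(), "in": set()})
    for router, lines in captures.items():
        for line in lines:
            m = PKT.search(line)
            if not m:
                continue
            src, sport, dst, dport = m.groups()
            outbound = ipaddress.ip_address(src) in net
            # Key each flow as (local endpoint, remote endpoint).
            local, remote = ((src, int(sport)), (dst, int(dport)))
            if not outbound:
                local, remote = remote, local
            seen[(local, remote)]["out" if outbound else "in"].add(router)
    return {flow: (sorted(d["out"]), sorted(d["in"]))
            for flow, d in seen.items()
            if d["out"] and d["in"] and d["out"] != d["in"]}

# Constructed sample: hypothetical routers r1/r2, one per upstream.
SAMPLE = {
    "r1": [
        "12:00:01.10 IP 202.90.194.10.51000 > 213.187.179.198.80: Flags [S], length 0",
        "12:00:04.10 IP 202.90.194.10.51000 > 213.187.179.198.80: Flags [S], length 0",
        "12:00:05.00 IP 202.90.194.10.51001 > 192.0.2.80.80: Flags [S], length 0",
        "12:00:05.20 IP 192.0.2.80.80 > 202.90.194.10.51001: Flags [S.], length 0",
    ],
    "r2": [
        # SYN-ACK arrives on the router that never saw the SYN, so a
        # stateful ruleset there has no state entry to match it against.
        "12:00:01.45 IP 213.187.179.198.80 > 202.90.194.10.51000: Flags [S.], length 0",
    ],
}

if __name__ == "__main__":
    for (local, remote), (out, back) in asymmetric_flows(SAMPLE, "202.90.194.0/23").items():
        print(f"{local} <-> {remote}: out via {out}, back via {back}")
```

A flow reported here is one where a per-router stateful filter would drop the return traffic, while per-packet probes such as traceroute still get through.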
Sloppy States [WAS: Re: Anyone can't access bsdly.net like I did? (and some other sites)]
On Tue, 16 Sep 2008 12:01:58 +0700, Constantine A. Murenin <[EMAIL PROTECTED]> wrote:
> 2008/9/16 Insan Praja SW <[EMAIL PROTECTED]>:
>> On Tue, 16 Sep 2008 04:27:00 +0700, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
>>> "Insan Praja SW" <[EMAIL PROTECTED]> writes:
>>>> My company recently bought 202[dot]90[dot]194[dot]0/23 IPs, and since we start using this IPs, I can't access www.bsdly.net and several others site on the net.
>>>
>>> Thanks for reporting this. I hope it's a temporary routing problem that will just disappear soon. By way of debugging, traceroute from here seems to try to take a scenic route to your subnet before ending up disallowed:
>>>
>>> [EMAIL PROTECTED]:~$ traceroute -I 202.90.194.1
>>> traceroute to 202.90.194.1 (202.90.194.1), 64 hops max, 60 byte packets
>>>  1 10.168.103.1 (10.168.103.1) 17.277 ms 0.960 ms 1.41 ms
>>>  2 213-187-179-197.dd.nextgentel.com (213.187.179.197) 19.26 ms 98.506 ms 99.858 ms
>>>  3 1.80-202-103.nextgentel.com (80.202.103.1) 15.629 ms 15.913 ms 15.874 ms
>>>  4 217-13-1-194.dd.nextgentel.com (217.13.1.194) 32.901 ms 23.91 ms 22.110 ms
>>>  5 80-202-2-74.dd.nextgentel.com (80.202.2.74) 22.41 ms 30.594 ms 22.997 ms
>>>  6 * * *
>>>  7 oso-b2-link.telia.net (213.248.92.57) 39.839 ms 32.912 ms 49.572 ms
>>>  8 kbn-bb2-link.telia.net (80.91.250.117) 42.493 ms 47.849 ms 30.725 ms
>>>  9 hbg-bb2-pos5-0-0.telia.net (213.248.65.125) 42.64 ms 34.820 ms 52.735 ms
>>> 10 ffm-bb2-pos7-0-0.telia.net (213.248.65.121) 44.386 ms ffm-bb2-link.telia.net (80.91.248.85) 54.624 ms ffm-bb2-pos7-0-0.telia.net (213.248.65.121) 51.565 ms
>>> 11 ffm-b3-link.telia.net (80.91.249.141) 49.492 ms 53.717 ms 45.759 ms
>>> 12 france-telecom-119877-ffm-b3.telia.net (213.248.77.206) 55.374 ms 46.38 ms 56.170 ms
>>> 13 * * *
>>> 14 * * *
>>> 15 * * *
>>> 16 202.188.139.165 (202.188.139.165) 360.863 ms 343.342 ms 343.545 ms
>>> 17 219.93.174.81 (219.93.174.81) 344.32 ms 361.180 ms 344.423 ms
>>> 18 58.27.124.57 (58.27.124.57) 337.910 ms 339.586 ms 337.497 ms
>>> 19 58.27.113.4 (58.27.113.4) 353.673 ms 353.621 ms 353.515 ms
>>> 20 219.94.12.141 (219.94.12.141) 364.484 ms 471.982 ms 354.163 ms
>>> 21 210.187.143.1 (210.187.143.1) 344.819 ms 343.707 ms 343.652 ms
>>> 22 202.188.224.118 (202.188.224.118) 353.726 ms 359.527 ms 354.379 ms
>>> 23 brf-backbone02-ether0-0.tm.net.my (202.188.0.8) 339.18 ms 337.942 ms 337.610 ms
>>> 24 58.26.88.6 (58.26.88.6) 636.253 ms 379.711 ms 381.87 ms
>>> 25 * * *
>>> 26 host67-123.cust.sat.net.id (202.149.67.123) 390.556 ms 382.394 ms 385.217 ms
>>> 27 * * *
>>> 28 * * *
>>> 29 * host67-123.cust.sat.net.id (202.149.67.123) 429.645 ms !H 394.636 ms !H
>>>
>>> A traceroute from your end would likely be useful at this point. bsdly.net unfortunately is not alone in our local /24, and it wouldn't surprise me overmuch if a "we-blacklist-/24s-and-/16s-because-we-can" operation is part of the problem. If it doesn't blow over automagically, I likely need to spend some time on this.
>>>
>>> Thanks, Peter
>>
>> Hi Peter,
>>
>> $ traceroute www.bsdly.net
>> traceroute to www.bsdly.net (213.187.179.198), 64 hops max, 40 byte packets
>>  1 core1-router (202.90.194.2) 3.408 ms 0.896 ms 2.939 ms
>>  2 202.149.95.69 (202.149.95.69) 6.388 ms 7.522 ms 6.905 ms
>>  3 bb-1.nx.satata.net (202.149.94.232) 5.890 ms 7.859 ms 7.434 ms
>>  4 58.26.88.5 (58.26.88.5) 38.867 ms 35.405 ms 33.918 ms
>>  5 219.93.151.211 (219.93.151.211) 33.849 ms 219.93.151.227 (219.93.151.227) 35.520 ms 219.93.151.211 (219.93.151.211) 35.670 ms
>>  6 if-7-3.mcore4.LAA-LosAngeles.as6453.net (216.6.85.37) 227.272 ms 226.752 ms 224.802 ms
>>  7 Vlan77.icore1.LAA-LosAngeles.as6453.net (216.6.85.46) 224.232 ms 232.287 ms 233.779 ms
>>  8 las-bb1-pos2-3-3.telia.net (213.248.94.49) 280.720 ms 274.574 ms 257.230 ms
>>  9 nyk-bb1-link.telia.net (80.91.252.226) 318.744 ms 318.127 ms 318.268 ms
>> 10 kbn-bb1-pos1-3-0.telia.net (213.248.64.21) 340.139 ms 339.660 ms 339.716 ms
>> 11 oso-b2-link.telia.net (80.91.254.234) 333.682 ms 334.749 ms 333.725 ms
>> 12 * nextgentel-ic-118934-oso-b3.c.telia.net (80.239.193.94) 338.705 ms 338.5 ms
>> 13 217-13-1-193.dd.nextgentel.com (217.13.1.193) 349.121 ms 348.724 ms 348.225 ms
>> 14 213-187-179-197.dd.nextgentel.com (213.187.179.197) 451.616 ms 399.687 ms 400.194 ms
>> 15 skapet.bsdly.net (213.187.179.198) 363.203 ms 362.121 ms 363.217 ms
>>
>> I got 2 upstreams, when I start prepending my ASNumber to my one of my upstream, I can magically access www.bsdly.net :D, even without prepending, in/out to your net is only using 1 upstream. So, it must be something on the other side. All my routers are openbsd 4.4-current, armed with BGPd and PF enabled. This may got something to do with stateful nature of PF, which I'm
>
> I think you might find PF's 'sloppy'
Re: Anyone can't access bsdly.net like I did? (and some other sites)
On Tue, 16 Sep 2008 04:27:00 +0700, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
> "Insan Praja SW" <[EMAIL PROTECTED]> writes:
>> My company recently bought 202[dot]90[dot]194[dot]0/23 IPs, and since we start using this IPs, I can't access www.bsdly.net and several others site on the net.
>
> Thanks for reporting this. I hope it's a temporary routing problem that will just disappear soon. By way of debugging, traceroute from here seems to try to take a scenic route to your subnet before ending up disallowed:
>
> [EMAIL PROTECTED]:~$ traceroute -I 202.90.194.1
> traceroute to 202.90.194.1 (202.90.194.1), 64 hops max, 60 byte packets
>  1 10.168.103.1 (10.168.103.1) 17.277 ms 0.960 ms 1.41 ms
>  2 213-187-179-197.dd.nextgentel.com (213.187.179.197) 19.26 ms 98.506 ms 99.858 ms
>  3 1.80-202-103.nextgentel.com (80.202.103.1) 15.629 ms 15.913 ms 15.874 ms
>  4 217-13-1-194.dd.nextgentel.com (217.13.1.194) 32.901 ms 23.91 ms 22.110 ms
>  5 80-202-2-74.dd.nextgentel.com (80.202.2.74) 22.41 ms 30.594 ms 22.997 ms
>  6 * * *
>  7 oso-b2-link.telia.net (213.248.92.57) 39.839 ms 32.912 ms 49.572 ms
>  8 kbn-bb2-link.telia.net (80.91.250.117) 42.493 ms 47.849 ms 30.725 ms
>  9 hbg-bb2-pos5-0-0.telia.net (213.248.65.125) 42.64 ms 34.820 ms 52.735 ms
> 10 ffm-bb2-pos7-0-0.telia.net (213.248.65.121) 44.386 ms ffm-bb2-link.telia.net (80.91.248.85) 54.624 ms ffm-bb2-pos7-0-0.telia.net (213.248.65.121) 51.565 ms
> 11 ffm-b3-link.telia.net (80.91.249.141) 49.492 ms 53.717 ms 45.759 ms
> 12 france-telecom-119877-ffm-b3.telia.net (213.248.77.206) 55.374 ms 46.38 ms 56.170 ms
> 13 * * *
> 14 * * *
> 15 * * *
> 16 202.188.139.165 (202.188.139.165) 360.863 ms 343.342 ms 343.545 ms
> 17 219.93.174.81 (219.93.174.81) 344.32 ms 361.180 ms 344.423 ms
> 18 58.27.124.57 (58.27.124.57) 337.910 ms 339.586 ms 337.497 ms
> 19 58.27.113.4 (58.27.113.4) 353.673 ms 353.621 ms 353.515 ms
> 20 219.94.12.141 (219.94.12.141) 364.484 ms 471.982 ms 354.163 ms
> 21 210.187.143.1 (210.187.143.1) 344.819 ms 343.707 ms 343.652 ms
> 22 202.188.224.118 (202.188.224.118) 353.726 ms 359.527 ms 354.379 ms
> 23 brf-backbone02-ether0-0.tm.net.my (202.188.0.8) 339.18 ms 337.942 ms 337.610 ms
> 24 58.26.88.6 (58.26.88.6) 636.253 ms 379.711 ms 381.87 ms
> 25 * * *
> 26 host67-123.cust.sat.net.id (202.149.67.123) 390.556 ms 382.394 ms 385.217 ms
> 27 * * *
> 28 * * *
> 29 * host67-123.cust.sat.net.id (202.149.67.123) 429.645 ms !H 394.636 ms !H
>
> A traceroute from your end would likely be useful at this point. bsdly.net unfortunately is not alone in our local /24, and it wouldn't surprise me overmuch if a "we-blacklist-/24s-and-/16s-because-we-can" operation is part of the problem. If it doesn't blow over automagically, I likely need to spend some time on this.
>
> Thanks, Peter

Hi Peter,

$ traceroute www.bsdly.net
traceroute to www.bsdly.net (213.187.179.198), 64 hops max, 40 byte packets
 1 core1-router (202.90.194.2) 3.408 ms 0.896 ms 2.939 ms
 2 202.149.95.69 (202.149.95.69) 6.388 ms 7.522 ms 6.905 ms
 3 bb-1.nx.satata.net (202.149.94.232) 5.890 ms 7.859 ms 7.434 ms
 4 58.26.88.5 (58.26.88.5) 38.867 ms 35.405 ms 33.918 ms
 5 219.93.151.211 (219.93.151.211) 33.849 ms 219.93.151.227 (219.93.151.227) 35.520 ms 219.93.151.211 (219.93.151.211) 35.670 ms
 6 if-7-3.mcore4.LAA-LosAngeles.as6453.net (216.6.85.37) 227.272 ms 226.752 ms 224.802 ms
 7 Vlan77.icore1.LAA-LosAngeles.as6453.net (216.6.85.46) 224.232 ms 232.287 ms 233.779 ms
 8 las-bb1-pos2-3-3.telia.net (213.248.94.49) 280.720 ms 274.574 ms 257.230 ms
 9 nyk-bb1-link.telia.net (80.91.252.226) 318.744 ms 318.127 ms 318.268 ms
10 kbn-bb1-pos1-3-0.telia.net (213.248.64.21) 340.139 ms 339.660 ms 339.716 ms
11 oso-b2-link.telia.net (80.91.254.234) 333.682 ms 334.749 ms 333.725 ms
12 * nextgentel-ic-118934-oso-b3.c.telia.net (80.239.193.94) 338.705 ms 338.5 ms
13 217-13-1-193.dd.nextgentel.com (217.13.1.193) 349.121 ms 348.724 ms 348.225 ms
14 213-187-179-197.dd.nextgentel.com (213.187.179.197) 451.616 ms 399.687 ms 400.194 ms
15 skapet.bsdly.net (213.187.179.198) 363.203 ms 362.121 ms 363.217 ms

I got 2 upstreams, when I start prepending my ASNumber to my one of my upstream, I can magically access www.bsdly.net :D, even without prepending, in/out to your net is only using 1 upstream. So, it must be something on the other side. All my routers are openbsd 4.4-current, armed with BGPd and PF enabled. This may got something to do with stateful nature of PF, which I'm trying to manage :D

Thanks,
Insan
--
insandotpraja(at)gmaildotcom
Re: Anyone can't access bsdly.net like I did? (and some other sites)
"Insan Praja SW" <[EMAIL PROTECTED]> writes:
> My company recently bought 202[dot]90[dot]194[dot]0/23 IPs, and since
> we start using this IPs, I can't access www.bsdly.net and several
> others site on the net.

Thanks for reporting this. I hope it's a temporary routing problem that will just disappear soon. By way of debugging, traceroute from here seems to try to take a scenic route to your subnet before ending up disallowed:

[EMAIL PROTECTED]:~$ traceroute -I 202.90.194.1
traceroute to 202.90.194.1 (202.90.194.1), 64 hops max, 60 byte packets
 1 10.168.103.1 (10.168.103.1) 17.277 ms 0.960 ms 1.41 ms
 2 213-187-179-197.dd.nextgentel.com (213.187.179.197) 19.26 ms 98.506 ms 99.858 ms
 3 1.80-202-103.nextgentel.com (80.202.103.1) 15.629 ms 15.913 ms 15.874 ms
 4 217-13-1-194.dd.nextgentel.com (217.13.1.194) 32.901 ms 23.91 ms 22.110 ms
 5 80-202-2-74.dd.nextgentel.com (80.202.2.74) 22.41 ms 30.594 ms 22.997 ms
 6 * * *
 7 oso-b2-link.telia.net (213.248.92.57) 39.839 ms 32.912 ms 49.572 ms
 8 kbn-bb2-link.telia.net (80.91.250.117) 42.493 ms 47.849 ms 30.725 ms
 9 hbg-bb2-pos5-0-0.telia.net (213.248.65.125) 42.64 ms 34.820 ms 52.735 ms
10 ffm-bb2-pos7-0-0.telia.net (213.248.65.121) 44.386 ms ffm-bb2-link.telia.net (80.91.248.85) 54.624 ms ffm-bb2-pos7-0-0.telia.net (213.248.65.121) 51.565 ms
11 ffm-b3-link.telia.net (80.91.249.141) 49.492 ms 53.717 ms 45.759 ms
12 france-telecom-119877-ffm-b3.telia.net (213.248.77.206) 55.374 ms 46.38 ms 56.170 ms
13 * * *
14 * * *
15 * * *
16 202.188.139.165 (202.188.139.165) 360.863 ms 343.342 ms 343.545 ms
17 219.93.174.81 (219.93.174.81) 344.32 ms 361.180 ms 344.423 ms
18 58.27.124.57 (58.27.124.57) 337.910 ms 339.586 ms 337.497 ms
19 58.27.113.4 (58.27.113.4) 353.673 ms 353.621 ms 353.515 ms
20 219.94.12.141 (219.94.12.141) 364.484 ms 471.982 ms 354.163 ms
21 210.187.143.1 (210.187.143.1) 344.819 ms 343.707 ms 343.652 ms
22 202.188.224.118 (202.188.224.118) 353.726 ms 359.527 ms 354.379 ms
23 brf-backbone02-ether0-0.tm.net.my (202.188.0.8) 339.18 ms 337.942 ms 337.610 ms
24 58.26.88.6 (58.26.88.6) 636.253 ms 379.711 ms 381.87 ms
25 * * *
26 host67-123.cust.sat.net.id (202.149.67.123) 390.556 ms 382.394 ms 385.217 ms
27 * * *
28 * * *
29 * host67-123.cust.sat.net.id (202.149.67.123) 429.645 ms !H 394.636 ms !H

A traceroute from your end would likely be useful at this point. bsdly.net unfortunately is not alone in our local /24, and it wouldn't surprise me overmuch if a "we-blacklist-/24s-and-/16s-because-we-can" operation is part of the problem. If it doesn't blow over automagically, I likely need to spend some time on this.

Thanks,
Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Anyone can't access bsdly.net like I did? (and some other sites)
Hi Misc@,

My company recently bought 202[dot]90[dot]194[dot]0/23 IPs, and since we start using this IPs, I can't access www.bsdly.net and several others site on the net. When check through robtex.com, a company in India seem to still include these IPs into their RADB database. I can't email them, browse their sites, maybe because of antispoof things.

We asked our upstream to include this IPs to their radb accounts, but it seem nothing to changes, as we check to robtex.com, these IPs still originated as AS9829 route-object. But hey, I can still browse www.openbsd.org

I really appreciate if anyone in the list could help me getting these IPs to be correctly accepted to browse the internet.

Best Regards,
Insan
--
insandotpraja(at)gmaildotcom