Hulloo misc@,
I come for advice, because I am frankly out of my depth.
I have two firewalls, at two different sites, one (which I shall call
SE) running 4.0-RELEASE with GENERIC, and one called WM (being upgraded
over Christmas) on 3.8-RELEASE and GENERIC.
Behind them at each end there are file servers, running Debian.
The networking setups are somewhat complex, with the WM site having two
routers CARPing, and the SE site having two routers CARPing on vlan
interfaces.
SSH from one router works fine, in both directions, and I cannot find
any problems with it.
When I attempt from the file server at SE to the file server at WM,
tcpdump shows me that everything works fine until the SSH client does
'Key Exchange Init', at which point the ACKs become FIN,ACKs, the server
sends 'Previous segment lost', and then the server sends its own 'Key
Exchange Init', but its flagged as being a retransmission.
(Note: I have tcpdumps from both ends, which I will send out if asked,
but I am reluctant to post them as they are both large and non-IP-sanitised)
I suspect any of MTU isses, possible combined with the presence of
vlans, or perhaps the fact that we are doing nat'ed nat, because the
building server guys at the SE site will only hand out IPs in the 10./8
range, which they then point external IPs at.
If anyone has any ideas of where I should even start looking, they will
be digging me out of an immense hole and become gods in my eyes. Or
something. :-)
Useful info:
=
pf.conf from the WM site:
=
# Some definitions
int_if = "em0"
ext_if = "bge0"
sync_if = "bge1"
fileserver_ip="aaa.bbb.ccc.ddd"
office_net = "10.0.1.0/24"
switch_net = "10.0.2.0/24"
vpn_net = "10.0.3.0/24"
int_nets = "{ 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Scrub all incomming traffic
#scrub in all
# Perform nat on any internal traffic going outside
nat on bge0 from $office_net to any -> carp1:0
nat on bge0 from $vpn_net to any -> carp1:0
# File Server
rdr pass on $ext_if proto tcp from any to $fileserver_ip port 22 ->
10.0.1.7 port 22
# Start by denying all traffic
block all
# Don't apply any rules to the loopback interface
pass quick on lo0 all
# Block private subnets
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# Pass pfsync and carp protocols for failover
pass proto carp
pass proto pfsync
# Pass traffic on pfsync interface
pass on $sync_if
# Allow SSH from outside
pass in on $ext_if proto tcp from any to any port ssh
# Allow any traffic to flow out of the firewall to the external interface
pass out on $ext_if
# Allow all internal traffic in and out
pass in on $int_if
pass out on $int_if
# Allow ICMP traffic
pass in inet proto icmp all icmp-type echoreq keep state
# Allow internal traffic
pass in on $int_if from $int_nets to any keep state
pass in on $int_if from any to $int_nets keep state
# Keep state on related and extablished traffic back from the external
interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } keep state
pass in on $ext_if proto icmp keep state
===
pf.conf from SE router:
===
building_if="vlan0"
building_ip="ee.ff.gg.hh" # 10./8 address from building network
office_if="vlan1"
office_ip="10.0.4.254"
office_network="10.0.4.0/24"
vlan_if="bge1"
pfsync_if="bge0"
set skip on lo
#scrub in
#NAT
nat on $building_if from $office_network -> $building_ip
# Forward LDAPS to BDC
rdr pass on $building_if proto tcp from any to $building_ip port ldap ->
10.0.4.3 port ldap
rdr pass on $building_if proto tcp from any to $building_ip port 222 ->
10.0.4.3 port ssh
#FILTER
block all
# VLAN master interface
#block drop quick on $vlan_if
# Access to router from external
pass in on $building_if proto tcp from any to $building_ip port ssh
# Pass traffic
pass out on $building_if proto tcp all flags S/SA modulate state
pass out on $building_if proto udp all keep state
pass out on $building_if proto icmp all keep state
pass in on $building_if proto icmp all keep state
# Pass all on other interfaces
pass on $office_if
# Pass on pfsync link
pass quick on $pfsync_if
# CARP
pass proto carp
pass proto pfsync
===
That's about all I've got to go on, barring the tcpdumps, which I can
easily email to any who think they're relevant.
What am I missing guys? More importantly, which blindingly obvious
manpage entry did I miss?
Here's hoping someone has some inspiration before the customer goes nuts :-/
--
Richard 'Dave' Wilson
Systems Administrator
Senokian Solutions Ltd.
Business Innovation Centre,
Binley Business Park, Coventry,
United Kingdom
CV3 2TX
T: +44 (0)24 76 233 400
DDI: +44 (0)24 76 233 416
F: +44 (0)24 76 233 401
