Re: ip not forwarding after 4.0 rebuild.

2006-11-15 Thread nuffnough
On 14/11/06, Bob DeBolt <[EMAIL PROTECTED]> wrote:
>
> On Monday 13 November 2006 7:53 pm, you wrote:
>
> > But I don't know what I need to do differently to change the
> > situations.
>
> Is pf enabled and blocking perhaps?

Thanks for everyone's help. It must have been something weird (like my
brain at 5 in the morning). I've rebuilt the system now and it is working
great.


Re: ip not forwarding after 4.0 rebuild.

2006-11-13 Thread Bob DeBolt
On Monday 13 November 2006 7:53 pm, you wrote:

> But I don't know what I need to do differently to change the
> situations.

Is pf enabled and blocking perhaps?


Bob D


Re: ip not forwarding after 4.0 rebuild.

2006-11-13 Thread nuffnough
On 14/11/06, Pierre Lamy <[EMAIL PROTECTED]> wrote:
>
> You got link on the interface? Even if you do maybe the cable is bad.

I can ssh into the system using the local interface IP. Once there I can
ping devices on all the networks, including the internet. Problem is that
any device on Network A can ping any other device on Network A, but cannot
ping anything outside.

tcpdump traffic of any attempt to ping shows the traffic arriving on the
interface local to the device that is pinging, but no traffic is seen on
the interface that is local to the destination device.

It isn't the cable. I understand that this is odd, that is why I am
turning to the list for help. The setting to allow forwarding is turned
on, sysctl shows the kernel knows this, but still packets are not being
forwarded. I will try another rebuild next, because that doesn't take much
time. But I don't know what I need to do differently to change the
situation.

Thanks for the reply.

nuffnough.


ip not forwarding after 4.0 rebuild.

2006-11-13 Thread nuffnough
I've been running 3.9 in a CARP pair for my firewalls.

So I upgrade the box (well, rebuild it from scratch using the new CD),
and things seem fine on the first log in. I fix up all the config
files, so that all the 3.9 settings are in place, and make sure to pay
attention to the settings that are new (like ipsec=NO in rc.conf).

I test a failover and find that the interfaces are failing over
individually.  So I check the sysctl.conf setting for carp preempt and
it is set to 1,  which is good.  But also a bit confusing.

A little more investigation and I find the system isn't forwarding
packets at all.  Despite the setting in sysctl.conf,  and also in the
kernel according to the sysctl command.  Check the
following console output:


# uname -a
OpenBSD nuffi.nough.com 4.0 GENERIC#1107 i386
# date
Tue Nov 14 02:01:52 EST 2006
# tcpdump -nettt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
^C
0 packets received by filter
0 packets dropped by kernel
# date
Tue Nov 14 02:03:29 EST 2006
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 1 -> 1
# sysctl net.inet.ip.forwarding=0
net.inet.ip.forwarding: 1 -> 0
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
# cat /etc/sysctl.conf | grep forward | grep -v 6
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
# sysctl net.inet.carp.preempt
net.inet.carp.preempt=1

tcpdump shows the phase 2 VPN traffic coming back into the box from the
peers on the external interface, but none are properly established.

I thought that the only thing that I needed to turn on for packet
forwarding was that setting in sysctl.conf...  Is there something that
I am missing?

If a system you'd built was doing this,  what would you do next?

TIA

Nuffnough
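The situation the thread circles around (forwarding is on in the kernel, yet nothing crosses the box and pflog0 stays silent) can be narrowed down with three commands on the router. The following is an added example, not code from the thread or from OpenBSD: a small POSIX sh checklist that takes the output of `sysctl net.inet.ip.forwarding`, `pfctl -s info` and `pfctl -s rules` and says which of the usual culprits is present. Its one non-obvious point is that pflog0 only ever sees packets matched by a rule carrying the `log` keyword, so an empty `tcpdump -i pflog0` does not prove pf is not blocking. The interface names (fxp0, fxp1) and the rules in the sample are constructed for the demo, not the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the thread: an offline checklist for an OpenBSD router
# that has net.inet.ip.forwarding=1 but still does not pass traffic between
# interfaces. Each check takes the OUTPUT of a command as its argument, so it
# works on the box itself (with "$(pfctl -s info)") or on saved output elsewhere.
# Interface names and rules below are constructed for the demo, not the poster's.

# Returns 0 if `sysctl net.inet.ip.forwarding` says forwarding is on.
forwarding_on() {
    printf '%s\n' "$1" | grep -q '^net\.inet\.ip\.forwarding=1$'
}

# Returns 0 if `pfctl -s info` reports pf enabled (first line: "Status: Enabled for ...").
pf_on() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# Prints the block rules from `pfctl -s rules` that carry no "log" keyword.
# Such rules drop packets without writing to pflog0, so an empty
# `tcpdump -i pflog0` does not clear pf.
silent_block_rules() {
    printf '%s\n' "$1" | grep '^block' | grep -v -E '(^| )log( |$)'
}

# Verdict: argument 1 = sysctl output, 2 = `pfctl -s info`, 3 = `pfctl -s rules`.
# Exit 1 = forwarding off, 2 = pf may be dropping silently, 0 = look elsewhere.
diagnose() {
    if ! forwarding_on "$1"; then
        echo "forwarding: OFF; set net.inet.ip.forwarding=1 before anything else"
        return 1
    fi
    if ! pf_on "$2"; then
        echo "forwarding: on; pf: disabled; check routes and interface addresses next"
        return 0
    fi
    n=$(silent_block_rules "$3" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "forwarding: on; pf: enabled; $n block rule(s) without log can drop silently"
        return 2
    fi
    echo "forwarding: on; pf: enabled; every block rule logs, so watch pflog0, then routes"
    return 0
}

# Constructed sample output for an offline run (not captured from any real box).
SAMPLE_SYSCTL='net.inet.ip.forwarding=1'
SAMPLE_INFO='Status: Enabled for 0 days 00:02:11           Debug: Urgent'
SAMPLE_RULES='pass in on fxp0 all
block drop in on fxp1 all
pass out all keep state'

# On the router itself the same call is:
#   diagnose "$(sysctl net.inet.ip.forwarding)" "$(pfctl -s info)" "$(pfctl -s rules)"
diagnose "$SAMPLE_SYSCTL" "$SAMPLE_INFO" "$SAMPLE_RULES" || :
```

If the verdict is 2, the quickest confirmation is to add `log` to the block rules (or to a single `block log all` at the top) and watch pflog0 again; disabling pf outright with `pfctl -d` for one test ping, then `pfctl -e`, also settles the question, but only do that where a few seconds without a firewall is acceptable. A verdict of 0 with pf enabled means the next suspects are the routing table (`netstat -rn`) and the interface addresses on the inside networks, not pf.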