NAT problem with pppoe
user name
2008-05-20 15:56:37
Hi,

I suspect pf is caching invalid outdated dynamic addresses. After this happens, all requests sent from internal hosts are sent with the previous dynamic address as source address and are ignored by our provider. Requests sent directly from our pf-box use the new dynamic address as expected.

/etc/pf.conf

ext_if="tun0"
external_net="!192.168.0.0/16"

nat on $ext_if from !($ext_if) -> ($ext_if)

anchor portupgrade out on $ext_if
pass out on $ext_if from ($ext_if) to $external_net tagged FORWARD
pass quick proto { tcp, udp } from $dns_server to <dnsServer> port domain tag FORWARD

the anchor portupgrade is filled with the ppp-linkup script (DNS0/1)

pass quick inet proto udp from (tun0) to 212.18.3.5 port = domain keep state

Sending HUP to ppp doesn't eliminate the problem; pfctl -d/-e and a restart of the internal server solve it.

The pf-box uses FreeBSD 7.0 stable; usermode-ppp is used to connect with the provider.

Any suggestions?

Thanks
Reinhard
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: NAT problem with pppoe
user name
2008-05-21 03:40:00
Reinhard Haller <reinhard.haller@interactive-net.de> wrote:
>
> Sending HUP to ppp doesn't eliminate the problem, pfctl -d/-e and a
> restart of the internal server solve it.

I suggest that your ppp "if_down" script make use of the "pfctl -k" command to kill state entries that have to do with the IP that is being removed.

-- 
David DeSimone == Network Admin == fox@verio.net

Re: NAT problem with pppoe
user name
2008-05-27 02:22:01
Hi David,

David DeSimone wrote:
> Reinhard Haller <reinhard.haller@interactive-net.de> wrote:
>
>> Sending HUP to ppp doesn't eliminate the problem, pfctl -d/-e and a
>> restart of the internal server solve it.
>
> I suggest that your ppp "if_down" script make use of the "pfctl -k"
> command to kill state entries that have to do with the IP that is being
> removed.
>
16:45 linkdown: pfctl -k 88.217.34.98
16:45 linkup: myaddr=82.135.87.233
16:48 dns-request with 88.217.34.98 as source address to 212.18.0.5

Our DNS queries from internal servers are still sent with the old dynamic address as source address, whereas a local dig on the pf-box uses the new dynamic address.

Any suggestions where to search?

Thanks
Reinhard

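Added example, not from the thread and not David's or Reinhard's code: a POSIX sh helper that turns a pf state dump into the "pfctl -k" commands David suggests, keyed by the internal source and the external destination instead of by the translated address. It assumes the old pf state-dump format ("IF PROTO LAN -> GWY -> EXT STATE", IPv4 only) and that for outbound NAT states pfctl -k matches the pre-translation endpoints, which would explain why "pfctl -k 88.217.34.98" in the log above left the DNS state alive; the sample states are constructed from the addresses in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Emit "pfctl -k" commands for NAT
# states still bound to a PPP address that has just been dropped.
#
# Assumed state-dump format (old pf, FreeBSD 7.x, IPv4), one state per line:
#   IF PROTO LAN -> GWY -> EXT   STATE     (outbound, translated)
#   IF PROTO SRC -> DST          STATE     (not translated)
# Assumed pfctl -k behaviour: outbound NAT states are matched on the
# internal (pre-NAT) source and the external destination, not on GWY,
# so "pfctl -k <old public address>" by itself does not remove them.

# stale_state_kills OLDADDR < statedump
# Prints "pfctl -k LAN_IP -k EXT_IP" for every state translated to OLDADDR.
stale_state_kills() {
    old="$1"
    while read -r _if _proto lan arrow1 gwy arrow2 ext _rest; do
        # only the three-endpoint form carries a translation
        [ "$arrow1" = "->" ] && [ "$arrow2" = "->" ] || continue
        [ "${gwy%:*}" = "$old" ] || continue
        printf 'pfctl -k %s -k %s\n' "${lan%:*}" "${ext%:*}"
    done
}

# Constructed sample in the assumed format: two states still translated to
# the old address 88.217.34.98 and one state opened after the new address
# 82.135.87.233 came up (addresses taken from the thread).
SAMPLE_STATES='tun0 udp 192.168.1.10:53 -> 88.217.34.98:53 -> 212.18.0.5:53   SINGLE:MULTIPLE
tun0 tcp 192.168.1.20:4711 -> 88.217.34.98:60001 -> 212.18.3.5:53   ESTABLISHED:ESTABLISHED
tun0 udp 82.135.87.233:1025 -> 212.18.0.5:53   SINGLE:MULTIPLE'

# demo_kills OLDADDR: run the helper over the constructed sample.
demo_kills() {
    printf '%s\n' "$SAMPLE_STATES" | stale_state_kills "$1"
}

# In the ppp linkdown hook the live table replaces the sample; the hook
# already knows the address being removed (see the linkdown line above):
#   pfctl -ss | stale_state_kills "$OLD_ADDR" | sh
```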