terra2039
Newbie

The problem is this. The Internet connection from the ISP is a static one. The gateway itself pings everything fine. The task is to give the workstations access to the Internet. Here is my config.

ext_if="re0"
int_if="vr0"
set skip on lo
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if:0)

Routing table.

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            84.253.86.153      GS         8     4179     -     8 re0
84.253.86.152/30   link#1             C          2        0     -     4 re0
84.253.86.153      00:0f:23:93:0f:1b  HLc        1        0     -     4 re0
84.253.86.155      link#1             HLc        1       48     -     4 re0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         2      165 33200     4 lo0
192.168.1/24       link#2             UC         3        0     -     4 vr0
192.168.1.1        00:26:5a:06:2f:65  UHLc       1       56     -     4 lo0
192.168.1.11       00:1f:d0:c9:02:8f  UHLc       2      238     -     4 vr0
192.168.1.255      link#2             UHLc       2       47     -     4 vr0
192.168.2/24       link#3             C          1        0     -     4 vr1
192.168.2.255      link#3             HLc        2       47     -     4 vr1
224/4              127.0.0.1          URS        0        0 33200     8 lo0

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/104                             ::1                            UGRS       0        0     -     8 lo0
::/96                              ::1                            UGRS       0        0     -     8 lo0
::1                                ::1                            UH        14        0 33200     4 lo0
::127.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0
::224.0.0.0/100                    ::1                            UGRS       0        0     -     8 lo0
::255.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0     -     8 lo0
2002::/24                          ::1                            UGRS       0        0     -     8 lo0
2002:7f00::/24                     ::1                            UGRS       0        0     -     8 lo0
2002:e000::/20                     ::1                            UGRS       0        0     -     8 lo0
2002:ff00::/24                     ::1                            UGRS       0        0     -     8 lo0
fe80::/10                          ::1                            UGRS       0        0     -     8 lo0
fe80::%re0/64                      link#1                         C          0        0     -     4 re0
fe80::226:18ff:fed3:9c1a%re0       00:26:18:d3:9c:1a              UHL        0        0     -     4 lo0
fe80::%vr0/64                      link#2                         UC         0        0     -     4 vr0
fe80::226:5aff:fe06:2f65%vr0       00:26:5a:06:2f:65              UHL        0        0     -     4 lo0
fe80::%vr1/64                      link#3                         C          0        0     -     4 vr1
fe80::226:5aff:fe06:2dee%vr1       00:26:5a:06:2d:ee              HL         0        0     -     4 lo0
fe80::%lo0/64                      fe80::1%lo0                    U          0        0     -     4 lo0
fe80::1%lo0                        link#5                         UHL        0        0     -     4 lo0
fec0::/10                          ::1                            UGRS       0        0     -     8 lo0
ff01::/16                          ::1                            UGRS       0        0     -     8 lo0
ff01::%re0/32                      link#1                         C          0        0     -     4 re0
ff01::%vr0/32                      link#2                         UC         0        0     -     4 vr0
ff01::%vr1/32                      link#3                         C          0        0     -     4 vr1
ff01::%lo0/32                      ::1                            UC         0        0     -     4 lo0
ff02::/16                          ::1                            UGRS       0        0     -     8 lo0
ff02::%re0/32                      link#1                         C          0        0     -     4 re0
ff02::%vr0/32                      link#2                         UC         0        0     -     4 vr0
ff02::%vr1/32                      link#3                         C          0        0     -     4 vr1
ff02::%lo0/32                      ::1                            UC         0        0     -     4 lo0

Ping does not go through from the local machines. More precisely, the situation is this: the local machines can see the domain name yandex and its IP, but ping does not get through. The workstations can ping the gateway's external interface. Entering the commands:

bash-4.0# pfctl -f /etc/pf.conf
bash-4.0# ping ya.ru
PING ya.ru (93.158.134.3): 56 data bytes
64 bytes from 93.158.134.3: icmp_seq=0 ttl=61 time=3.282 ms
64 bytes from 93.158.134.3: icmp_seq=1 ttl=61 time=3.275 ms
--- ya.ru ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.275/3.278/3.282/0.057 ms
bash-4.0# tcpdump -i re0
tcpdump: listening on re0, link-type EN10MB
18:12:18.929882 192.168.1.11 > 195.128.60.37: icmp: echo request
18:12:19.056186 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:19.059109 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:19.898560 c154-86.ntt.ru.36250 > 195.28.32.3.domain: 61753+ PTR? 37.60.128.195.in-addr.arpa. (44)
18:12:20.068325 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:20.072131 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:20.116597 c154-86.ntt.ru.16279 > 195.28.32.3.domain: 49724+ AAAA? 127.0.0.1. (27)
18:12:20.118990 195.28.32.3.domain > c154-86.ntt.ru.16279: 49724 NXDomain* 0/1/0 (102)
18:12:20.119211 c154-86.ntt.ru.4614 > 195.28.32.3.domain: 55809+ AAAA? 127.0.0.1.fullstreets.ru. (42)
18:12:20.121258 195.28.32.3.domain > c154-86.ntt.ru.4614: 55809 NXDomain* 0/1/0 (100)
18:12:20.121440 c154-86.ntt.ru.29804 > 195.28.32.3.domain: 52576+ AAAA? 127.0.0.1. (27)
18:12:20.123605 195.28.32.3.domain > c154-86.ntt.ru.29804: 52576 NXDomain* 0/1/0 (102)
18:12:20.123678 c154-86.ntt.ru.13374 > 195.28.32.3.domain: 48840+ AAAA? 127.0.0.1.fullstreets.ru. (42)
18:12:20.125740 195.28.32.3.domain > c154-86.ntt.ru.13374: 48840 NXDomain* 0/1/0 (100)
18:12:20.405203 195.28.32.3.domain > c154-86.ntt.ru.36250: 61753 NXDomain* 0/1/0 (94)
18:12:20.405566 c154-86.ntt.ru.7269 > 195.28.32.3.domain: 54835+ PTR? 154.86.253.84.in-addr.arpa. (44)
18:12:20.407742 195.28.32.3.domain > c154-86.ntt.ru.7269: 54835* 1/2/2 PTR c154-86.ntt.ru. (139)
18:12:21.080532 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:21.083540 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:22.093822 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:22.097747 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:22.428435 76.11.126.99.61975 > c154-86.ntt.ru.18939: udp 103
18:12:22.428466 c154-86.ntt.ru > 76.11.126.99: icmp: c154-86.ntt.ru udp port 18939 unreachable
18:12:23.104841 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:23.107875 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:24.117000 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:24.120363 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:24.430097 192.168.1.11 > 195.128.60.37: icmp: echo request
18:12:25.129255 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:25.132382 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
18:12:26.141054 c154-86.ntt.ru > 77.88.21.3: icmp: echo request
18:12:26.144477 77.88.21.3 > c154-86.ntt.ru: icmp: echo reply
^C
32 packets received by filter
0 packets dropped by kernel
You have new mail in /var/mail/root
bash-4.0# tcpdump -i vr0
tcpdump: listening on vr0, link-type EN10MB
18:12:37.230061 192.168.1.1.ssh > 192.168.1.11.1089: P 424954369:424954453(84) ack 1838470197 win 17520 (DF) [tos 0x10]
18:12:37.230641 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 84 win 65535 (DF)
18:12:37.277337 192.168.1.1.ssh > 192.168.1.11.1079: P 2158184528:2158184628(100) ack 2080860177 win 17520 (DF) [tos 0x8]
18:12:37.397694 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 100 win 64835 (DF)
18:12:38.289382 192.168.1.1.ssh > 192.168.1.11.1079: P 100:200(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:38.299438 192.168.1.1.ssh > 192.168.1.11.1089: P 84:248(164) ack 1 win 17520 (DF) [tos 0x10]
18:12:38.299473 192.168.1.1.ssh > 192.168.1.11.1089: P 248:492(244) ack 1 win 17520 (DF) [tos 0x10]
18:12:38.299501 192.168.1.1.ssh > 192.168.1.11.1089: P 492:720(228) ack 1 win 17520 (DF) [tos 0x10]
18:12:38.300079 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 492 win 65127 (DF)
18:12:38.491471 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 200 win 64735 (DF)
18:12:38.491485 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 720 win 64899 (DF)
18:12:39.298546 192.168.1.1.ssh > 192.168.1.11.1089: P 720:1300(580) ack 1 win 17520 (DF) [tos 0x10]
18:12:39.301586 192.168.1.1.ssh > 192.168.1.11.1079: P 200:300(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:39.475872 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 1300 win 64319 (DF)
18:12:39.475886 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 300 win 64635 (DF)
18:12:40.300552 192.168.1.1.ssh > 192.168.1.11.1089: P 1300:1544(244) ack 1 win 17520 (DF) [tos 0x10]
18:12:40.300608 192.168.1.1.ssh > 192.168.1.11.1089: P 1544:1756(212) ack 1 win 17520 (DF) [tos 0x10]
18:12:40.301214 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 1756 win 65535 (DF)
18:12:40.313441 192.168.1.1.ssh > 192.168.1.11.1079: P 300:400(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:40.460271 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 400 win 64535 (DF)
18:12:40.929074 192.168.1.11 > 195.128.60.37: icmp: echo request
18:12:41.302696 192.168.1.1.ssh > 192.168.1.11.1089: P 1756:2000(244) ack 1 win 17520 (DF) [tos 0x10]
18:12:41.302761 192.168.1.1.ssh > 192.168.1.11.1089: P 2000:2308(308) ack 1 win 17520 (DF) [tos 0x10]
18:12:41.303376 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 2308 win 64983 (DF)
18:12:41.305158 192.168.1.1.ssh > 192.168.1.11.1089: P 2308:2424(116) ack 1 win 17520 (DF) [tos 0x10]
18:12:41.325984 192.168.1.1.ssh > 192.168.1.11.1079: P 400:500(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:41.444669 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 500 win 64435 (DF)
18:12:41.444684 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 2424 win 64867 (DF)
18:12:42.304824 192.168.1.1.ssh > 192.168.1.11.1089: P 2424:2572(148) ack 1 win 17520 (DF) [tos 0x10]
18:12:42.304885 192.168.1.1.ssh > 192.168.1.11.1089: P 2572:2896(324) ack 1 win 17520 (DF) [tos 0x10]
18:12:42.304916 192.168.1.1.ssh > 192.168.1.11.1089: P 2896:3124(228) ack 1 win 17520 (DF) [tos 0x10]
18:12:42.304942 192.168.1.1.ssh > 192.168.1.11.1089: P 3124:3256(132) ack 1 win 17520 (DF) [tos 0x10]
18:12:42.305460 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 2896 win 64395 (DF)
18:12:42.305481 192.168.1.11.1089 > 192.168.1.1.ssh: . ack 3256 win 65535 (DF)
18:12:42.338224 192.168.1.1.ssh > 192.168.1.11.1079: P 500:600(100) ack 1 win 17520 (DF) [tos 0x8]
18:12:42.538442 192.168.1.11.1079 > 192.168.1.1.ssh: . ack 600 win 64335 (DF)
^C
46 packets received by filter
0 packets dropped by kernel
bash-4.0# pfctl -s rules
match out on re0 inet from 192.168.1.0/24 to any nat-to (re0) round-robin
bash-4.0# ^C
bash-4.0# ping 195.128.60.37
PING 195.128.60.37 (195.128.60.37): 56 data bytes
64 bytes from 195.128.60.37: icmp_seq=0 ttl=60 time=3.777 ms
64 bytes from 195.128.60.37: icmp_seq=1 ttl=60 time=5.983 ms
64 bytes from 195.128.60.37: icmp_seq=2 ttl=60 time=3.657 ms
--- 195.128.60.37 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.657/4.472/5.983/1.070 ms

Forwarding.

sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

cat /etc/rc.conf | grep pf.conf
ospfd_flags=no          # for normal use
ospf6d_flags=no         # for normal use
pf=YES                  # Packet filter / NAT
pf_rules=/etc/pf.conf   # Packet filter rules file
pflogd_flags            # add more ie. " -s 256"