User login

Poll

Window manager/desktop favorit?
KDE
10%
Gnome
45%
XFCE
30%
Enlightenment
0%
Blackbox, Fluxbox
15%
Windowmaker
0%
Altceva
0%
Total votes: 20

Partners

[banner]

[banner]

[banner]

Home » Forums » Discutii generale » Retele

no route to host

Submitted by aciu on Sat, 03/04/2006 - 07:38.

Se da un router cu OpenBSD 3.8, cu pf configurat minimal.

ext_if="dc0"
int_if="xl0"

tcp_services = "{22, 113}"
icmp_types = "echoreq"
priv_nets = "{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"

#options
set block-policy return
#set loginterface $ext_if

#scrub
scrub in all

#nat/redirect
nat on $ext_if from $int_if:network to any ->$ext_if
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#filter rules
block all
pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services 
        flags S/SA keep state
pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy 
        flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state

setari in ordine in rc.conf, sysctl.conf, merge impecabil...pana la un moment, in care orice conexiune cade, si spre exterior si spre reteaua locala, ping imi spune
PING x.x.x.x (x.x.x.x): 56 data bytes
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
64 bytes from x.x.x.x: icmp_seq=7 ttl=255 time=0.684 ms
64 bytes from x.x.x.x icmp_seq=8 ttl=255 time=0.306 ms
Am schimbat calculatorul cu rol de router, am reinstalat OpenBSD, problema persista si deja devine stresanta...

‹ Default page legare retea 2 calc - unul are inet ›
»

no route to host

Submitted by Aries on Mon, 03/06/2006 - 17:34.

Regulile sunt ok.
Cind ai schimbat calculatorul ai schimbat si placile de retea ? Vezi sa nu fie ceva fizic totusi, cablul, vreun switch etc..

no route to host

Submitted by aciu on Tue, 03/07/2006 - 08:52.

Am schimbat sistemul cu totul. Pe primul erau 2 realtek 8139, pe asta am un 3com si un intel...
Am pus un pf.conf din care am scos toate filtrele, am lasat doar nat si rdr, am pus "pass all" si merge fara probleme, nu cred sa fie o problema fizica...

no route to host

Submitted by Aries on Tue, 03/07/2006 - 11:21.

Ok... da atunci mai multe detalii. Ip-urile cit de cit si configuratia retelei, unde se afla router-ul si switch-urile.

no route to host

Submitted by aciu on Tue, 03/07/2006 - 11:31.

OK. E o retea de cartier, fiecare membru are ip din clasa 192.168.4. Am primit un IP de la ISP: 83.166.x.y prin care toate calculatoarele au iesire la internet. Au mai fost cumparate 32IP publice, inca nefolosite.
Am

nat on $ext_if from $int_if:network to any -> 83.166.x.y
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

Problema e undeva in filtre, dupa cum am scris, in momentul in care am pus "pass all" totul functioneaza..

no route to host

Submitted by admin on Tue, 03/07/2006 - 11:37.

Apropo daca folosesti ftp-proxy adauga aceste linii:

rdr on $int_if proto tcp from any to ! (self) port 21 -> 127.0.0.1 port 8021

pass in on $ext_if inet proto tcp from port 20 to ($ext_if) 
     user proxy flags S/SA keep state

no route to host

Submitted by aciu on Tue, 03/07/2006 - 11:44.

In pf.conf ul care creeaza probleme sunt puse pentru filterle pentru ftp-proxy. (vezi primul post)

no route to host

Submitted by admin on Tue, 03/07/2006 - 12:18.

Am incercat fisierul tau de configurare (pf.conf) si functioneaza fara probleme la mine pe server :)

no route to host

Submitted by aciu on Tue, 03/07/2006 - 12:24.

Am observat ca problema apare in momentele de trafic mai intens in retea...sa fie o problema de optimizare? Am incercat si prioritizare TCP ACK, si folosirea ALTQ cu priq si cbq...dupa un timp, acceeasi problema. Am incercat si avand 2 provideri diferiti, acelasi rezultat
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
64 bytes from x.x.x.x: icmp_seq=7 ttl=255 time=0.684 ms
64 bytes from x.x.x.x icmp_seq=8 ttl=255 time=0.306 ms

:( Am obosit sa tot incerc.

no route to host

Submitted by Aries on Tue, 03/07/2006 - 13:09.

Apropo, ce sistem este ? Procesor, ram.
Si care este viteza maxima atinsa de conexiune.

Da-i de curiozitate un "netstat -m" in momentul in care ai loss-uri si pune rezultatul aici. Cu toate ca nu cred ca asta e problema.

no route to host

Submitted by admin on Tue, 03/07/2006 - 13:17.

Incerca sa adaugi in pf.conf:

set optimization aggressive

si modifica la scrub:

scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

Daca folosesti aceste reguli pt. scrub providerul tau de net (ISP) nu afla ca partajezi netul pentru mai multe calculatoare.

Cel mai bine ar fi sa simplifici pf.conf, incearca sa il refaci cu reguli mai simple si atunci iti poti da seama unde este problema.

no route to host

Submitted by aciu on Tue, 03/07/2006 - 13:44.

Nu e cazul sa ascund, providerul stie ca partajez conexiunea. Cineva zicea ceva de un loop in retea sau in filtre..desi eu n-am mai auzit pana acum de problema asta...

no route to host

Submitted by Aries on Wed, 03/08/2006 - 09:54.

Regulile in sine sunt ok nu e asta problema.
Mai fa niste teste la ore in care nu ai trafic mare, vezi ce se intimpla.

Loop in retea inseamna switch-uri legate in bucla.
---sw3---sw1---sw2---sw3--- sau variante :)
Deci nu o structura arborescenta.

no route to host

Submitted by aciu on Wed, 03/08/2006 - 11:51.

Am inteles cum e cu bucla, dar nu cred ca asta e problema, atat timp cat la filtre am "pass all" si merge bine. O sa incerc sa mai umblu pe la normalizare si sa refac prioritizarile.

no route to host

Submitted by aciu on Fri, 03/24/2006 - 11:08.

Se pare ca nu merge bine numai cu "pass all", acum problema e alta: conexiunile "ingheata" pentru cateva secunde, dupa care totul merge.Maine voi instala 2 placi Gigabit, sa vedem ce se intampla.

no route to host

Submitted by Baiazid on Mon, 03/27/2006 - 13:12.

Eu am renuntat la combinatia PF+ALTQ din cauza asta. Am si inregistrat-o ca bug la freebsd.

1. se da retea de 3 calculatoare, limitare la 192kbps cu altq/cbq sau hfsc. Totul frumos si perfect. Merge IMPECABIL de elegant

2. se da aceeasi retea cu 200 calculatoare (deci trafic). OHA. Nu mai mergea nici pingul catre mine de la oricare dintre statii. Cum scoteam tot ce e legat de altq si lasam doar PF, mergea. Dar fara limitare.

Am folosit ipfw ! Cu toate ca eram indragostit de pf

no route to host

Submitted by gheorghe on Thu, 03/30/2006 - 10:41.

Hmm... nasol, ce placi deretea folositi, ca sa stiu sa ma tin departe de ele :) Depinde foarte mult si de placile de retea si de calitatea driverului.
Nu conteaza atat de mult viteza cat chipsertul lor. Deci o placa intel sau 3com va fi mai buna decat una realtek.

/edit: Am citit topicul de la inceput, m-am lamurit.