Владислав Недосекин
2008-Mar-05 09:16 UTC
Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw
We are using FreeBSD as a gateway with PF. The problem is that some web sites, such as Gmail.com or Msn.com, are unavailable from machines with Vista or Server 2008 installed. If we use an external or internal proxy (Kerio WinRoute, which also goes through the same FreeBSD gw), they open correctly. Also, in version 6.1 there were problems with Skype from such machines.
Jeremy Chadwick
2008-Mar-05 10:05 UTC
Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw
On Wed, Mar 05, 2008 at 10:49:09AM +0200, Владислав Недосекин wrote:
> We are using FreeBSD as GateWay with PF.
> And the problem is that some web-sites as Gmail.com or Msn.com are
> unavailable from machines with Vista or Server 2008 installed.
> If use external or internal proxy (Kerio WinRoute, which also goes through
> the same FreeBSD gw) they are opening correctly.
> Also in 6.1 version were problems with skype from such machines.

I doubt people will be able to help you without some hard details provided. Not that anyone is denying the problem exists, but there are no details that are helpful in your report.

I'm willing to bet your pf rules are incorrect/broken; is NAT involved?

You could also try turning off RFC1323 extensions, which has helped some people in the past:

    sysctl net.inet.tcp.rfc1323=0

To disable RFC1323 extensions permanently, put this in /etc/rc.conf:

    tcp_extensions="no"

--
| Jeremy Chadwick                          jdc at parodius.com |
| Parodius Networking                http://www.parodius.com/ |
| UNIX Systems Administrator          Mountain View, CA, USA |
| Making life hard for others since 1977.      PGP: 4BD6C0CB |
Dennis Melentyev
2008-Mar-05 11:10 UTC
Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw
Hello Vladislav,

2008/3/5, Владислав Недосекин <mr.vladis@gmail.com>:
> We are using FreeBSD as GateWay with PF.
> And the problem is that some web-sites as Gmail.com or Msn.com are
> unavailable from machines with Vista or Server 2008 installed.
> If use external or internal proxy (Kerio WinRoute, which also goes through
> the same FreeBSD gw) they are opening correctly.
> Also in 6.1 version were problems with skype from such machines.

As Jeremy stated, there are too few facts to analyse. What does tcpdump show, what are the PF rules, proxy settings, authentication, etc.

Just a wild guess: is IPv6 running on the MS stations?

PS. You might get more help from the Russian/Ukrainian-speaking UAFUG mailing list. See http://uafug.org.ua for details.

--
Dennis Melentyev
Dennis Melentyev
2008-Mar-05 14:08 UTC
Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw
Hi!

Well, I'm not a PF professional, and you have a rather advanced setup. So, someone with good PF experience is needed here.

2008/3/5, Владислав Недосекин <mr.vladis@gmail.com>:
> Hi, i understand that there is too little facts to analyze, but maybe some
> one have the same problem and also i can provide you information.
> TCP dump 192.168.200.11 - ip of PC with vista
> # tcpdump | grep 192.168.200.11
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
> ^C^C^C^C3 packets captured
> 433 packets received by filter
> 0 packets dropped by kernel
> # tcpdump | grep 192.168.200.111
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
...
> 13:51:47.676471 arp who-has 192.168.200.200 (00:1d:60:ce:74:e8 (oui
> Unknown)) tell 192.168.200.111

What's that?

...
> PF.CONF
>...
> # Block Policy
> block in log all
> block in log quick from no-route to any
> block in log quick on $ext_if from <rfc1918>
> block return-icmp out log quick on $ext_if to <rfc1918>
> antispoof quick for $int_if
> antispoof quick for $ext_if
> block out from 192.168.0.146 to any

Does the log show anything interesting? I mean dropped packets.

What about SQUID's log? Some special auth? Clients insisting on HTTP/1.1? Some glitches with transparent proxying (if I get it right from your PF config)?

> i've tried
> sysctl net.inet.tcp.rfc1323=0
> but it doesn't help.
>
> And about ip6 it is disabled, but in enabled state it doesn't help.

Dropped by PF?

--
Dennis Melentyev
Mike Tancsa
2008-Mar-05 17:04 UTC
Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw
At 03:49 AM 3/5/2008, Владислав Недосекин wrote:
>We are using FreeBSD as GateWay with PF.
>And the problem is that some web-sites as Gmail.com or Msn.com are
>unavailable from machines with Vista or Server 2008 installed.
>If use external or internal proxy (Kerio WinRoute, which also goes through
>the same FreeBSD gw) they are opening correctly.
>Also in 6.1 version were problems with skype from such machines.

It's hard to say without seeing your pf rules. But I seem to recall issues with Vista where pf rules did not have keep state enabled.

---Mike
Владислав Недосекин
2008-Mar-14 20:48 UTC
Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw
Hi,

I have found which lines in pf.conf are blocking access. When I disable these lines

    pass out on $int_if tagged Q1 keep state queue q1_in
    pass out on $int_if tagged Q2 keep state queue q2_in
    pass out on $int_if tagged Q3 keep state queue q3_in
    pass out on $int_if tagged Q4 keep state queue q4_in

it goes very well.

Maybe someone could explain this situation.

With best regards,
Vladislav

2008/3/5, Mike Tancsa <mike@sentex.net>:
> At 03:49 AM 3/5/2008, Владислав Недосекин wrote:
> >We are using FreeBSD as GateWay with PF.
> >And the problem is that some web-sites as Gmail.com or Msn.com are
> >unavailable from machines with Vista or Server 2008 installed.
> >If use external or internal proxy (Kerio WinRoute, which also goes through
> >the same FreeBSD gw) they are opening correctly.
> >Also in 6.1 version were problems with skype from such machines.
>
> It's hard to say without seeing your pf rules. But I seem to recall
> issues with Vista where pf rules did not have keep state enabled.
>
> ---Mike