The problem I ran into is that access to some internet sites works fine, while access to others times out. For example, traceroute to www.apple.com is broken, whereas openbsd.org is fine.
┌──────────────┐       ┌──────────────────────┐       ┌───────────────┐
│   comcast    │       │       gateway        │       │  workstation  │
│ 23.30.51.BBB │───────│ 23.30.51.AAA (en1)   │───────│ 10.0.0.4      │
│              │       │ 10.0.0.1 (en0)       │       │               │
└──────────────┘       └──────────────────────┘       └───────────────┘
-------------------------------------------------- traceroute to www.apple.com on workstation
$ traceroute www.apple.com
traceroute to e6858.dsce9.akamaiedge.net (23.2.47.133), 64 hops max, 52 byte packets
1 10.0.0.1 (10.0.0.1) 0.534 ms 0.410 ms 0.346 ms
2 * * *
3 * * *
4 10.0.0.1 (10.0.0.1) 0.454 ms !H 0.370 ms !H 0.376 ms !H
-------------------------------------------------- traceroute to www.apple.com on gateway
# traceroute www.apple.com
traceroute to e6858.dsce9.akamaiedge.net (23.2.47.133), 64 hops max, 40 byte packets
1 * * *
2 * * *
traceroute: sendto: Host is down
3 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*
4 * * *
5 * * *
6 * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*
traceroute: sendto: Host is down
7 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
* *
8 * * *
9 * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*
traceroute: sendto: Host is down
10 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
* *
11 * * *
12 * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*
traceroute: sendto: Host is down
13 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
* *
14 * * *
15 * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*
traceroute: sendto: Host is down
16 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
* *
17 * * *
18 * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*
traceroute: sendto: Host is down
19 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
*^C
-------------------------------------------------- traceroute to openbsd.org on workstation
$ traceroute openbsd.org
traceroute to openbsd.org (129.128.5.194), 64 hops max, 52 byte packets
1 10.0.0.1 (10.0.0.1) 0.618 ms 0.346 ms 0.341 ms
2 23-30-51-BBB-static.hfc.comcastbusiness.net (23.30.51.BBB) 0.484 ms 0.477 ms 0.473 ms
3 96.120.96.29 (96.120.96.29) 8.534 ms 7.113 ms 7.731 ms
4 po-114-rur201.saltlakecity.ut.utah.comcast.net (162.151.39.25) 8.304 ms 8.558 ms 7.076 ms
5 be-2-ar01.saltlakecity.ut.utah.comcast.net (69.139.231.85) 19.201 ms 8.486 ms 11.710 ms
6 be-33660-cr02.denver.co.ibone.comcast.net (68.86.90.225) 26.080 ms 56.162 ms 57.898 ms
7 be-11724-cr02.dallas.tx.ibone.comcast.net (68.86.84.230) 34.313 ms 38.321 ms 34.319 ms
8 be-12495-pe03.1950stemmons.tx.ibone.comcast.net (68.86.85.194) 33.846 ms 33.584 ms 33.036 ms
9 50.248.117.6 (50.248.117.6) 35.474 ms 35.658 ms 39.687 ms
10 100ge12-2.core1.mci3.he.net (184.105.81.205) 52.641 ms 63.569 ms 50.444 ms
11 100ge9-2.core1.oma1.he.net (184.105.65.166) 52.396 ms 58.207 ms 57.415 ms
12 100ge8-1.core1.blp1.he.net (184.105.65.98) 53.228 ms 50.355 ms 52.272 ms
13 100ge8-2.core1.msp1.he.net (184.105.64.97) 83.555 ms 61.255 ms 52.033 ms
14 100ge10-1.core1.ywg1.he.net (184.105.64.86) 63.291 ms 63.219 ms 69.655 ms
15 10ge3-1.core1.yxe1.he.net (184.105.81.142) 69.614 ms 69.758 ms 68.824 ms
16 10ge2-1.core1.yeg1.he.net (184.105.81.146) 70.364 ms 70.983 ms 66.476 ms
17 university-of-alberta-sms.10gigabitethernet2-2.core1.yeg1.he.net (184.105.18.50) 72.018 ms 71.187 ms 70.669 ms
18 cabcore-esqgw.corenet.ualberta.ca (129.128.255.35) 71.070 ms 70.712 ms 70.959 ms
19 echadcn7k-cabcore.corenet.ualberta.ca (129.128.0.117) 70.718 ms 71.709 ms 71.652 ms
20 obsd3.srv.ualberta.ca (129.128.5.194) 70.947 ms 71.848 ms 70.541 ms
-------------------------------------------------- traceroute to openbsd.org on gateway
# traceroute openbsd.org
traceroute to openbsd.org (129.128.5.194), 64 hops max, 40 byte packets
1 23-30-51-BBB-static.hfc.comcastbusiness.net (23.30.51.BBB) 0.379 ms 0.172 ms 0.17 ms
2 96.120.96.29 (96.120.96.29) 9.518 ms 9.466 ms 7.477 ms
3 po-114-rur201.saltlakecity.ut.utah.comcast.net (162.151.39.25) 7.31 ms 7.569 ms 8.522 ms
4 be-2-ar01.saltlakecity.ut.utah.comcast.net (69.139.231.85) 7.924 ms 7.931 ms 7.759 ms
5 be-33660-cr02.denver.co.ibone.comcast.net (68.86.90.225) 19.648 ms 20.628 ms 20.532 ms
6 be-11724-cr02.dallas.tx.ibone.comcast.net (68.86.84.230) 34.11 ms 34.014 ms 33.783 ms
7 be-12495-pe03.1950stemmons.tx.ibone.comcast.net (68.86.85.194) 33.121 ms 33.09 ms 32.289 ms
8 50.248.117.6 (50.248.117.6) 35.311 ms 32.96 ms 40.489 ms
9 100ge12-2.core1.mci3.he.net (184.105.81.205) 53.725 ms 51.921 ms 48.111 ms
10 100ge9-2.core1.oma1.he.net (184.105.65.166) 51.886 ms 52.528 ms 51.832 ms
11 100ge8-1.core1.blp1.he.net (184.105.65.98) 51.354 ms 51.606 ms 51.59 ms
12 100ge8-2.core1.msp1.he.net (184.105.64.97) 52.284 ms 62.4 ms 52.947 ms
13 100ge10-1.core1.ywg1.he.net (184.105.64.86) 60.818 ms 59.514 ms 65.272 ms
14 10ge3-1.core1.yxe1.he.net (184.105.81.142) 68.768 ms 68.6 ms 73.546 ms
15 10ge2-1.core1.yeg1.he.net (184.105.81.146) 69.846 ms 69.449 ms 69.868 ms
16 university-of-alberta-sms.10gigabitethernet2-2.core1.yeg1.he.net (184.105.18.50) 70.223 ms 70.434 ms 70.198 ms
17 cabcore-esqgw.corenet.ualberta.ca (129.128.255.35) 70.301 ms 71.136 ms 71.487 ms
18 echadcn7k-cabcore.corenet.ualberta.ca (129.128.0.117) 70.601 ms 70.27 ms 70.674 ms
19 obsd3.srv.ualberta.ca (129.128.5.194) 70.243 ms 70.414 ms 70.102 ms
-------------------------------------------------- ifconfig
# ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
index 5 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 68:05:ca:41:ab:45
index 1 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1c:c0:c8:7b:fb
index 2 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 23.30.51.BBB netmask 0xfffffff8 broadcast 23.30.51.135
inet 23.30.51.CCC netmask 0xff000000 broadcast 23.255.255.255
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr 68:05:ca:01:81:70
index 3 priority 0 llprio 3
media: Ethernet autoselect (none)
status: no carrier
enc0: flags=0<>
index 4 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33172
index 6 priority 0 llprio 3
groups: pflog
-------------------------------------------------- route table
# route -n show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 23.30.51.BBB UGS 1478 78824401 - 8 em1
224/4 127.0.0.1 URS 0 24555 32768 8 lo0
10/8 10.0.0.1 UCn 30 286794 - 4 em0
10.0.0.1 68:05:ca:41:ab:45 UHLl 0 398742 - 1 em0
10.0.0.2 e8:06:88:ca:2c:89 UHLc 0 31426761 - 3 em0
10.0.0.3 00:0c:29:df:4b:24 UHLc 0 4620936 - 3 em0
10.0.0.4 00:25:00:f4:df:74 UHLc 1 1131140 - 3 em0
10.0.0.6 00:25:90:0d:1f:2b UHLc 0 53813 - 3 em0
10.0.0.7 a4:bf:01:0e:5a:82 UHLc 0 467144 - 3 em0
10.0.0.8 08:00:06:70:e6:88 UHLc 0 279622 - 3 em0
10.0.0.11 00:15:17:fd:c5:28 UHLc 0 148492 - 3 em0
10.0.0.18 00:15:17:26:66:ac UHLc 0 15678 - 3 em0
10.0.0.34 00:50:c2:47:8a:f3 UHLc 0 97799 - 3 em0
10.0.0.102 00:1f:f3:c9:07:22 UHLc 0 266047 - 3 em0
10.0.0.105 00:1e:52:88:2e:eb UHLc 0 675107 - 3 em0
10.0.0.111 88:6b:6e:e9:7d:a2 UHLc 0 285736 - 3 em0
10.0.0.112 00:3e:e1:c3:50:82 UHLc 0 268394 - 3 em0
10.0.0.118 00:0c:29:0b:ea:07 UHLc 0 282754 - 3 em0
10.0.0.119 38:c9:86:0a:8e:c4 UHLc 0 2173883 - 3 em0
10.0.0.126 00:13:20:d3:1c:0e UHLc 0 55388 - 3 em0
10.0.0.140 d8:30:62:49:8a:38 UHLc 0 272489 - 3 em0
10.0.0.144 00:03:ea:11:3c:ab UHLc 0 98439 - 3 em0
10.0.0.147 00:30:18:c9:44:db UHLc 0 196593 - 3 em0
10.0.0.148 00:1f:f3:c9:07:22 UHLc 0 268643 - 3 em0
10.0.0.149 f0:9f:c2:7f:bb:08 UHLc 0 3877 - 3 em0
10.0.0.151 f0:9f:c2:7f:26:c7 UHLc 0 3881 - 3 em0
10.0.0.158 78:8a:20:fa:8d:15 UHLc 1 13231 - 3 em0
10.0.0.159 3c:07:54:5b:83:97 UHLc 0 267368 - 3 em0
10.0.0.161 78:8a:20:47:ee:c9 UHLc 0 3637 - 3 em0
10.0.0.166 34:68:95:43:60:6d UHLc 0 203883 - 3 em0
10.0.0.176 00:23:df:fd:7d:28 UHLc 0 1109454 - 3 em0
10.0.0.177 00:07:e9:2f:5a:43 UHLc 0 13899 - 3 em0
10.0.0.179 90:72:40:08:52:aa UHLc 0 285996 - 3 em0
10.0.0.255 link#1 UHLc 0 286789 - 3 em0
10.255.255.255 10.0.0.1 UHb 0 27172 - 1 em0
23/8 23.30.51.CCC UCn 2 5 - 4 em1
23.2.168.6 link#2 UHRLc 0 15 - 3 em1
23.30.51.EEE/29 23.30.51.AAA UCn 1 31897 - 4 em1
23.30.51.AAA 00:1c:c0:c8:7b:fb UHLl 0 430651 - 1 em1
23.30.51.CCC 00:1c:c0:c8:7b:fb UHLl 0 1545 - 1 em1
23.30.51.BBB 6c:b0:ce:60:77:fb UHLch 2 53257 - 3 em1
23.30.51.DDD 23.30.51.AAA UHb 0 7866 - 1 em1
23.111.152.74 link#2 UHLc 0 6 - 3 em1
23.255.255.255 23.30.51.CCC UHb 0 0 - 1 em1
123.183.209.137 23.30.51.BBB UGHD 2 78822691 - L 8 em1
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 1 106 32768 1 lo0
Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/96 ::1 UGRS 0 0 32768 8 lo0
::/104 ::1 UGRS 0 0 32768 8 lo0
::1 ::1 UHhl 14 28 32768 1 lo0
::127.0.0.0/104 ::1 UGRS 0 0 32768 8 lo0
::224.0.0.0/100 ::1 UGRS 0 0 32768 8 lo0
::255.0.0.0/104 ::1 UGRS 0 0 32768 8 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32768 8 lo0
2002::/24 ::1 UGRS 0 0 32768 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 32768 8 lo0
2002:e000::/20 ::1 UGRS 0 0 32768 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 32768 8 lo0
fe80::/10 ::1 UGRS 0 0 32768 8 lo0
fec0::/10 ::1 UGRS 0 0 32768 8 lo0
fe80::1%lo0 fe80::1%lo0 UHl 0 0 32768 1 lo0
ff01::/16 ::1 UGRS 0 0 32768 8 lo0
ff01::%lo0/32 ::1 Um 0 1 32768 4 lo0
ff02::/16 ::1 UGRS 0 0 32768 8 lo0
ff02::%lo0/32 ::1 Um 0 1 32768 4 lo0
-------------------------------------------------- /etc/mygate
# cat /etc/mygate
23.30.51.BBB
-------------------------------------------------- /etc/pf.conf
int_if = "em0"
cable_if = "em1"
cable_gw = "23.30.51.BBB"
ext_if = "{" $cable_if "}"
gateway_ip_ext = "{ 23.30.51.AAA }"
gateway_ip_int = "{ 10.0.0.1 }"
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# outgoing
pass out log on $cable_if from $int_if:network to any nat-to $gateway_ip_ext
-------------------------------------------------- pf rules
# pfctl -s rules
block return all
pass all flags S/SA
pass out log on em1 inet from 10.0.0.0/8 to any flags S/SA nat-to 23.30.51.AAA
-------------------------------------------------- /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
The netmask for the IP alias 23.30.51.CCC is too wide. It should be 255.255.255.255.
The netmask of IP 23.30.51.CCC should be the same as that of 23.30.51.BB: 255.255.255.248
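
Why the alias netmask breaks only some sites, as an added example that is not part of the original posts: it rebuilds the connected routes from the `ifconfig` netmasks and does a longest-prefix lookup for the two traceroute targets, then repeats it with each answer's netmask. Assumptions: the last octets `.129` and `.130` are constructed stand-ins for the redacted addresses on em1, and the function names are hypothetical.

```python
import ipaddress

def connected_net(addr, hexmask):
    """Network that an `inet ADDR netmask 0x...` line from ifconfig puts on-link."""
    mask = ipaddress.IPv4Address(int(hexmask, 16))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def build_routes(addrs):
    """addrs: (iface, addr, hexmask) tuples. Returns (network, iface, kind) routes."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "em1", "default")]
    for iface, addr, hexmask in addrs:
        routes.append((connected_net(addr, hexmask), iface, "connected"))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)

def overbroad(addrs):
    """Addresses whose on-link network swallows a real subnet on the same interface."""
    nets = [(i, a, connected_net(a, m)) for i, a, m in addrs]
    return [(i, a, str(n)) for i, a, n in nets
            if any(i == j and o != n and o.prefixlen < 32 and o.subnet_of(n)
                   for j, _, o in nets)]

# Constructed sample: netmasks are the ones in the posted ifconfig output;
# .129 / .130 replace the redacted last octets.
AS_POSTED = [("em0", "10.0.0.1", "0xff000000"),
             ("em1", "23.30.51.129", "0xfffffff8"),
             ("em1", "23.30.51.130", "0xff000000")]   # alias with a /8 mask
FIX_HOST = AS_POSTED[:2] + [("em1", "23.30.51.130", "0xffffffff")]  # first answer
FIX_29 = AS_POSTED[:2] + [("em1", "23.30.51.130", "0xfffffff8")]    # second answer

if __name__ == "__main__":
    for name, addrs in (("as posted", AS_POSTED), ("/32 alias", FIX_HOST),
                        ("/29 alias", FIX_29)):
        routes = build_routes(addrs)
        for dst in ("23.2.47.133", "129.128.5.194"):   # apple (Akamai), openbsd.org
            net, iface, kind = lookup(routes, dst)
            print(f"{name:10} {dst:15} -> {net} {kind} on {iface}")
        print(f"{name:10} over-broad addresses: {overbroad(addrs)}")
```

With the posted configuration, 23.2.47.133 matches the connected 23/8 route, so the gateway tries to resolve it on-link over em1 instead of forwarding it to the default gateway, which is consistent with the `sendto: Host is down` errors; 129.128.5.194 falls through to the default route.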