
OpenBSD routing problem: some sites work fine, others time out

The problem I'm having is that access to some Internet sites works fine, while access to others times out. For example, traceroute to www.apple.com is broken, whereas openbsd.org is fine.

┌──────────────┐       ┌──────────────────────┐       ┌───────────────┐
│   comcast    │       │       gateway        │       │  workstation  │
│ 23.30.51.BBB │───────│  23.30.51.AAA (en1)  │───────│   10.0.0.4    │
│              │       │    10.0.0.1 (en0)    │       │               │
└──────────────┘       └──────────────────────┘       └───────────────┘


-------------------------------------------------- traceroute to www.apple.com on workstation

$ traceroute www.apple.com
traceroute to e6858.dsce9.akamaiedge.net (23.2.47.133), 64 hops max, 52 byte packets
 1  10.0.0.1 (10.0.0.1)  0.534 ms  0.410 ms  0.346 ms
 2  * * *
 3  * * *
 4  10.0.0.1 (10.0.0.1)  0.454 ms !H  0.370 ms !H  0.376 ms !H


-------------------------------------------------- traceroute to www.apple.com on gateway

# traceroute www.apple.com 
traceroute to e6858.dsce9.akamaiedge.net (23.2.47.133), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
traceroute: sendto: Host is down
 3 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *
 4  * * *
 5  * * *
 6  * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *
traceroute: sendto: Host is down
 7 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 * *
 8  * * *
 9  * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *
traceroute: sendto: Host is down
10 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 * *
11  * * *
12  * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *
traceroute: sendto: Host is down
13 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 * *
14  * * *
15  * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *
traceroute: sendto: Host is down
16 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 * *
17  * * *
18  * *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *
traceroute: sendto: Host is down
19 traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *traceroute: sendto: Host is down
traceroute: wrote e6858.dsce9.akamaiedge.net 40 chars, ret=-1
 *^C


-------------------------------------------------- traceroute to openbsd.org on workstation

$ traceroute openbsd.org
traceroute to openbsd.org (129.128.5.194), 64 hops max, 52 byte packets
 1  10.0.0.1 (10.0.0.1)  0.618 ms  0.346 ms  0.341 ms
 2  23-30-51-BBB-static.hfc.comcastbusiness.net (23.30.51.BBB)  0.484 ms  0.477 ms  0.473 ms
 3  96.120.96.29 (96.120.96.29)  8.534 ms  7.113 ms  7.731 ms
 4  po-114-rur201.saltlakecity.ut.utah.comcast.net (162.151.39.25)  8.304 ms  8.558 ms  7.076 ms
 5  be-2-ar01.saltlakecity.ut.utah.comcast.net (69.139.231.85)  19.201 ms  8.486 ms  11.710 ms
 6  be-33660-cr02.denver.co.ibone.comcast.net (68.86.90.225)  26.080 ms  56.162 ms  57.898 ms
 7  be-11724-cr02.dallas.tx.ibone.comcast.net (68.86.84.230)  34.313 ms  38.321 ms  34.319 ms
 8  be-12495-pe03.1950stemmons.tx.ibone.comcast.net (68.86.85.194)  33.846 ms  33.584 ms  33.036 ms
 9  50.248.117.6 (50.248.117.6)  35.474 ms  35.658 ms  39.687 ms
10  100ge12-2.core1.mci3.he.net (184.105.81.205)  52.641 ms  63.569 ms  50.444 ms
11  100ge9-2.core1.oma1.he.net (184.105.65.166)  52.396 ms  58.207 ms  57.415 ms
12  100ge8-1.core1.blp1.he.net (184.105.65.98)  53.228 ms  50.355 ms  52.272 ms
13  100ge8-2.core1.msp1.he.net (184.105.64.97)  83.555 ms  61.255 ms  52.033 ms
14  100ge10-1.core1.ywg1.he.net (184.105.64.86)  63.291 ms  63.219 ms  69.655 ms
15  10ge3-1.core1.yxe1.he.net (184.105.81.142)  69.614 ms  69.758 ms  68.824 ms
16  10ge2-1.core1.yeg1.he.net (184.105.81.146)  70.364 ms  70.983 ms  66.476 ms
17  university-of-alberta-sms.10gigabitethernet2-2.core1.yeg1.he.net (184.105.18.50)  72.018 ms  71.187 ms  70.669 ms
18  cabcore-esqgw.corenet.ualberta.ca (129.128.255.35)  71.070 ms  70.712 ms  70.959 ms
19  echadcn7k-cabcore.corenet.ualberta.ca (129.128.0.117)  70.718 ms  71.709 ms  71.652 ms
20  obsd3.srv.ualberta.ca (129.128.5.194)  70.947 ms  71.848 ms  70.541 ms


-------------------------------------------------- traceroute to openbsd.org on gateway

# traceroute openbsd.org
traceroute to openbsd.org (129.128.5.194), 64 hops max, 40 byte packets
 1  23-30-51-BBB-static.hfc.comcastbusiness.net (23.30.51.BBB)  0.379 ms  0.172 ms  0.17 ms
 2  96.120.96.29 (96.120.96.29)  9.518 ms  9.466 ms  7.477 ms
 3  po-114-rur201.saltlakecity.ut.utah.comcast.net (162.151.39.25)  7.31 ms  7.569 ms  8.522 ms
 4  be-2-ar01.saltlakecity.ut.utah.comcast.net (69.139.231.85)  7.924 ms  7.931 ms  7.759 ms
 5  be-33660-cr02.denver.co.ibone.comcast.net (68.86.90.225)  19.648 ms  20.628 ms  20.532 ms
 6  be-11724-cr02.dallas.tx.ibone.comcast.net (68.86.84.230)  34.11 ms  34.014 ms  33.783 ms
 7  be-12495-pe03.1950stemmons.tx.ibone.comcast.net (68.86.85.194)  33.121 ms  33.09 ms  32.289 ms
 8  50.248.117.6 (50.248.117.6)  35.311 ms  32.96 ms  40.489 ms
 9  100ge12-2.core1.mci3.he.net (184.105.81.205)  53.725 ms  51.921 ms  48.111 ms
10  100ge9-2.core1.oma1.he.net (184.105.65.166)  51.886 ms  52.528 ms  51.832 ms
11  100ge8-1.core1.blp1.he.net (184.105.65.98)  51.354 ms  51.606 ms  51.59 ms
12  100ge8-2.core1.msp1.he.net (184.105.64.97)  52.284 ms  62.4 ms  52.947 ms
13  100ge10-1.core1.ywg1.he.net (184.105.64.86)  60.818 ms  59.514 ms  65.272 ms
14  10ge3-1.core1.yxe1.he.net (184.105.81.142)  68.768 ms  68.6 ms  73.546 ms
15  10ge2-1.core1.yeg1.he.net (184.105.81.146)  69.846 ms  69.449 ms  69.868 ms
16  university-of-alberta-sms.10gigabitethernet2-2.core1.yeg1.he.net (184.105.18.50)  70.223 ms  70.434 ms  70.198 ms
17  cabcore-esqgw.corenet.ualberta.ca (129.128.255.35)  70.301 ms  71.136 ms  71.487 ms
18  echadcn7k-cabcore.corenet.ualberta.ca (129.128.0.117)  70.601 ms  70.27 ms  70.674 ms
19  obsd3.srv.ualberta.ca (129.128.5.194)  70.243 ms  70.414 ms  70.102 ms


-------------------------------------------------- ifconfig

# ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 5 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 68:05:ca:41:ab:45
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1c:c0:c8:7b:fb
        index 2 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 23.30.51.BBB netmask 0xfffffff8 broadcast 23.30.51.135
        inet 23.30.51.CCC netmask 0xff000000 broadcast 23.255.255.255
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 68:05:ca:01:81:70
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=0<>
        index 4 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33172
        index 6 priority 0 llprio 3
        groups: pflog


-------------------------------------------------- route table

# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            23.30.51.BBB       UGS     1478 78824401     -     8 em1  
224/4              127.0.0.1          URS        0    24555 32768     8 lo0  
10/8               10.0.0.1           UCn       30   286794     -     4 em0  
10.0.0.1           68:05:ca:41:ab:45  UHLl       0   398742     -     1 em0  
10.0.0.2           e8:06:88:ca:2c:89  UHLc       0 31426761     -     3 em0  
10.0.0.3           00:0c:29:df:4b:24  UHLc       0  4620936     -     3 em0  
10.0.0.4           00:25:00:f4:df:74  UHLc       1  1131140     -     3 em0  
10.0.0.6           00:25:90:0d:1f:2b  UHLc       0    53813     -     3 em0  
10.0.0.7           a4:bf:01:0e:5a:82  UHLc       0   467144     -     3 em0  
10.0.0.8           08:00:06:70:e6:88  UHLc       0   279622     -     3 em0  
10.0.0.11          00:15:17:fd:c5:28  UHLc       0   148492     -     3 em0  
10.0.0.18          00:15:17:26:66:ac  UHLc       0    15678     -     3 em0  
10.0.0.34          00:50:c2:47:8a:f3  UHLc       0    97799     -     3 em0  
10.0.0.102         00:1f:f3:c9:07:22  UHLc       0   266047     -     3 em0  
10.0.0.105         00:1e:52:88:2e:eb  UHLc       0   675107     -     3 em0  
10.0.0.111         88:6b:6e:e9:7d:a2  UHLc       0   285736     -     3 em0  
10.0.0.112         00:3e:e1:c3:50:82  UHLc       0   268394     -     3 em0  
10.0.0.118         00:0c:29:0b:ea:07  UHLc       0   282754     -     3 em0  
10.0.0.119         38:c9:86:0a:8e:c4  UHLc       0  2173883     -     3 em0  
10.0.0.126         00:13:20:d3:1c:0e  UHLc       0    55388     -     3 em0  
10.0.0.140         d8:30:62:49:8a:38  UHLc       0   272489     -     3 em0  
10.0.0.144         00:03:ea:11:3c:ab  UHLc       0    98439     -     3 em0  
10.0.0.147         00:30:18:c9:44:db  UHLc       0   196593     -     3 em0  
10.0.0.148         00:1f:f3:c9:07:22  UHLc       0   268643     -     3 em0  
10.0.0.149         f0:9f:c2:7f:bb:08  UHLc       0     3877     -     3 em0  
10.0.0.151         f0:9f:c2:7f:26:c7  UHLc       0     3881     -     3 em0  
10.0.0.158         78:8a:20:fa:8d:15  UHLc       1    13231     -     3 em0  
10.0.0.159         3c:07:54:5b:83:97  UHLc       0   267368     -     3 em0  
10.0.0.161         78:8a:20:47:ee:c9  UHLc       0     3637     -     3 em0  
10.0.0.166         34:68:95:43:60:6d  UHLc       0   203883     -     3 em0  
10.0.0.176         00:23:df:fd:7d:28  UHLc       0  1109454     -     3 em0  
10.0.0.177         00:07:e9:2f:5a:43  UHLc       0    13899     -     3 em0  
10.0.0.179         90:72:40:08:52:aa  UHLc       0   285996     -     3 em0  
10.0.0.255         link#1             UHLc       0   286789     -     3 em0  
10.255.255.255     10.0.0.1           UHb        0    27172     -     1 em0  
23/8               23.30.51.CCC       UCn        2        5     -     4 em1  
23.2.168.6         link#2             UHRLc      0       15     -     3 em1  
23.30.51.EEE/29    23.30.51.AAA       UCn        1    31897     -     4 em1  
23.30.51.AAA       00:1c:c0:c8:7b:fb  UHLl       0   430651     -     1 em1  
23.30.51.CCC       00:1c:c0:c8:7b:fb  UHLl       0     1545     -     1 em1  
23.30.51.BBB       6c:b0:ce:60:77:fb  UHLch      2    53257     -     3 em1  
23.30.51.DDD       23.30.51.AAA       UHb        0     7866     -     1 em1  
23.111.152.74      link#2             UHLc       0        6     -     3 em1  
23.255.255.255     23.30.51.CCC       UHb        0        0     -     1 em1  
123.183.209.137    23.30.51.BBB       UGHD       2 78822691     - L   8 em1  
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0  
127.0.0.1          127.0.0.1          UHhl       1      106 32768     1 lo0  

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/96                              ::1                            UGRS       0        0 32768     8 lo0  
::/104                             ::1                            UGRS       0        0 32768     8 lo0  
::1                                ::1                            UHhl      14       28 32768     1 lo0  
::127.0.0.0/104                    ::1                            UGRS       0        0 32768     8 lo0  
::224.0.0.0/100                    ::1                            UGRS       0        0 32768     8 lo0  
::255.0.0.0/104                    ::1                            UGRS       0        0 32768     8 lo0  
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0 32768     8 lo0  
2002::/24                          ::1                            UGRS       0        0 32768     8 lo0  
2002:7f00::/24                     ::1                            UGRS       0        0 32768     8 lo0  
2002:e000::/20                     ::1                            UGRS       0        0 32768     8 lo0  
2002:ff00::/24                     ::1                            UGRS       0        0 32768     8 lo0  
fe80::/10                          ::1                            UGRS       0        0 32768     8 lo0  
fec0::/10                          ::1                            UGRS       0        0 32768     8 lo0  
fe80::1%lo0                        fe80::1%lo0                    UHl        0        0 32768     1 lo0  
ff01::/16                          ::1                            UGRS       0        0 32768     8 lo0  
ff01::%lo0/32                      ::1                            Um         0        1 32768     4 lo0  
ff02::/16                          ::1                            UGRS       0        0 32768     8 lo0  
ff02::%lo0/32                      ::1                            Um         0        1 32768     4 lo0  


-------------------------------------------------- /etc/mygate

# cat /etc/mygate
23.30.51.BBB


-------------------------------------------------- /etc/pf.conf

int_if = "em0"

cable_if = "em1"
cable_gw = "23.30.51.BBB"

ext_if = "{" $cable_if "}"

gateway_ip_ext = "{ 23.30.51.AAA }"
gateway_ip_int = "{ 10.0.0.1 }"

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# outgoing
pass out log on $cable_if from $int_if:network to any nat-to $gateway_ip_ext


-------------------------------------------------- pf rules

# pfctl -s rules
block return all
pass all flags S/SA
pass out log on em1 inet from 10.0.0.0/8 to any flags S/SA nat-to 23.30.51.AAA


-------------------------------------------------- /etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

https://pastebin.com/J5CAK0gJ

The netmask for the IP alias 23.30.51.CCC is too large. It should be 255.255.255.255.

The netmask of IP 23.30.51.CCC should be the same as that of 23.30.51.BB: 255.255.255.248
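
An added example, not part of the original question or answers: a small longest-prefix-match model of the gateway's IPv4 table, showing why the alias netmask 0xff000000 puts 23.2.47.133 (www.apple.com) on-link on em1 via the connected 23/8 route while 129.128.5.194 (openbsd.org) still uses the default route, and how either suggested netmask changes that. The last octets of the 23.30.51.x addresses are redacted on the page, so the values below are constructed stand-ins, and the table is a simplified assumption that keeps only the default and connected routes.

```python
import ipaddress

# Constructed stand-ins: the page redacts the last octets (AAA/BBB/CCC). Any hosts in
# 23.30.51.128/29 (implied by the em1 broadcast 23.30.51.135) behave the same way.
GW_ADDR = "23.30.51.129"   # stand-in for 23.30.51.AAA, gateway address on em1
ISP_HOP = "23.30.51.134"   # stand-in for 23.30.51.BBB, default route from /etc/mygate
ALIAS = "23.30.51.130"     # stand-in for 23.30.51.CCC, alias on em1

# Destinations taken from the traceroute output on the page.
DESTS = {"www.apple.com": "23.2.47.133", "openbsd.org": "129.128.5.194"}


def connected(addr, hexmask, iface):
    """Connected route created by an address with an ifconfig-style hex netmask."""
    mask = ipaddress.IPv4Address(int(hexmask, 16))
    net = ipaddress.ip_interface(f"{addr}/{mask}").network
    return (net, "on-link", iface)


def build_table(alias_mask):
    """Simplified model of the gateway's IPv4 table for a given alias netmask."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), ISP_HOP, "em1"),
        connected("10.0.0.1", "0xff000000", "em0"),
        connected(GW_ADDR, "0xfffffff8", "em1"),
        connected(ALIAS, alias_mask, "em1"),
    ]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen)


def report(alias_mask):
    """Map each destination to (matching route, next hop) for the given alias mask."""
    table = build_table(alias_mask)
    return {name: (str(lookup(table, dst)[0]), lookup(table, dst)[1])
            for name, dst in DESTS.items()}


if __name__ == "__main__":
    for mask in ("0xff000000", "0xffffffff", "0xfffffff8"):
        print(mask, report(mask))
```

With the /8 alias mask the gateway tries to resolve the destination directly on em1 instead of forwarding to the ISP hop, which is consistent with the `23/8 ... UCn` entry in the route table and the `sendto: Host is down` errors in the gateway's traceroute.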