# Routing question



## Sabrtooth (Aug 27, 2013)

Hey all, hope your evening/day fares well.

I've a relatively simple problem, but since working on another issue (unrelated and will update that one when I have a concrete answer) my brain has fried and I feel like I am doing something completely stupid.

I have a /29 from my ISP. I'm waiting for another, but it hasn't gotten here. All five of usable the IPs have been originally assigned to FreeBSD1. I organized pf to free one IP (last one in the /29) to assign to FreeBSD2_Test. Both connect directly to the ISP Modem on independent cables. 

I set up pf.conf very simply on FreeBSD2_Test as follows:


```
#!/bin/sh
# Interfaces
ext_if="de0"
int_if="de1"

#
# Options
#

set block-policy drop
set debug urgent
set limit { frags 10000, states 30000 }
set loginterface $ext_if
set optimization normal
set ruleset-optimization none
set skip on lo
set state-policy if-bound

#
# Traffic normalization
#

scrub in all no-df min-ttl 100 max-mss 1440 fragment reassemble

#
# Translation
#

nat on $ext_if from $int_if to any -> X.X.X.X/32

rdr pass on $ext_if proto { tcp, udp } from any to port 3389 -> Y.Y.Y.5

# Incoming traffic on $ext_if
pass in log all
pass out log all
```

When all is said and done, I can RDP (3389) to Y.Y.Y.5 without problem, but doing so causes both the Y.Y.Y.5 and FreeBSD2_Test to drop packets. Sometimes my RDP session breaks for good until I can flush state tables.

I get the following behaviors:

Traffic to Y.Y.Y.5 is shakey, but happens. 

When I monitor traffic on `tcpdump`, I get the following error on port 3389:

```
tcp 24 [bad hdr length 8 - too short, < 20]
```

I see traffic from other External/Internal LANs on both de0/de1. I will be triple checking for any accidental bridging or wireless between the two networks, but it's simple enough that it should have been obvious the first two times I'm looking. 

It seems that some traffic tries to go through FreeBSD1's default route to get to Y.Y.Y.5 and that's the root of my problem, but I feel like I'm losing my mind. Why wouldn't I be able to go modem to two separate hosts' LAN ports. Is it the default route? I'm pulling my hair out here!

Hope I am getting better DutchDaemon. Hope you don't have to edit this much.


----------



## junovitch@ (Aug 27, 2013)

I don't know much about PF but I do have a dumb question.  Is RDP the only protocol that you are seeing information about the header being too short?  Normally when I've seen runts or giants, i.e. packets that are too small or too big, I think of a loose cable, bad cable, or bad NIC.  But that would impact more than just RDP.


----------



## throAU (Aug 27, 2013)

I'm not big on pf syntax as I do most of my firewalling with Cisco stuff these days, but I suspect that you will need to do one to many NAT, rather than a pf redirect.  Because this is essentially what you're trying to do; rewrite the destination address on the way in, and rewrite the source address on the way back out.

I suspect what is happening is that inbound, the redirection is working just fine, but when the traffic is sent back, the source IP address doesn't match.


----------



## SirDice (Aug 27, 2013)

I hope this is for testing purposes only. You really shouldn't open RDP up to the outside world. It's not the world's safest protocol.


----------



## Sabrtooth (Aug 27, 2013)

Thanks for the responses all, no bridging going on.



			
				SirDice said:
			
		

> I hope this is for testing purposes only. You really shouldn't open RDP up to the outside world. It's not the world's safest protocol.



Correct, only for testing.



			
				throAU said:
			
		

> Because this is essentially what you're trying to do; rewrite the destination address on the way in, and rewrite the source address on the way back out.
> 
> I suspect what is happening is that inbound, the redirection is working just fine, but when the traffic is sent back, the source IP address doesn't match.



Thanks for the tip. I'm just concerned that I'm seeing the External IP address of FreeBSD1 and the internal network that it's protecting on my tcpdump of FreeBSD2_Test. I just confirmed this morning that there is no area the two physically or wirelessly bridge except at the modem. The Modem only plugs into WAN ports.



			
				junovitch said:
			
		

> I think of a loose cable, bad cable, or bad NIC.  But that would impact more than just RDP.



Not just RDP, correct. However these are all new cables. I'm highly suspicious that the problem is the fact that the return communication sometimes attempts to return over the FreeBSD1 router.


----------



## Sabrtooth (Aug 27, 2013)

throAU said:
			
		

> I suspect what is happening is that inbound, the redirection is working just fine, but when the traffic is sent back, the source IP address doesn't match.



Clearly, at this point, I'm seeing traffic come in correctly, but traffic leaving is attempting to communicate with FreeBSD1 to pass, but I don't see how yet.

Traffic is clearly coming in on the external IP address for FreeBSD1 on the FreeBSD2_Test external interface intended for the the internal network protected by FreeBSD1's firewall.


----------



## Sabrtooth (Aug 27, 2013)

You Sir, can have all my Internets. 


			
				throAU said:
			
		

> I suspect what is happening is that inbound, the redirection is working just fine, but when the traffic is sent back, the source IP address doesn't match.



So basically, FreeBSD1 was set to /24 rather than /29 - Thus the communication being visible.

As for our routing issue, a typo meant I was only allowing NAT from the host IP, not the entire network. Thanks `pfctl -s nat`. 

Thanks for the tip off, good sir!


----------

