Friday, July 28, 2023

Re: Routing multiple IPv4 blocks

On 2023-07-27, Polarian <polarian@polarian.dev> wrote:
> found it incredibly reliable, and ridiculously enough I get much better
> latency over A&A than the other line provided by virgin media (coaxial),
> but virgin media has always been pathetic, fast speeds, low reliability,

yeah that's about right for VM.

>> not really from just a written description. something might come to
>> mind if I see ifconfig -A, pf.conf, netstat -rnfinet, not sure though.
>
> I already posted most of this in my original email, but it does not hurt
> to include it, prepare for massive email length below this point.

You posted netstat -rnfinet from before making changes and not the others.
Seeing the whole lot together, in the form of files from the machine
itself not a description, often makes it easier to understand what's
going on.

> bse0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
..
> inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
> inet 217.169.18.57 netmask 0xfffffff8 broadcast 217.169.18.63
> inet6 fe80::dea6:32ff:fe78:ebb1%bse0 prefixlen 64 scopeid 0x1
> inet6 2001:8b0:57a:2385::1 prefixlen 64
...
> lan = "bse0"
..
> pass out on $wan inet from $lan:network to any nat-to $nataddr keep state

Here you run into a problem that's introduced by the unusual "two L3
networks on a shared L2 network" setup - you're natting 192.168.2.0/24
*and* 217.169.18.56/29. It should be 192.168.2.0/24, not $lan:network.

> ###### Port Forwards ######
>
> # Stripped, contained notes and names which again, people would not
> appreciate being posted on a public mailing list

If there's a mistake that would result in the behaviour you mentioned,
it would most likely be in this section.

> (Note: I have clearly commented everything, mainly to stop myself from
> getting confused, but also so others who read it can actually understand
> it, if any comment doesn't make sense, let me know :))

I tend to ignore comments when debugging rulesets because they can
mislead. They're useful for seeing the intent, but if the comment
doesn't match what the config actually does, it's too easy to trust the
comment.
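As an added illustration of the $lan:network point above (this is not code from the thread or from pf itself), the script below models the ":network" expansion the way the reply describes it: one network per inet address configured on the interface. It parses the bse0 ifconfig lines quoted above (constructed sample input, with the candidate source addresses also made up) and shows which sources the nat-to rule would rewrite as written versus with an explicit 192.168.2.0/24. The function and constant names are mine, not pf's.

```python
import ipaddress
import re

# Constructed sample: the bse0 inet lines quoted in the thread.
IFCONFIG_BSE0 = """\
bse0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet 217.169.18.57 netmask 0xfffffff8 broadcast 217.169.18.63
        inet6 fe80::dea6:32ff:fe78:ebb1%bse0 prefixlen 64 scopeid 0x1
"""

# Constructed candidate packet sources: a LAN host, a host in the public
# /29, and an unrelated address that must never match either rule.
CANDIDATES = ["192.168.2.50", "217.169.18.58", "8.8.8.8"]

INET_RE = re.compile(r"^\s*inet (\S+) netmask (0x[0-9a-fA-F]{8})")


def inet_networks(ifconfig_text):
    """Return the IPv4 networks attached to the interface, one per inet
    address, which is how the reply describes pf expanding ":network"
    (assumption modelled here, not pf's parser)."""
    nets = []
    for line in ifconfig_text.splitlines():
        m = INET_RE.match(line)
        if not m:
            continue
        addr, mask_hex = m.groups()
        mask = ipaddress.IPv4Address(int(mask_hex, 16))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def natted_sources(rule_sources, candidates):
    """Which candidate source addresses fall inside the rule's 'from' set."""
    return [c for c in candidates
            if any(ipaddress.ip_address(c) in net for net in rule_sources)]


def compare_rules(ifconfig_text=IFCONFIG_BSE0, candidates=CANDIDATES):
    """Return (sources natted by 'from $lan:network',
               sources natted by 'from 192.168.2.0/24')."""
    as_written = inet_networks(ifconfig_text)        # both /24 and /29
    corrected = [ipaddress.ip_network("192.168.2.0/24")]
    return natted_sources(as_written, candidates), natted_sources(corrected, candidates)


if __name__ == "__main__":
    print("bse0 networks:", [str(n) for n in inet_networks(IFCONFIG_BSE0)])
    written, fixed = compare_rules()
    print("natted with $lan:network :", written)
    print("natted with 192.168.2.0/24:", fixed)
```

Running it shows the public /29 host being rewritten under the original rule and left alone under the explicit /24, which is the behaviour the reply is pointing at.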
