Hi,
A few things here.
Comcast does NOT use a 9000 MTU, so don't try to use that.
They sadly ONLY support 1500.
If you force a 9000 MTU, you will only create fragments.
You can find it if you search for it as well.
https://forums.xfinity.com/conversations/your-home-network/mtu-size/602db12cc5375f08cd47b1ad
Also, if you actually want to use the martian table, make it complete;
it is also available if you search for the reserved IPs.
table <reserved> const { 0/8, 10/8, 100.64/10, 127/8, 169.254/16, \
172.16/12, 192/24, 192.0.2/24, 192.168/16, 198.18/15, 198.51.100/24, \
203.0.113/24, 224/4, 240/4, 255.255.255.255/32 }
Daniel
On 9/8/23 9:41 PM, Amarendra Godbole wrote:
On Fri, Jun 23, 2023 at 6:18 PM David Gwynne <[email protected]> wrote:
looks good to me after a quick read.
On 23 Jun 2023, at 12:15, Amarendra Godbole <[email protected]> wrote:
I am planning to experiment with veb on my PC Engines apu2e4 board. It
has three ports (em0, 1 and 2). Current configuration has em0 hooked
up to cable modem, while em1 and em2 are internal LAN. I don't have a
good ability to troubleshoot via a serial console, since the apu board
sits in the garage on top of a cabinet -- running serial cable to a
laptop is challenging, though not impossible. So I am looking for
feedback so as to keep this troubleshooting time minimal.
[...]
Thanks for the review, David. I finally managed to find a window when
my family was away from the internet, so I could experiment. :-) My
internet is delivered via Comcast cable modem, hooked to the APU's em0
port. A Ruckus wireless AP connects to em1.
Here is a fully working configuration:
$ cat hostname.em0
dhcp description "comcast uplink"
$ cat hostname.em1
mtu 9000
up
$ cat hostname.em2
mtu 9000
up
$ cat hostname.veb0
add em1
add em2
add vport0
link0
up
$ cat hostname.vport0
inet 192.168.1.1 255.255.255.0 192.168.1.255
mtu 9000
group internal
up
$ cat pf.conf
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
antispoof quick for egress
block in from no-route
block in quick from urpf-failed
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
match out on egress nat-to (egress)
pass out quick inet
pass in on internal inet
block return in quick on internal proto { udp tcp } to ! internal port { domain domain-s }
$ cat rc.conf.local
dhcpd_flags=vport0
unbound_flags=
unbound_timeout=240
$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
index 5 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
em0: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
lladdr 00:0d:b9:56:f4:fc
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 98.35.243.87 netmask 0xffffff00 broadcast 98.35.243.255
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 9000
lladdr 00:0d:b9:56:f4:fd
index 2 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
em2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 9000
lladdr 00:0d:b9:56:f4:fe
index 3 priority 0 llprio 3
media: Ethernet autoselect (none)
status: no carrier
enc0: flags=0<>
index 4 priority 0 llprio 3
groups: enc
status: active
veb0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST>
index 6 llprio 3
groups: veb
em1 flags=3<LEARNING,DISCOVER>
port 2 ifpriority 0 ifcost 0
em2 flags=3<LEARNING,DISCOVER>
port 3 ifpriority 0 ifcost 0
vport0 flags=3<LEARNING,DISCOVER>
port 7 ifpriority 0 ifcost 0
vport0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 9000
lladdr fe:e1:ba:d0:18:bd
index 7 priority 0 llprio 3
groups: vport internal
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
index 8 priority 0 llprio 3
groups: pflog
Thanks.
-Amarendra
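An added check for the "make the martian table complete" point above (example code written for this note, not part of the thread or of OpenBSD): it expands pf.conf prefix shorthand such as 10/8 or 172.16/12, then reports which parts of the fuller <reserved> table the posted <martians> table does not block. Both tables are copied from the thread with their line continuations reflowed.

```python
import ipaddress

# Tables copied from the thread: the <martians> table posted in pf.conf and the
# fuller <reserved> table suggested in the reply (whitespace reflowed).
POSTED = """table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \\
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \\
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \\
203.0.113.0/24 }"""
SUGGESTED = """table <reserved> const { 0/8, 10/8, 100.64/10, 127/8, 169.254/16, \\
172.16/12, 192/24, 192.0.2/24, 192.168/16, 198.18/15, 198.51.100/24, \\
203.0.113/24, 224/4, 240/4, 255.255.255.255/32 }"""


def parse_pf_prefix(token):
    """Expand pf.conf shorthand ('10/8', '172.16/12', '192/24') into a full IPv4 network."""
    addr, sep, plen = token.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address {token!r}")
    octets += ["0"] * (4 - len(octets))          # missing trailing octets are zero
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen if sep else 32}")


def parse_pf_table(text):
    """Return the networks listed between the braces of a 'table <name> { ... }' entry."""
    body = text[text.index("{") + 1 : text.index("}")]
    return [parse_pf_prefix(t) for t in body.replace("\\", " ").replace(",", " ").split()]


def uncovered(reference, table):
    """Parts of each reference prefix that no prefix in table covers, as strings."""
    table = list(ipaddress.collapse_addresses(table))
    gaps = []
    for ref in reference:
        todo = [ref]
        for net in table:
            remaining = []
            for chunk in todo:
                if chunk.subnet_of(net):
                    continue                          # fully covered: drop it
                if net.subnet_of(chunk):              # partly covered: keep the rest
                    remaining.extend(chunk.address_exclude(net))
                else:
                    remaining.append(chunk)           # disjoint: keep as is
            todo = remaining
        gaps.extend(todo)
    return [str(n) for n in ipaddress.collapse_addresses(gaps)]


if __name__ == "__main__":
    print("not blocked by posted table:", uncovered(parse_pf_table(SUGGESTED), parse_pf_table(POSTED)))
    print("not blocked by suggested table:", uncovered(parse_pf_table(POSTED), parse_pf_table(SUGGESTED)))
```

Run as is it shows the posted table misses only the 100.64.0.0/10 shared-address (CGNAT) range, while its 224.0.0.0/3 already covers 224/4, 240/4 and the broadcast address in the suggested list.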