This is just a rough guess, but did you ever check on the state tables in your OpenBSD firewall? In your setup you have state distributed amongst your clients, your firewall, and your NAT gateway, and unless all three are in sync you can easily get the kind of possessed network behavior you describe.

On February 7, 2015 3:20:15 PM EST, Brad <bkn@ithryn.net> wrote:
(I apologize for the previous message, which was completely unreadable.)

Dear W-LUGgers,

I had some strange network-related behavior that left me baffled and I wanted
to hear some theories from more experienced network admins.

The network layout is the following. The network is pretty simple: external
traffic passes through a bridged firewall (OpenBSD, my choice) into an OS X
server (not my choice) which handles NAT/DHCP/DNS et al., and all the office
computers are DHCP clients of the OS X server. The trouble machines are Linux
(Ubuntu) desktop clients.

The scenario is the following. I was doing work on the bridged firewall
(OpenBSD) and somehow caused it to kernel panic, oopsie! So the
bridged firewall went down, thus no one had internet access. D'oh! I quickly
bounced the machine. It came back online and clients were able to access the
internet, huzzah! But the strange behavior was in two Linux machines within
the network that were not able to access some external IPs. My Linux desktop
could not access 8.8.8.8. When pinging, I could see an ARP who-has request
originating from my machine, and I could see the packet come into the OS X server.
But the request always went unanswered. The same behavior happened to another
Linux desktop, but with 192.48.178.134 (sgi.com). My desktop could ping sgi.com.
So each Linux desktop had *different* unreachable IPs. The rest of the internet
was reachable. I tried clearing the ARP cache on the OS X server, then clearing
the NAT state tables, then I rebooted the OS X server; none solved the problem.
I finally renewed the DHCP lease on my Linux desktop machine and that allowed
the ping to complete.

What would cause this behavior? Could it be a stale ARP cache on the Linux
machine? (I *should* have tried to clear the ARP cache on the Linux machine
before I renewed the DHCP lease, but I didn't think of that until after the
fact.) The Linux machine was sending out ARP who-has requests, so would a stale
cache even matter? Why would no one answer the ARP requests? I am not an expert
network admin (it's just a side job since the company is only 15 people). I
don't expect to get a resolution but I'm interested to hear any theories.

Thanks and cheers, — brad

PS. As a Worcester transplant to Boston, I am really jealous I don't live
closer to attend meetings. The topics of late sound outstanding.

Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug