Unfortunately, we had to roll back to 1.231 today. 1.3b2 isn't ready
for prime time yet, at least as far as ICMP and UDP traffic are
concerned. In addition to the issues listed in my original email, we
had these issues:
1. Our NMS system was unable to communicate via SNMP (UDP 161) to a few
devices on the inside leg of our Monowall. We have a very simple rule
set, so we are certain that it was not an error in the firewall rules
that caused this issue. This problem only occurred when attempting to
communicate to three switches on the subnet. Our NMS could successfully
communicate to 13 access points and 10 switches via SNMP, but not the
last three. The firewall log showed that the replies from these devices
were being blocked by the Monowall. Traces ran on the NMS itself showed
that no packets were being received. This was a really strange issue.
(Yes, we are running a captive portal, but IP Pass-through is enabled
for anything destined to our NMS IP address.)
2. An application (ping plotter) running continuous traceroutes (ICMP)
through Monowall was having periods of packet loss at hops beyond
Monowall. Initially, I thought we were having packet loss at this hop.
This application graphs the results and these graphs looked as though
packets were being dropped at regular intervals at this third hop beyond
Monowall. (All packets would make it for about 10 seconds, then all
packets would be dropped for about 10 seconds.) Oddly, the firewall log
showed that these icmp packets were being dropped at similar intervals.
3. A captive portal user uses the Cisco VPN client to connect to their
corporate network. This VPN client used UDP 4500 (I believe) to
initiate the connection. Even though no rules existed which would block
this traffic, it was being blocked from going out at the firewall (and
I loaded version 1.231 and all these issues disappeared without any
further configuration changes.
From: Paul Taylor [mailto:PaulTaylor at winn dash dixie dot com]
Sent: Thursday, April 12, 2007 1:15 AM
To: m0n0wall dash dev at lists dot m0n0 dot ch
Subject: [m0n0wall-dev] FreeBSD 6 beta possible bug w/ per-user
We've just loaded the voucher version of 1.3b2 on our production
Monowall and are encountering a few minor issues.
1. With "Enable per-user bandwidth restriction" enabled, the Captive
Portal Status screen shows "0 bytes" in the Download column at all times
for each user that logs in. The Upload column increments normally as
the user uses the captive portal. With the per-user option unchecked,
the Download column increments as expected.
2. "Enable per-user bandwidth restriction" only appears to work on the
upload setting. In our case, both upload and download were set to 512.
A visit to speedtest.net results in close to 512K uploads, but the
downloads are on the order of 9 Megabit (which is the top end of our
traffic shaping setting).
We loaded another test machine with the 1.3b2 release of Monowall
(without the voucher patch) and it seems to exhibit similar symptoms
(though we haven't been able to verify #2 yet due to some technical
issues). I believe that these issues are related though.
To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch