 From:  Michael Østergaard Pedersen <michael at bytopia dot dk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Possible bug: LAN redirection via static route
 Date:  Tue, 18 May 2004 01:29:19 +0200
I have looked closer at the SSH connection between the two hosts. Maybe this 
will give you some more insight as to where the problem is.

Let -M-> indicate traffic being sent through the m0n0wall (and of course 
also the second router later)
Let -O-> indicate traffic being sent through the 192.168.1.254 router 
(without touching the m0n0wall)

So it looks like this

                 m0n0wall
                /        \
               M          M
              /            \
192.168.1.201    <-O->    192.168.1.254  --- 172.16.1.1

ICMP redirects have been sent so my host SHOULD not contact the m0n0wall at 
all. It still does for some strange reason, but that is not the issue here. 
Here is a detailed explanation of what happens:

1.  192.168.1.201 [SYN]     -M-> 172.16.1.1
2.  172.16.1.1    [SYN,ACK] -O-> 192.168.1.201
3.  192.168.1.201 [ACK]     -O-> 172.16.1.1
4.  172.16.1.1    [PSH,ACK] -O-> 192.168.1.201
.
Normal communication here back and forth. No traffic touches the m0n0wall
.
30. 172.16.1.1    [PSH,ACK] -O-> 192.168.1.201
31. 192.168.1.201 [PSH,ACK] -M-> 172.16.1.1

Packet number 31 is dropped by the m0n0wall and the connection hangs.

Could the problem be that the m0n0wall has received a SYN packet for a 
connection from 192.168.1.201, but never an ACK from 172.16.1.1. The next 
packet it sees for that connection is from 192.168.1.201 again, but that 
connection has not been established since from the m0n0wall's point of view 
it is still waiting for the ACK from 172.16.1.1 before the connection is 
established?

-Michael
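
The hypothesis in the message above, as an added example that is not part of the original post and is not m0n0wall's or its packet filter's own code: a simplified strict state table replays the numbered trace, with only the `-M->` packets visible to the firewall. The class, state names and `replay` helper are hypothetical, and the packet list is constructed from the trace in the message.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "num src dst flags path")
HOST, REMOTE = "192.168.1.201", "172.16.1.1"

# Constructed from the numbered trace in the message.
# path "M" = routed via the firewall, "O" = direct via 192.168.1.254.
TRACE = [
    Packet(1, HOST, REMOTE, {"SYN"}, "M"),
    Packet(2, REMOTE, HOST, {"SYN", "ACK"}, "O"),
    Packet(3, HOST, REMOTE, {"ACK"}, "O"),
    Packet(4, REMOTE, HOST, {"PSH", "ACK"}, "O"),
    Packet(30, REMOTE, HOST, {"PSH", "ACK"}, "O"),
    Packet(31, HOST, REMOTE, {"PSH", "ACK"}, "M"),
]

class StrictStateTable:
    """Hypothetical filter: data passes only after the full handshake was seen."""
    def __init__(self):
        self.conns = {}  # frozenset({a, b}) -> [state, initiator]

    def inspect(self, p):
        key = frozenset((p.src, p.dst))
        if key not in self.conns:
            if p.flags != {"SYN"}:
                return "drop"          # no state and not a new connection
            self.conns[key] = ["SYN_SENT", p.src]
            return "pass"
        conn = self.conns[key]
        state, initiator = conn
        from_initiator = p.src == initiator
        if state == "SYN_SENT":
            if p.flags == {"SYN", "ACK"} and not from_initiator:
                conn[0] = "SYN_ACK_SEEN"
                return "pass"
            # SYN retransmits pass; anything else is out of state
            return "pass" if p.flags == {"SYN"} and from_initiator else "drop"
        if state == "SYN_ACK_SEEN":
            if "ACK" in p.flags and from_initiator:
                conn[0] = "ESTABLISHED"
                return "pass"
            return "drop"
        return "pass"                  # ESTABLISHED

def replay(trace, symmetric=False):
    """Return (packet number, verdict) for each packet the firewall sees."""
    fw = StrictStateTable()
    return [(p.num, fw.inspect(p)) for p in trace if symmetric or p.path == "M"]

if __name__ == "__main__":
    print("asymmetric:", replay(TRACE))
    print("symmetric: ", replay(TRACE, symmetric=True))
```

With `symmetric=True` every packet crosses the firewall, which is the comparison case where the same model lets packet 31 through.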