#StackBounty: #windows #networking #network-shares Cannot see computers on network

Bounty: 50

I have three Windows 10 machines on a network, all on the same default workgroup, WORKGROUP.

One of them can see all three, call it Media-PC. The other two can only see each other but not Media-PC, call them desktop-1 & desktop-2.

I have turned on the following services: DNS Client, Function Discovery, SSDP Discovery and UPnP Device Host. Network discovery is turned on on all three machines. I can ping all three computers from each other.

I cannot figure out why desktop-1 & 2 can’t see Media-PC. Media-PC can see them but they can only see each other.

Hope someone can help me with this.


Get this bounty!!!

#StackBounty: #networking #server #ethernet #dhcp Networking unreachable with Ubuntu 16.10 Server and J3455B-ITX

Bounty: 50

I have a fresh install of Ubuntu 16.10 (with kernel 4.8) and the network isn’t connecting (via Ethernet). The machine is a new J3455B-ITX mobo/CPU combo.

Here’s what ifconfig shows:

enp1s0: ///
lo: ///

My /etc/network/interfaces file looks like this:

auto lo
iface lo inet loopback
#
auto enp1s0
iface enp1s0 inet dhcp
netmask 255.255.255.0

Here’s the output of service networking status:

Active: failed (Result: timeout)
Starting Raise networking interfaces...
waiting for lock on /run/network/ifstate.enp1s0
networking.service start operation timed out. terminating.
Failed to start Raise network interfaces

I’m stumped. Any ideas?



#StackBounty: #networking #windows-10 #bandwidth Windows network bandwidth issue

Bounty: 50

We have a computer (running Windows 10) with 5 ethernet ports (each 1 Gb), two of them are built-in, the other three are on two PCIe cards. Four of the ethernet ports have in total six cameras plugged into them (with two switches, so no port handles more than two cameras at once). The system was originally designed to run distributed over several computers because the cameras send uncompressed images, so there is a service running (originally on each computer) that grabs the frames and hands them over to a recording/display program (now in a compressed format).

When the system is running, the four ethernet ports are way below their theoretical limit:
(screenshot of the per-port throughput graphs, not reproduced here)

On the other hand, when looking at the service handling the incoming traffic, I see 99% usage (it was 100%, but after I set all cards to gigabit full duplex it dropped to 99%), while the actual usage is pretty much the sum of the four incoming traffic rates:

(screenshot of the service’s resource usage, not reproduced here)

As you can see, memory and CPU usage are very low, and the 800 Mb/s speed should be WAY below the capacity of the network, yet it shows 100% and the capturing program functions as if it were having serious bandwidth issues. Downscaling to four cameras (and around 600 Mb/s total) restores normal behaviour.

The strangest thing of all is that for a few trials the six cameras in total were working perfectly, so my feeling is that Windows 10 is somehow thinking we only have 1000 Mb/s of bandwidth and is trying to limit usage, which somehow kicked in later.

What am I missing?

Hardware (edit)

Motherboard: GA-X99-Designare EX

Devices listed in device manager:

  • Intel Ethernet Connection (2) I218-V
  • Intel I211 Gigabit Network Connection
  • Intel PRO/1000 PT Dual Port Server Adapter
  • Intel PRO/1000 PT Dual Port Server Adapter #2
  • Realtek PCIe GBE Family Controller

Two PCIe NICs:

  • TP LINK TG-3468
  • GigE Card PCIe Intel PRO/1000 PT Dual Port Server Adapter



#StackBounty: #linux #networking #firewall netfilter TCP/UDP conntrack RELATED state with ICMP / ICMPv6

Bounty: 50

Netfilter connection tracking is designed to identify some packets as “RELATED” to a conntrack entry.

I’m looking to find the full details of TCP and UDP conntrack entries, with respect to ICMP and ICMPv6 error packets.

Specific to IPv6 firewalling, RFC 4890 clearly describes the ICMPv6 packets that shouldn’t be dropped

http://www.ietf.org/rfc/rfc4890.txt

4.3.1. Traffic That Must Not Be Dropped

Error messages that are essential to the establishment and maintenance of communications:

Destination Unreachable (Type 1) - All codes
Packet Too Big (Type 2)
Time Exceeded (Type 3) - Code 0 only
Parameter Problem (Type 4) - Codes 1 and 2 only

Appendix A.4 suggests some more specific checks that could be performed on Parameter Problem messages if a firewall has the necessary packet inspection capabilities.

Connectivity checking messages:

Echo Request (Type 128)
Echo Response (Type 129)

For Teredo tunneling [RFC4380] to IPv6 nodes on the site to be possible, it is essential that the connectivity checking messages are allowed through the firewall. It has been common practice in IPv4 networks to drop Echo Request messages in firewalls to minimize the risk of scanning attacks on the protected network. As discussed in Section 3.2, the risks from port scanning in an IPv6 network are much less severe, and it is not necessary to filter IPv6 Echo Request messages.

4.3.2. Traffic That Normally Should Not Be Dropped

Error messages other than those listed in Section 4.3.1:

Time Exceeded (Type 3) - Code 1
Parameter Problem (Type 4) - Code 0

In the case of a linux home router, is the following rule sufficient to protect the WAN interface, while letting through RFC 4890 ICMPv6 packets? (ip6tables-save format)

*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Addendum:
Of course, one needs other rules for NDP and DHCP-PD:

-A INPUT -s fe80::/10 -d fe80::/10 -i wanif -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/10 -d fe80::/10 -i wanif -p udp -m state --state NEW -m udp --sport 547 --dport 546 -j ACCEPT

In other terms, can I safely get rid of the following rules to comply with RFC 4890, keeping only the “RELATED” rule first?

-A INPUT -i wanif -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -i wanif -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -i wanif -p icmpv6 --icmpv6-type ttl-exceeded -j ACCEPT
-A INPUT -i wanif -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT


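To make the question above concrete, here is an added example (not part of the question and not netfilter code) that models, in a deliberately simplified way, how conntrack classifies ICMPv6 arriving on the WAN interface, and then checks which RFC 4890 section 4.3.1 messages an INPUT chain holding only the RELATED,ESTABLISHED rule would drop. The model's assumptions: ICMPv6 types below 128 are error messages and become RELATED only when the original packet quoted inside them belongs to a flow conntrack still holds; an Echo Reply is ESTABLISHED only for an Echo Request this host sent; everything else is NEW. The addresses, flows and packets are constructed.

```python
"""Simplified model of conntrack's view of incoming ICMPv6 on a WAN interface,
used to see what '-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' alone
admits (assumes a default DROP policy).  Added example; the classification
rules below are an assumption, not netfilter's implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Icmp6:
    type: int
    code: int
    src: str
    inner: Optional[Flow] = None   # error messages quote the original packet
    ident: Optional[int] = None    # echo request/reply identifier


# RFC 4890 4.3.1 (must not drop) and 4.3.2 (normally should not drop);
# a code of None stands for every code of that type.
MUST_NOT_DROP = {(1, None), (2, None), (3, 0), (4, 1), (4, 2), (128, None), (129, None)}
SHOULD_NOT_DROP = {(3, 1), (4, 0)}


def rfc4890_class(pkt: Icmp6) -> str:
    for table, label in ((MUST_NOT_DROP, "must-not-drop"),
                         (SHOULD_NOT_DROP, "should-not-drop")):
        if (pkt.type, None) in table or (pkt.type, pkt.code) in table:
            return label
    return "unlisted"


class Conntrack:
    """Flows this router originated, as conntrack would remember them."""

    def __init__(self):
        self.flows: set[Flow] = set()
        self.echo: set[tuple[str, int]] = set()

    def track_outbound(self, flow: Flow) -> None:
        self.flows.add(flow)

    def track_echo_request(self, dst: str, ident: int) -> None:
        self.echo.add((dst, ident))

    def ctstate(self, pkt: Icmp6) -> str:
        if pkt.type < 128:                              # ICMPv6 error message
            return "RELATED" if pkt.inner in self.flows else "INVALID"
        if pkt.type == 129 and (pkt.src, pkt.ident) in self.echo:
            return "ESTABLISHED"
        return "NEW"


def related_established_only(ct: Conntrack, pkts):
    """One (type, code, RFC 4890 class, ctstate, accepted?) row per packet."""
    rows = []
    for pkt in pkts:
        state = ct.ctstate(pkt)
        rows.append((pkt.type, pkt.code, rfc4890_class(pkt), state,
                     state in ("RELATED", "ESTABLISHED")))
    return rows


def rfc4890_gaps(ct: Conntrack, pkts):
    """Must-not-drop messages that the single RELATED,ESTABLISHED rule drops."""
    return [(t, c) for t, c, cls, _, ok in related_established_only(ct, pkts)
            if cls == "must-not-drop" and not ok]


ROUTER, PEER = "2001:db8:1::1", "2001:db8:2::5"          # constructed addresses


def sample_conntrack() -> Conntrack:
    ct = Conntrack()
    ct.track_outbound(Flow("tcp", ROUTER, 40000, PEER, 443))  # router's own HTTPS session
    ct.track_echo_request(PEER, 0x1234)                       # router pinged the peer
    return ct


SAMPLE_PACKETS = [
    Icmp6(2, 0, PEER, inner=Flow("tcp", ROUTER, 40000, PEER, 443)),  # Packet Too Big, tracked flow
    Icmp6(1, 4, PEER, inner=Flow("udp", ROUTER, 5555, PEER, 53)),    # Dest Unreachable, flow already expired
    Icmp6(4, 0, PEER, inner=Flow("tcp", ROUTER, 40000, PEER, 443)),  # Parameter Problem code 0
    Icmp6(129, 0, PEER, ident=0x1234),                               # reply to the router's ping
    Icmp6(128, 0, PEER, ident=0x9999),                               # unsolicited Echo Request
]

if __name__ == "__main__":
    ct = sample_conntrack()
    for row in related_established_only(ct, SAMPLE_PACKETS):
        print(row)
    print("4.3.1 messages the rule alone drops:", rfc4890_gaps(ct, SAMPLE_PACKETS))
```

Under this model the gap list holds two entries: an error message for a flow conntrack no longer remembers (an expected loss with any stateful rule, since there is no flow left to inform) and the unsolicited Echo Request, which is the one place where a RELATED,ESTABLISHED-only INPUT chain and section 4.3.1 disagree; whether to accept it is the policy decision the RFC argues for. Errors about flows the router forwards for the LAN are judged in FORWARD, not INPUT, where the same RELATED rule applies.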

#StackBounty: #linux #networking #centos #vpn #ipsec ipsec site to site vpn sometimes not work

Bounty: 100

I have a problem with an IPsec (strongSwan) site-to-site VPN on CentOS (Linux).

I have 2 tunnels in my network:

Security Associations (2 up, 0 connecting):
gateway-second[2]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-second{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c016f8d5_i 0e88a657_o
gateway-second{2}:   10.10.20.1/32 === 10.5.30.144/32
gateway-first[1]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-first{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd51497c_i 118e08a0_o
gateway-first{1}:   10.10.21.1/32 === 10.5.31.26/32

So my question is: sometimes when I restart the VPN server, traffic goes into the tunnel, but sometimes not. It is very strange and I do not know what to search for. Maybe you know?

This is my ipsec.conf

conn myikesettings
  keyexchange=ikev2
  authby=secret
  left=%defaultroute
  right=XX.XX.XXX.XX
  type=tunnel
  ike=aes256-sha256-modp1024!
  esp=aes256-sha1!
  keyingtries=3
  ikelifetime=86400s
  lifetime=36000
  pfs=no
  closeaction=hold
conn gateway-first
  leftid=10.10.21.1
  leftsubnet=10.10.21.1/32
  rightsubnet=10.5.31.26/32
  also=myikesettings
  auto=start
conn gateway-second
  leftid=10.10.20.1
  leftsubnet=10.10.20.1/32
  rightsubnet=10.5.30.144/32
  also=myikesettings
  auto=start

— charon.log —

Apr  7 20:30:14 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Apr  7 20:30:14 00[CFG] loaded IKE secret for XX.XX.XX.XXX YY.YY.YYY.YY
Apr  7 20:30:14 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Apr  7 20:30:14 00[JOB] spawning 16 worker threads
Apr  7 20:30:14 06[CFG] received stroke: add connection 'gateway-second'
Apr  7 20:30:14 06[CFG] added configuration 'gateway-second'
Apr  7 20:30:14 07[CFG] received stroke: initiate 'gateway-second'
Apr  7 20:30:14 07[IKE] <gateway-second|1> initiating IKE_SA gateway-second[1] to YY.YY.YYY.YY
Apr  7 20:30:14 07[ENC] <gateway-second|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr  7 20:30:14 07[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr  7 20:30:14 09[CFG] received stroke: add connection 'gateway-first'
Apr  7 20:30:14 09[CFG] added configuration 'gateway-first'
Apr  7 20:30:14 11[CFG] received stroke: initiate 'gateway-first'
Apr  7 20:30:14 11[IKE] <gateway-first|2> initiating IKE_SA gateway-first[2] to YY.YY.YYY.YY
Apr  7 20:30:14 11[ENC] <gateway-first|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr  7 20:30:14 11[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr  7 20:30:14 13[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr  7 20:30:14 13[ENC] <gateway-second|1> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr  7 20:30:14 13[IKE] <gateway-second|1> received Cisco Delete Reason vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> received Cisco Copyright (c) 2009 vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> received FRAGMENTATION vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> authentication of '10.10.21.1' (myself) with pre-shared key
Apr  7 20:30:14 13[IKE] <gateway-second|1> establishing CHILD_SA gateway-second
Apr  7 20:30:14 13[ENC] <gateway-second|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr  7 20:30:14 13[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr  7 20:30:14 15[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr  7 20:30:14 15[ENC] <gateway-first|2> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr  7 20:30:14 15[IKE] <gateway-first|2> received Cisco Delete Reason vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> received Cisco Copyright (c) 2009 vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> received FRAGMENTATION vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> authentication of '10.10.20.1' (myself) with pre-shared key
Apr  7 20:30:14 15[IKE] <gateway-first|2> establishing CHILD_SA gateway-first
Apr  7 20:30:14 15[ENC] <gateway-first|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr  7 20:30:14 15[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr  7 20:30:14 05[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr  7 20:30:14 05[ENC] <gateway-second|1> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr  7 20:30:14 05[IKE] <gateway-second|1> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr  7 20:30:14 05[IKE] <gateway-second|1> IKE_SA gateway-second[1] established between XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr  7 20:30:14 05[IKE] <gateway-second|1> scheduling reauthentication in 85478s
Apr  7 20:30:14 05[IKE] <gateway-second|1> maximum IKE_SA lifetime 86018s
Apr  7 20:30:14 05[IKE] <gateway-second|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr  7 20:30:14 05[IKE] <gateway-second|1> CHILD_SA gateway-second{1} established with SPIs c341bc05_i d8e034cf_o and TS 10.10.21.1/32 === 10.5.31.26/32
Apr  7 20:30:14 04[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr  7 20:30:14 04[ENC] <gateway-first|2> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr  7 20:30:14 04[IKE] <gateway-first|2> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr  7 20:30:14 04[IKE] <gateway-first|2> IKE_SA gateway-first[2] established between XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr  7 20:30:14 04[IKE] <gateway-first|2> scheduling reauthentication in 85371s
Apr  7 20:30:14 04[IKE] <gateway-first|2> maximum IKE_SA lifetime 85911s
Apr  7 20:30:14 04[IKE] <gateway-first|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr  7 20:30:14 04[IKE] <gateway-first|2> CHILD_SA gateway-first{2} established with SPIs cc5c14b6_i d89a3328_o and TS 10.10.20.1/32 === 10.5.30.144/32



#StackBounty: #pi-3 #networking #boot #dhcp Issues with PXE boot with RPi 3B – no TFTP RRQ made

Bounty: 100

I’ve been running into issues trying to get a RPi 3B PXE booting – the Pi doesn’t appear to make any TFTP request once it receives a DHCP response, but instead remakes the BOOTP request. This might indicate that it thinks the response is invalid in some way?

I have a DHCP server on 192.168.2.1 (Kea DHCP), and a TFTP server on a different host (192.168.2.2). I can manually pull files from the TFTP server, and see that in the TFTP log. I’m aware that I’ve got to set option 60 to PXEClient, option 67 to the TFTP address and option 43 should contain Raspberry Pi Boot. Using dhcpdump -i eth0.2 -h b8:27:eb:bf:db:dd, this is the DHCP response being sent. Any obvious issues that would cause the Pi to reject it?

  TIME: 2018-04-03 18:10:15.501
    IP: 0.0.0.0 (b8:27:eb:bf:db:dd) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 26f30339
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: b8:27:eb:bf:db:dd:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         1 (DHCPDISCOVER)
OPTION:  55 ( 12) Parameter Request List     43 (Vendor specific info)
                                             60 (Vendor class identifier)
                                             67 (Bootfile name)
                                            128 (???)
                                            129 (???)
                                            130 (???)
                                            131 (???)
                                            132 (???)
                                            133 (???)
                                            134 (???)
                                            135 (???)
                                             66 (TFTP server name)

OPTION:  93 (  2) Client System             0000             ..
OPTION:  94 (  3) Client NDI                010201           ...
OPTION:  97 ( 17) UUID/GUID                 0044444444444444 .DDDDDDD
                                            4444444444444444 DDDDDDDD
                                            44               D
OPTION:  60 ( 32) Vendor class identifier   PXEClient:Arch:00000:UNDI:002001
---------------------------------------------------------------------------

  TIME: 2018-04-03 18:10:15.502
    IP: 192.168.2.1 (0:4:23:64:7d:c2) > 192.168.2.19 (b8:27:eb:bf:db:dd)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 26f30339
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 192.168.2.19
SIADDR: 192.168.2.2
GIADDR: 0.0.0.0
CHADDR: b8:27:eb:bf:db:dd:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:   3 (  4) Routers                   192.168.2.1
OPTION:   6 (  4) DNS server                192.168.2.1
OPTION:  43 ( 20) Vendor specific info      0112526173706265 ..Raspbe
                                            7272792050692042 rry Pi B
                                            6f6f74ff         oot.
OPTION:  51 (  4) IP address leasetime      4000 (1h6m40s)
OPTION:  53 (  1) DHCP message type         2 (DHCPOFFER)
OPTION:  54 (  4) Server identifier         192.168.2.1
OPTION:  60 (  9) Vendor class identifier   PXEClient
OPTION:  66 ( 11) TFTP server name          192.168.2.2
OPTION:  67 ( 12) Bootfile name             bootcode.bin


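One check a practitioner would run on the dump above is to decode the 20 bytes of option 43 strictly. This is an added example, not code from the question, from Kea or from the Pi firmware; it follows the encapsulated vendor-option layout of RFC 2132 (sub-option code, length, value, optional 0xff end marker) and copies the hex from the dhcpdump output. Decoded that way, sub-option 1 declares a length of 18 while only the 17 bytes of "Raspberry Pi Boot" precede the trailing 0xff, so a strict decoder swallows the 0xff into the string and sees no end marker. An encoder that emits exact lengths is included for comparison; whether the Pi's bootcode tolerates the longer length is not something the dump itself tells us.

```python
"""Strict decoder/encoder for DHCP option 43 (vendor-specific information).
Added example; OPTION43_HEX is copied from the dhcpdump output in the question."""

OPTION43_HEX = "0112526173706265" "7272792050692042" "6f6f74ff"


def parse_vendor_info(raw: bytes):
    """Decode encapsulated vendor sub-options.

    Returns (suboptions, findings): suboptions is a list of (code, value)
    pairs in wire order, findings lists anything a strict decoder would flag."""
    subs, findings, i = [], [], 0
    while i < len(raw):
        code = raw[i]
        if code == 0xFF:                                  # end marker
            findings.append(f"end marker at offset {i}")
            break
        if code == 0x00:                                  # pad byte
            i += 1
            continue
        if i + 1 >= len(raw):
            findings.append(f"truncated: code {code} has no length byte")
            break
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) < length:
            findings.append(f"truncated: code {code} declares {length} bytes, "
                            f"only {len(value)} present")
        elif 0xFF in value:
            findings.append(f"code {code}: declared length {length} swallows a 0xff "
                            f"byte at value offset {value.index(0xFF)}")
        subs.append((code, value))
        i += 2 + length
    if not any(f.startswith("end marker") for f in findings):
        findings.append("no end marker (0xff) found outside a value")
    return subs, findings


def ascii_text(value: bytes) -> str:
    """Printable-ASCII prefix of a value, i.e. what a loose string compare sees."""
    out = []
    for b in value:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            break
    return "".join(out)


def build_vendor_info(suboptions) -> bytes:
    """Encode sub-options with exact lengths and a trailing end marker."""
    out = bytearray()
    for code, value in suboptions:
        if not 0 < code < 0xFF or len(value) > 0xFF:
            raise ValueError("sub-option code or length out of range")
        out += bytes([code, len(value)]) + value
    out.append(0xFF)
    return bytes(out)


if __name__ == "__main__":
    subs, findings = parse_vendor_info(bytes.fromhex(OPTION43_HEX))
    for code, value in subs:
        print(f"sub-option {code}: {value!r} -> text {ascii_text(value)!r}")
    for f in findings:
        print("finding:", f)
    print("exact encoding:", build_vendor_info([(1, b"Raspberry Pi Boot")]).hex())
```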

#StackBounty: #linux #networking #amazon-web-services #docker Docker container not accessible after X minutes in AWS

Bounty: 100

I have a docker container (from sonarqube image) running on AWS and it was not remotely accessible. I was able to access only through ssh.

To fix my problem, I need to run this command:

$ sysctl net.ipv4.ip_forward=1

The problem is that after some minutes (or after some event) this flag is reverted back to net.ipv4.ip_forward=0. Something is automatically adding a row to this file:

#-> grep net.ipv4.ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 0

Does somebody know what the cause can be? Maybe it is some configuration on AWS?


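Since sysctl applies a file top to bottom, the second line shown in that grep output silently wins over the first. The following added example (not from the question, and independent of whatever is appending the line) parses sysctl.conf-style text, reports the effective value of each key and lists every key assigned more than once, which is the quick check to run before looking for the process that rewrites the file. The file content is a constructed sample that mirrors the question's grep output.

```python
"""Effective-value and duplicate-key report for sysctl.conf-style text.
Added example; SAMPLE_SYSCTL_CONF is constructed to mirror the question."""
import re

SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration (constructed sample)
net.ipv4.ip_forward = 1
kernel.printk = 3 4 1 3
net.ipv4.ip_forward = 0
"""

# key = value; a leading '-' tells sysctl to ignore errors for that key,
# and '/' is accepted as an alternative to '.' in key names.
ASSIGN = re.compile(r"^\s*(-?)([^\s=#;]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text: str):
    """Return (effective, duplicates).

    effective maps key -> last value seen (sysctl applies lines in order, so
    the last assignment wins); duplicates maps key -> [(line_no, value), ...]
    for every key assigned more than once."""
    seen = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = ASSIGN.match(line)
        if not m:
            continue  # malformed line: sysctl -p warns about it and skips it
        key = m.group(2).replace("/", ".")
        seen.setdefault(key, []).append((line_no, m.group(3)))
    effective = {k: v[-1][1] for k, v in seen.items()}
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates


def effective_across_files(texts):
    """Merge several files in the order the caller states sysctl applies them;
    a later file overrides an earlier one for the same key."""
    merged = {}
    for text in texts:
        effective, _ = parse_sysctl(text)
        merged.update(effective)
    return merged


if __name__ == "__main__":
    effective, duplicates = parse_sysctl(SAMPLE_SYSCTL_CONF)
    print("effective net.ipv4.ip_forward =", effective["net.ipv4.ip_forward"])
    for key, hits in duplicates.items():
        print(f"{key} assigned {len(hits)} times:", hits)
```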

#StackBounty: #networking #wireless #network-manager #ethernet #hot-spot Set up autoconnect to hot-spot only when ethernet connection

Bounty: 50

I currently switch between the following two set-ups on a daily basis:

1) Being connected to the internet via a WiFi network.

2) Having my (Ubuntu 16.04) laptop connected to the internet via a wired connection, then sharing this connection with my other devices through the built-in hot-spot functionality of Ubuntu.

At the moment, switching from 1 to 2 requires me to manually go through the “connect to hidden network” dialogue in the Network Manager; similarly switching from 2 to 1 requires me to manually disconnect from the hotspot and connect to the WiFi network. It’s not a lot of work, but I do it often enough that I would like to have it be automated.

It is not as simple as enabling autoconnect for the hotspot, since then it overrides the autoconnect functionality of other networks instead of connecting me to a WiFi network when I am not connected via a wired connection, and I end up with a hot-spot but no internet. So I need a solution which:

  • connects me to the hot-spot whenever I am connected to the internet via a wired connection.
  • disconnects me from the hot-spot when there is no ethernet connection.
  • autoconnects me to one of the networks with autoconnect=true whenever they are available and there is no ethernet connection.

A full explanation on how to do this would be great, but a reference to a good (non-expert) manual for setting up these kinds of rules would also be very much appreciated.



#StackBounty: #networking #nautilus #17.10 #scanner #shared-folders Network folder setup problem

Bounty: 50

I feel like I’m struggling massively with something that should be simple.

I need to give my scanner (HP Color LaserJet Pro M477fdw, all-in-one machine) access to a shared folder on my Ubuntu machine.

The settings are on the printer itself and the menu is accessed by entering its IP address in my browser, like one would access a router/modem.

All the printer needs to know is the correct (complete) path, username and password so it can save the documents over the network on my PC.

To make it simple I shared the folder, although I’m not entirely certain that that is necessary.

The scanner does test and save the settings if done correctly, but so far I haven’t been able to.

So for this there is no need for XSane or Simple Scan on the PC itself, as all the commands are given directly from the scanner.

When this works I would like to create similar access to a shared folder on my Linux-based Asustor NAS, but for now my Ubuntu machine has priority!

Local IP of the laptop is: 192.168.0.204
Local IP of the scanner/printer is: 192.168.0.101
Location of the shared folder is: Scanned, in the folder Documents

The setup is done directly in the scanner itself (not via HPLIP), by accessing it through its local IP (192.168.0.101).

After entering the parameters it checks the connection via test and save, which only gives the reply:

The test was unsuccessful. Try again.

So not very informative.

Also I’m not entirely sure which slash to use, \ or /; I always thought \ was for Windows and / for Linux, but since SMB is Windows related I’m getting confused, and it is essential.

Oh, and I let Nautilus use the standard settings for the shared folder.

I must add now that I reinstalled Ubuntu 17.10 from scratch!
I placed a folder with the same name in Documents and created a share,
but while setting this up I got an error message:

could not find libpam-smbpass.!

I can’t recall getting that notification when I did it the first time, but am not entirely sure about this.

So I tried to install this from Synaptic, but ran into the Wayland session bug for Synaptic, so I logged off and ran X11.

Tried to install, but there was nothing to actually install.

Then I ran

sudo apt-get remove --purge samba
sudo apt-get install samba
sudo apt-get remove --purge smbclient libsmbclient
sudo apt-get install smbclient libsmbclient

and got no warnings / errors.

Oh, I also tried to find the full path name in the terminal by:

# pwd
/home/matt/Documents/Scanned

(copy-pasted, so no typo)

The last few attempts I focused on these 3 paths:
– //192.168.0.101/home/matt/Documents/Scanned
– //192.168.0.101/home/Documents/Scanned
– //192.168.0.101/home/Scanned

I assume it’s using the SMB protocol, but am not sure of this
(I read somewhere that it does on Windows machines).

Anyway, I have tried all possible instances of the path with slashes facing each way, but I can’t seem to get it to actually pass the test and save.

Personally I believe the first two steps to solve this are to check whether there is still an issue with libpam-smbpass or not, and also to become sure which direction the / or \ should face.

Thanks for any help, and please ask for as much info as needed.

Matt 🙂

Added:

# touch /home/matt/Documents/Scanned/testing123

It created an empty document named testing123 in the folder.



#StackBounty: #networking #macos #vpn #dns #ssl sharing internet/vpn with ipfw, can't access google.com over https

Bounty: 50

I am sharing my internet connection / IKEv2 VPN connection over pf via Murus static NAT. My network architecture is as follows:

internet modem -> 
wired router (serving 192.168.1.1/24) -> 
Mac mini (192.168.1.2) -> ((en4) 192.168.2.1  ) ->
airport extreme (192.168.2.2) (DHCP, no NAT, serving 192.168.2.0/24)

I am sharing my internet / vpn connection via en4 to 192.168.2.0/24. Sharing internet works. Sharing the VPN works. I am doing DNS resolution on the router and not forwarding DNS requests through pf.

static nat via murus

However, certain sites (namely https://google.com) will not load. Other https sites will. ping google.com works fine on client and server. It resolves to different ip addresses on each, although both connections are behind the same VPN and use the same DNS servers.

curl google.com of course yields a 301. curl https://google.com works fine on the server, but curl -v https://google.com on the client yields the following if you wait long enough:

 stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443

The browser just times out. Both are running LibreSSL 2.2.7.

Wireshark output for the client and its preferred Google IP is pretty colorful, although unintelligible:

(Wireshark screenshot, not reproduced here)

Strangely enough, the Safari browser seems to be using the server’s Google IP and doesn’t show up in this filter (this is from a curl request.)

I have had this working in the past, and am trying again with a different router and one less layer of NAT. I can’t say it’s always been snarl-free, but I was definitely able to browse sites like google.com with the shared VPN connection.

It should be noted that turning off the VPN causes the shared internet connection to work just fine.

What next steps do I need to take to figure out why some https connections don’t work, and to get this network fully functional?

