NetBSD-Users archive
Re: WireGuard + /32 tunnel endpoint: incoming connections unreachable on NetBSD was: Wireguard woes
On 25/1/26 at 10:16, J. Hannken-Illjes wrote:
Ramiro,
as you do not mention any sysctl settings -- do you have these entries in /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet.ip.redirect=0
Do you see redirects from netstat -s?
--
J. Hannken-Illjes - hannken%mailbox.org@localhost
Hello,
Thanks for answering:
I have the following default sysctl values, opposite settings to the
settings you posted:
netbsd-raspaZeroW# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding = 0
netbsd-raspaZeroW# sysctl net.inet.ip.redirect
net.inet.ip.redirect = 1
netbsd-raspaZeroW# netstat -s -I wg0
wg0 1380 <Link> 144 0 11 0 0
wg0 1380 44.27.132.76/ 44.27.132.76 144 0 11 0 0
wg0 1380 fe80::/64 fe80::ba27:ebff:f 144 0 11 0 0
wg0 1380 fe80::644d:cf fe80::644d:cf7a:c 144 0 11 0 0
netbsd-raspaZeroW#
netbsd-raspaZeroW# netstat -s
icmp:
12 calls to icmp_error
0 errors not generated because old message was icmp
Output histogram:
echoreply: 1
unreach: 12
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
0 multicast echo requests ignored
0 multicast timestamp requests ignored
Input histogram:
echoreply: 31
echo: 1
1 message response generated
0 path MTU changes
igmp:
0 messages received
0 messages received with too few bytes
0 messages received with bad checksum
0 membership queries received
0 membership queries received with invalid field(s)
0 membership reports received
0 membership reports received with invalid field(s)
0 membership reports received for groups to which we belong
2 membership reports sent
tcp:
6747 packets sent
6670 data packets (347061 bytes)
0 data packets (0 bytes) retransmitted
71 ack-only packets (6225 delayed)
0 URG only packets
0 window probe packets
2 window update packets
4 control packets
0 send attempts resulted in self-quench
6869 packets received
6255 acks (for 346984 bytes)
0 duplicate acks
0 acks for unsent data
6273 packets (255397 bytes) received in-sequence
0 completely duplicate packets (0 bytes)
0 old duplicate packets
0 packets with some dup. data (0 bytes duped)
5 out-of-order packets (144 bytes)
0 packets (0 bytes) of data after window
0 window probes
0 window update packets
0 packets received after close
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
2 connection requests
1 connection accept
3 connections established (including accepts)
67 connections closed (including 0 drops)
0 embryonic connections dropped
0 delayed frees of tcpcb
6257 segments updated rtt (of 6194 attempts)
0 retransmit timeouts
0 connections dropped by rexmit timeout
0 persist timeouts (resulting in 0 dropped connections)
0 keepalive timeouts
0 keepalive probes sent
0 connections dropped by keepalive
43 correct ACK header predictions
150 correct data packet header predictions
261 PCB hash misses
128 dropped due to no socket
0 connections drained due to memory shortage
0 PMTUD blackholes detected
1 bad connection attempt
3 SYN cache entries added
0 hash collisions
1 completed
0 aborted (no space to build PCB)
2 timed out
0 dropped due to overflow
0 dropped due to bucket overflow
0 dropped due to RST
0 dropped due to ICMP unreachable
1 delayed free of SYN cache entries
8 SYN,ACKs retransmitted
0 duplicate SYNs received for entries already in the cache
0 SYNs dropped (no route or no space)
0 packets with bad signature
0 packets with good signature
0 successful ECN handshakes
0 packets with ECN CE bit
0 packets ECN ECT(0) bit
udp:
362 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
12 dropped due to no socket
0 broadcast/multicast datagrams dropped due to no socket
0 dropped due to full socket buffers
350 delivered
333 PCB hash misses
255 datagrams output
ip:
7265 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with length > max ip packet size
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped (out of ipqent)
0 malformed fragments dropped
0 fragments dropped after timeout
0 packets reassembled ok
7265 packets for this host
0 packets for unknown/unsupported protocol
0 packets forwarded (0 packets fast forwarded)
0 packets not forwardable
0 redirects sent
0 packets no matching gif found
0 packets no matching ipsecif found
7137 packets sent from this host
32 packets sent with fabricated ip header
3 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 datagrams with bad address in header
0 input packets dropped by pfil
0 output packets dropped by pfil
0 input packets dropped by IPsec
0 output packets dropped by IPsec
0 input packets dropped due to interface state
0 packets dropped due to TTL exceeded
0 output packets dropped (no IP address)
0 output packets discarded due to reject route
0 output packets dropped (broadcast prohibited)
carp:
0 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 packets discarded for bad checksum
0 packets discarded with a bad version
0 discarded because packet was too short
0 packets discarded for bad authentication
0 packets discarded for bad vhid
0 packets discarded because of a bad address list
0 packets sent (IPv4)
0 packets sent (IPv6)
0 send failed due to mbuf memory error
ipsec:
0 no SA found (output)
0 no memory available (output)
0 no route available (output)
0 generic errors (output)
0 bundled SA processed (output)
7316 SPD cache lookups
577 SPD cache misses
ah:
0 ah input packets processed
0 ah output packets processed
0 ah headers too short
0 ah headers for unsupported address family
0 ah packets with no SA
0 ah packets dropped by crypto returning NULL mbuf
0 ah packets with bad authentication
0 ah packets with no xform
0 ah packets dropped due to queue full
0 ah packets dropped for replay counter wrap
0 ah packets dropped for possible replay
0 ah packets dropped for bad authenticator length
0 ah packets with an invalid SA
0 ah packets too big
0 ah packets blocked due to policy
0 ah failed crypto requests
0 ah tunnel sanity check failures
ah histogram:
0 ah bytes received
0 ah bytes transmitted
esp:
0 esp input packets processed
0 esp output packets processed
0 esp headers too short
0 esp headers for unsupported address family
0 esp packets with no SA
0 esp packets dropped by crypto returning NULL mbuf
0 esp packets dropped due to queue full
0 esp packets with no xform
0 esp packets with bad ilen
0 esp packets with bad encryption
0 esp packets with bad authentication
0 esp packets dropped for replay counter wrap
0 esp packets dropped for possible replay
0 esp packets with an invalid SA
0 esp packets too big
0 esp packets blocked due to policy
0 esp failed crypto requests
0 esp tunnel sanity check failures
esp histogram:
0 esp bytes received
0 esp bytes transmitted
ipip:
0 ipip total input packets
0 ipip total output packets
0 ipip packets too short for header length
0 ipip packets dropped due to queue full
0 ipip packets blocked due to policy
0 ipip IP spoofing attempts
0 ipip protocol family mismatched
0 ipip missing tunnel-endpoint address
0 ipip input bytes received
0 ipip output bytes processed
ipcomp:
0 ipcomp packets too short for header length
0 ipcomp protocol family not supported
0 ipcomp packets with no SA
0 ipcomp packets dropped by crypto returning NULL mbuf
0 ipcomp queue full
0 ipcomp no support for transform
0 ipcomp packets dropped for replay counter wrap
0 ipcomp input IPcomp packets
0 ipcomp output IPcomp packets
0 ipcomp packets with an invalid SA
0 ipcomp packets decompressed as too big
0 ipcomp packets too short to be compressed
0 ipcomp packet for which compression was useless
0 ipcomp packets blocked due to policy
0 ipcomp failed crypto requests
ipcomp histogram:
0 ipcomp input bytes
0 ipcomp output bytes
ip6:
0 total packets received
0 with size smaller than minimum
0 with data size < data length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 fragments that exceeded limit
0 packets reassembled ok
0 packets for this host
0 packets forwarded
0 packets fast forwarded
0 fast forward flows
0 packets not forwardable
0 redirects sent
15 packets sent from this host
0 packets sent with fabricated ip header
4 output packets dropped due to no bufs, etc.
16 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 packets that violated scope rules
0 multicast packets which we don't join
Mbuf statistics:
0 one mbufs
0 one ext mbufs
0 two or more ext mbufs
0 packets whose headers are not continuous
0 tunneling packets that can't find gif
0 tunneling packets that can't find ipsecif
0 packets discarded due to too many headers
0 failures of source address selection
0 forward cache hit
0 forward cache miss
0 input packets dropped by pfil
0 output packets dropped by pfil
0 input packets dropped by IPsec
0 output packets dropped by IPsec
0 input packets dropped due to interface state
0 input packets dropped due to no bufs, etc.
0 packets dropped due to hop limit exceeded
0 packets dropped (too big)
0 output packets discarded due to reject route
icmp6:
0 calls to icmp6_error
0 errors not generated because old message was icmp6 or so
0 errors not generated because of rate limitation
Output packet histogram:
multicast listener report: 12
neighbor solicitation: 3
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
Histogram of error messages to be generated:
0 no route
0 administratively prohibited
0 beyond scope
0 address unreachable
0 port unreachable
0 packet too big
0 time exceed transit
0 time exceed reassembly
0 erroneous header field
0 unrecognized next header
0 unrecognized option
0 redirect
0 unknown
0 message responses generated
0 messages with too many ND options
0 messages with bad ND options
0 bad neighbor solicitation messages
0 bad neighbor advertisement messages
0 bad router solicitation messages
0 bad router advertisement messages
0 router advertisement routes dropped
0 bad redirect messages
0 path MTU changes
tcp6:
6755 packets sent
6678 data packets (355577 bytes)
0 data packets (0 bytes) retransmitted
71 ack-only packets (6226 delayed)
0 URG only packets
0 window probe packets
2 window update packets
4 control packets
0 send attempts resulted in self-quench
6872 packets received
6257 acks (for 349220 bytes)
0 duplicate acks
0 acks for unsent data
6274 packets (255433 bytes) received in-sequence
0 completely duplicate packets (0 bytes)
0 old duplicate packets
0 packets with some dup. data (0 bytes duped)
5 out-of-order packets (144 bytes)
0 packets (0 bytes) of data after window
0 window probes
0 window update packets
0 packets received after close
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
2 connection requests
1 connection accept
3 connections established (including accepts)
67 connections closed (including 0 drops)
0 embryonic connections dropped
0 delayed frees of tcpcb
6259 segments updated rtt (of 6196 attempts)
0 retransmit timeouts
0 connections dropped by rexmit timeout
0 persist timeouts (resulting in 0 dropped connections)
0 keepalive timeouts
0 keepalive probes sent
0 connections dropped by keepalive
43 correct ACK header predictions
150 correct data packet header predictions
261 PCB hash misses
128 dropped due to no socket
0 connections drained due to memory shortage
0 PMTUD blackholes detected
1 bad connection attempt
3 SYN cache entries added
0 hash collisions
1 completed
0 aborted (no space to build PCB)
2 timed out
0 dropped due to overflow
0 dropped due to bucket overflow
0 dropped due to RST
0 dropped due to ICMP unreachable
1 delayed free of SYN cache entries
8 SYN,ACKs retransmitted
0 duplicate SYNs received for entries already in the cache
0 SYNs dropped (no route or no space)
0 packets with bad signature
0 packets with good signature
0 successful ECN handshakes
0 packets with ECN CE bit
0 packets ECN ECT(0) bit
udp6:
0 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
0 with no checksum
0 dropped due to no socket
0 multicast datagrams dropped due to no socket
0 dropped due to full socket buffers
0 delivered
0 datagrams output
ipsec6:
0 no SA found (output)
0 no memory available (output)
0 no route available (output)
0 generic errors (output)
0 bundled SA processed (output)
7319 SPD cache lookups
577 SPD cache misses
ah:
0 ah input packets processed
0 ah output packets processed
0 ah headers too short
0 ah headers for unsupported address family
0 ah packets with no SA
0 ah packets dropped by crypto returning NULL mbuf
0 ah packets with bad authentication
0 ah packets with no xform
0 ah packets dropped due to queue full
0 ah packets dropped for replay counter wrap
0 ah packets dropped for possible replay
0 ah packets dropped for bad authenticator length
0 ah packets with an invalid SA
0 ah packets too big
0 ah packets blocked due to policy
0 ah failed crypto requests
0 ah tunnel sanity check failures
ah histogram:
0 ah bytes received
0 ah bytes transmitted
esp:
0 esp input packets processed
0 esp output packets processed
0 esp headers too short
0 esp headers for unsupported address family
0 esp packets with no SA
0 esp packets dropped by crypto returning NULL mbuf
0 esp packets dropped due to queue full
0 esp packets with no xform
0 esp packets with bad ilen
0 esp packets with bad encryption
0 esp packets with bad authentication
0 esp packets dropped for replay counter wrap
0 esp packets dropped for possible replay
0 esp packets with an invalid SA
0 esp packets too big
0 esp packets blocked due to policy
0 esp failed crypto requests
0 esp tunnel sanity check failures
esp histogram:
0 esp bytes received
0 esp bytes transmitted
ipip:
0 ipip total input packets
0 ipip total output packets
0 ipip packets too short for header length
0 ipip packets dropped due to queue full
0 ipip packets blocked due to policy
0 ipip IP spoofing attempts
0 ipip protocol family mismatched
0 ipip missing tunnel-endpoint address
0 ipip input bytes received
0 ipip output bytes processed
ipcomp:
0 ipcomp packets too short for header length
0 ipcomp protocol family not supported
0 ipcomp packets with no SA
0 ipcomp packets dropped by crypto returning NULL mbuf
0 ipcomp queue full
0 ipcomp no support for transform
0 ipcomp packets dropped for replay counter wrap
0 ipcomp input IPcomp packets
0 ipcomp output IPcomp packets
0 ipcomp packets with an invalid SA
0 ipcomp packets decompressed as too big
0 ipcomp packets too short to be compressed
0 ipcomp packet for which compression was useless
0 ipcomp packets blocked due to policy
0 ipcomp failed crypto requests
ipcomp histogram:
0 ipcomp input bytes
0 ipcomp output bytes
pim6:
0 messages received
0 messages received with too few bytes
0 messages received with bad checksum
0 messages received with bad version
0 registers received
0 bad registers received
0 registers sent
rip6:
0 messages received
0 checksum calculations on inbound
0 messages with bad checksum
0 messages dropped due to no socket
0 multicast messages dropped due to no socket
0 messages dropped due to full socket buffers
0 delivered
0 datagrams output
arp:
125 packets sent
64 reply packets
61 request packets
119 packets received
55 reply packets
64 valid request packets
0 broadcast/multicast packets
0 packets with unknown protocol type
0 packets with bad (short) length
0 packets with null target IP address
0 packets with null source IP address
0 could not be mapped to an interface
0 packets sourced from a local hardware address
0 packets with a broadcast source hardware address
0 duplicates for a local IP address
0 attempts to overwrite a static entry
0 packets received on wrong interface
0 entrys overwritten
0 changes in hardware address length
2 packets deferred pending ARP resolution
2 sent
0 dropped
0 failures to allocate llinfo
pfkey:
0 requests sent from userland
0 bytes sent from userland
0 messages with invalid length field
0 messages with invalid version field
0 messages with invalid message type field
0 messages too short
0 messages with memory allocation failure
0 messages with duplicate extension
0 messages with invalid extension type
0 messages with invalid sa type
0 messages with invalid address extension
0 requests sent to userland
0 bytes sent to userland
0 messages toward single socket
0 messages toward all sockets
0 messages toward registered sockets
0 messages with memory allocation failure
netbsd-raspaZeroW#
Thanks.
Ramiro.
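
Added example (not part of the original message or of NetBSD itself): a small shell helper that pulls the forwarding-related IPv4 counters out of netstat -s output and pairs them with the two sysctl values discussed above. The function names and the one-line summary format are assumptions made for illustration; the sample input is an excerpt of the output posted in the message.

```shell
#!/bin/sh
# Added example, not code from the thread.

# counter SECTION TEXT: read `netstat -s` output on stdin and print the number
# that starts the first line containing TEXT inside SECTION ("ip", "ip6", ...).
counter() {
    awk -v sec="$1:" -v pat="$2" '
        /^[a-z0-9]+:$/ { cur = $0; next }   # protocol header, e.g. "ip:"
        !found && cur == sec && $1 ~ /^[0-9]+$/ && index($0, pat) {
            print $1; found = 1             # keep reading so the writer never hits EPIPE
        }'
}

# report FORWARDING REDIRECT: combine the two sysctl values with the IPv4
# counters from `netstat -s` (stdin) into one summary line.
report() {
    stats=$(cat)
    get() { printf '%s\n' "$stats" | counter ip "$1"; }
    # NetBSD sysctl documentation: ip.redirect is ignored unless the host is
    # routing IP packets, so redirects are only possible when both are 1.
    if [ "$1" = 1 ] && [ "$2" = 1 ]; then eff=yes; else eff=no; fi
    echo "forwarding=$1 redirect=$2 redirects_possible=$eff" \
         "forwarded=$(get 'packets forwarded')" \
         "not_forwardable=$(get 'packets not forwardable')" \
         "redirects_sent=$(get 'redirects sent')"
}

# Excerpt of the output posted above (indentation as rendered on this page).
sample_stats() {
    cat <<'EOF'
ip:
7265 total packets received
7265 packets for this host
0 packets forwarded (0 packets fast forwarded)
0 packets not forwardable
0 redirects sent
7137 packets sent from this host
ip6:
0 packets forwarded
0 redirects sent
15 packets sent from this host
EOF
}

sample_stats | report 0 1
```

On a live system the same summary comes from: netstat -s | report "$(sysctl -n net.inet.ip.forwarding)" "$(sysctl -n net.inet.ip.redirect)"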