Re: Route Question
Cameron Kerr <cameron.kerr@paradise.net.nz> wrote in message news:<401a24ea@news.maxnet.co.nz>...
> Dan Bent <dbent@benefit-systems.com> wrote:
>
> > $ traceroute 10.0.1.251
> > traceroute to 10.0.1.251 (10.0.1.251), 64 hops max, 40 byte packets
> > 1 localhost (127.0.0.1) 0.745 ms 0.618 ms 0.235 ms
> > 2 localhost (127.0.0.1) 0.620 ms 0.642 ms 0.400 ms
> > 3 localhost (127.0.0.1) 0.507 ms 0.735 ms 0.494 ms
> > 4 localhost (127.0.0.1) 0.614 ms 0.859 ms 0.402 ms
> > 5 localhost (127.0.0.1) 0.477 ms 0.947 ms 0.681 ms
> > 6 localhost (127.0.0.1) 0.767 ms 1.8 ms 0.857 ms
> > 7 localhost (127.0.0.1) 1.13 ms 1.142 ms 0.904 ms
> > 8 localhost (127.0.0.1) 0.974 ms 1.164 ms^C
>
> > Routing table on firewall looks like this:
>
> > 127.0.0.0 localhost UG <--- Here is your problem
> > localhost localhost UH
>
> These route entries are saying "to get to localhost, send your packet
> via localhost", ergo you have a routing loop.
>
> You seem to have a lot of route entries. Are you using a routing
> protocol, or doing this by hand?
>
> I'm not familiar with OpenBSD, so I'm not entirely certain what that
> would normally say, but I would normally expect it to say something like
> the following (from my Linux box, I should get my FreeBSD box going
> again)
>
> $ /sbin/route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 0.0.0.0 10.18.0.1 0.0.0.0 UG 0 0 0 eth0
>
> You will notice that there are NO entries mentioning the device lo, or
> anything in 127.0.0.0/8.
There are a lot of route table entries on the firewall, because
there's a route for each of the machines on the network that use the
firewall as their internet gateway. The routing table is built
automatically; I have not done any manual manipulation.

I would agree that the traceroute results show a routing loop, where
the machine keeps routing the packets to itself, when I'd like it to
be looking for 10.0.1.251. However, I'm not sure how to resolve that.

There's another interesting wrinkle that has developed as I try to
work this out. I cannot ping the inside of the firewall (10.0.1.254)
from the webserver, and I cannot ping the webserver from the firewall.
I can ping both interfaces from other machines on the network.
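
An added example, not part of either poster's message: a Python check that reads traceroute output in the `name (address)` form shown above and reports the symptom discussed in the thread, a loopback address or the same router answering at more than one hop. The function names are hypothetical, and the sample is the first four hops of the posted output.

```python
import ipaddress
import re

# First four hops of the traceroute output posted in the thread.
POSTED = """\
traceroute to 10.0.1.251 (10.0.1.251), 64 hops max, 40 byte packets
1 localhost (127.0.0.1) 0.745 ms 0.618 ms 0.235 ms
2 localhost (127.0.0.1) 0.620 ms 0.642 ms 0.400 ms
3 localhost (127.0.0.1) 0.507 ms 0.735 ms 0.494 ms
4 localhost (127.0.0.1) 0.614 ms 0.859 ms 0.402 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "name (a.b.c.d)" form


def responders_by_addr(text):
    """Map each responding address to the list of TTLs it answered at."""
    seen = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or noise
        ttl = int(m.group(1))
        # A hop may list several responders; count each once per TTL.
        for addr in dict.fromkeys(ADDR_RE.findall(m.group(2))):
            seen.setdefault(addr, []).append(ttl)
    return seen


def diagnose(text):
    """Return (address, ttls, reason) for responders that indicate a loop."""
    lines = text.splitlines()
    has_header = bool(lines) and lines[0].startswith("traceroute")
    header = ADDR_RE.search(lines[0]) if has_header else None
    target = header.group(1) if header else None
    findings = []
    for addr, ttls in responders_by_addr(text).items():
        if addr == target:
            continue  # the destination itself answering is normal
        if ipaddress.ip_address(addr).is_loopback:
            findings.append((addr, ttls, "loopback address answered as a hop"))
        elif len(ttls) > 1:
            findings.append((addr, ttls, "same router at several TTLs"))
    return findings


if __name__ == "__main__":
    for addr, ttls, reason in diagnose(POSTED):
        print(f"{addr}: {reason} (TTLs {ttls})")
```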