evdo on server: clients can ping www, but not browse

[amorphousone]

i connected my server to the internet using a novatel u727.
clients can ping google, but when surfing the status stops at "waiting for google.com".
it looks to me like i can send but not receive packets.

packet forwarding and filtering are enabled.

prior to this experiment:

internet-----dc0(ext_if)------>re0(int_if)-----switch------clients

i was expecting to simply change "dc0" to "tun0" in my pf.conf, then just:

Code:

# ppp -ddial sprint ; pfctl -d ; pfctl -e

and have everything more or less work the same.

i read in the tun manpage:

Quote:

Both layer 3 and layer 2 tunneling is supported. Layer 3 tunneling is
the default mode; to enable layer 2 tunneling mode the link0 flag needs
to be set with ifconfig(8), or by setting up a hostname.if(5) configura-
tion file for netstart(8). In layer 2 mode the tun interface is simulat-
ing an Ethernet network interface.

and thought maybe this was my problem, that tun0 was defaulting to a layer 3 tunnel 9or is this barking up the wrong tree?), so i attempted to set a link0 flag a la:

Code:

# ifconfig tun0 link0

but then ifconfig tun0 shows the connection's been dropped (NO CARRIER).
the next sentence in man tun is:

Quote:

...Note that setting or unsetting the link0 flag causes tun to
lose any configuration settings, and that it is not advisable to use the
flag with any other parameters.

but i thought i was following this advice. is the order of operation backwards? should it be:

Code:

# ifconfig tun0 link0 ;  ppp -ddial sprint

my pf.conf is 99% from the faq soho example:

Code:

# macros

ext_if="tun0" # Novatel U727 via Sprint
#ext_if="dc0" # On-board card
#int_if="ral0" # Wireless access point
int_if="re0" # Realtek gigabit card
tcp_services="{ 22, 113 }"
icmp_types="echoreq"

# options

set block-policy return
set loginterface $ext_if
set skip on lo

# FTP proxy rules

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
rdr-to 127.0.0.1 port 8021

# match rules

match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules

block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

packet forwarding is on:

Code:

# grep \^net /etc/sysctl.conf  
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

ppp.conf:

Code:

default:
    set log Phase Chat LCP IPCP CCP tun command

sprint:
    set device /dev/cuaU0
    set speed 230400
    set dial "ABORT NO\\sCARRIER ABORT BUSY TIMEOUT 15 \
\"\" ATZ OK ATQ0V1E1S0=0&C1&D2+FCLASS=0 OK \
ATDT#777 CONNECT"
    set login
    set timeout 0
    enable dns
    add default HISADDR
    set ifaddr 0 0 0

any advice?