RE: NAT (ipfw/natd) broken in latest -CURRENT
- From: Joe Marcus Clarke <marcus@xxxxxxxxxxx>
- Date: Thu, 18 Dec 2008 17:02:25 -0500
On Thu, 2008-12-18 at 12:53 -0800, Li, Qing wrote:
Hi Joe,
I have been trying to recreate your problem but my setup seems to work. I then noticed in your original netstat output the p2p host route installed by the tunnel interface has the "G" flag set. This will certainly cause a routing problem because that route is not an indirect route. I modified the kernel code to simulate this condition and I do see the error on output, which is expected.
I assume this problem is consistently reproducible in your setup?
Absolutely. Every time I set up the p2p tunnel with the non-proxy ARP address range. Traffic flows outbound, but never inbound. Your analysis sounds correct. The kernel doesn't know the interface on which to encapsulate the return traffic.
Joe
--
-- Qing
-----Original Message-----
From: owner-freebsd-current@xxxxxxxxxxx [mailto:owner-freebsd-current@xxxxxxxxxxx] On Behalf Of Joe Marcus Clarke
Sent: Tuesday, December 16, 2008 5:20 PM
To: current
Subject: NAT (ipfw/natd) broken in latest -CURRENT
I just upgraded my i386 -CURRENT box from November 14 to today, and my SSH-over-PPP VPN tunnel no longer works. I did some packet captures, and it appears that NAT is no longer working. If I send a telnet packet from my client side over the PPP tunnel, I see the SYN go out on the server side network properly translated. The destination host ACKs correctly, but the ACK never goes back across the tunnel. It's as if natd is no longer translating the packet on the inbound path. Besides the upgrade, nothing has changed in my environment.
My ipfw show looks like:
00050 22974 4677637 divert 8668 ip4 from any to any via em0
00100 194 20696 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 24714 4934785 allow ip from any to any
65535 5 396 deny ip from any to any
I am running natd as:
/sbin/natd -s -m -skinny_port 2000 -n em0
The ifconfig for my tunnel interface is:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1300
inet 10.1.1.1 --> 10.1.1.76 netmask 0xffffff00
inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5
Opened by PID 8018
My netstat on the server side looks like:
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 172.18.254.1 UGS 0 46685 em0
10.1.1.76 link#5 UGH 0 1735 tun0
127.0.0.1 link#3 UH 0 1171 lo0
172.18.254.0/24 link#1 U 0 0 em0
172.18.254.237/32 link#1 U 0 8 em0
The server's uname is:
FreeBSD jclarke-pc.cisco.com 8.0-CURRENT FreeBSD 8.0-CURRENT #130: Tue Dec 16 15:42:09 EST 2008 marcus@xxxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/JCLARKE-PC i386
The previous, working uname was:
FreeBSD 8.0-CURRENT #129: Fri Nov 14 13:51:50 EST 2008 marcus@xxxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/JCLARKE-PC
Joe
--
Joe Marcus Clarke
FreeBSD GNOME Team :: gnome@xxxxxxxxxxx
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome
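The diagnostic Qing applied by eye above (a point-to-point host route whose gateway is an interface, link#N, yet which carries the indirect "G" flag) is easy to turn into a post-tunnel-up sanity check. The following shell/awk script is an added example and is not code from the thread or from FreeBSD; the routing table it parses is a constructed sample modelled on the netstat output quoted in the report, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): flag host routes that name an
# interface (link#N) as gateway but still carry the 'G' (indirect) flag.
# A link#N "gateway" is not a next-hop address, so 'G' is inconsistent
# there and, per the discussion above, breaks return traffic over tun0.

# Constructed sample in `netstat -rn` layout, modelled on the report.
SAMPLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    46685    em0
10.1.1.76          link#5             UGH         0     1735   tun0
127.0.0.1          link#3             UH          0     1171    lo0
172.18.254.0/24    link#1             U           0        0    em0
172.18.254.237/32  link#1             U           0        8    em0'

# find_bad_p2p_routes: read netstat -rn style text on stdin and print
# "destination gateway flags netif" for every route whose gateway is an
# interface reference (link#N) and whose flags contain both H and G.
find_bad_p2p_routes() {
    awk '
        # header and real next-hop routes (gateway is an address) are skipped
        $2 !~ /^link#/ { next }
        $3 ~ /G/ && $3 ~ /H/ { printf "%s %s %s %s\n", $1, $2, $3, $6 }
    '
}

# count_bad_p2p_routes: number of offending routes (0 means the table is clean)
count_bad_p2p_routes() {
    find_bad_p2p_routes | wc -l | tr -d ' '
}

# Run against the constructed sample; on a live FreeBSD box replace the
# printf with:  netstat -rn -f inet | find_bad_p2p_routes
printf '%s\n' "$SAMPLE" | find_bad_p2p_routes
```

On the sample this reports only `10.1.1.76 link#5 UGH tun0`, the route Qing singled out; the loopback host route (UH, no G) and the interface routes (U) are left alone. A clean table after bringing up the tunnel should produce no output.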