Date: Sat, 14 Dec 2019 17:35:37 -0500
From: "John W. O'Brien" <john@saltant.com>
To: bsd-lists@BSDforge.com
Cc: FreeBSD Networking <freebsd-net@freebsd.org>
Subject: Re: NAT64 return traffic vanishes after successful de-alias
Message-ID: <b5b775af-1e39-8a8e-ae95-e66efaf4c318@saltant.com>
In-Reply-To: <2401399a05f75fa4b78f4d66c67c9e97@udns.ultimatedns.net>
References: <2401399a05f75fa4b78f4d66c67c9e97@udns.ultimatedns.net>
On 2019/12/14 17:15, Chris wrote:
> On Sat, 14 Dec 2019 14:54:26 -0500 John W. O'Brien john@saltant.com said
> 
>> Hello FreeBSD Networking,
>>
>> As the subject summarizes, I have a mostly-working NAT64 rig, but return
>> traffic is disappearing, and I haven't been able to figure out why. I
>> observe the post-translation (4-to-6) packets via ipfwlog0, but a simple
>> ipfw counter rule matches nothing.
>>
>> My attempt to develop a minimum reproducible example failed in the sense
>> that I did not reproduce the problem. Of course, this implies that one
>> of the many differences between the simplified test (EC2 instance, two
>> jails) and the problem rig (physical server, lagg, vlans, other things
>> going on) is the cause.
>>
>> What I am hoping this list can help me with is being smart about what I
>> try next. Otherwise, I would probably just try to brute force a solution
>> by thinking of ways to permute the config that would rule each possible
>> difference in or out.
>>
>> So far my main troubleshooting tools have been ipfw for its rule
>> counters and nat64lsn stats output, netstat to look at fibs, and tcpdump
>> pointed at real and diagnostic interfaces. What debugging tools and
>> techniques should I employ to do better than brute force?
>>
>> If it would help, I would gladly share the working, EC2/jail demo
>> configs on the list. Sharing the non-working configs I would prefer to
>> do privately or not at all.
>>
>> This is on 12.1-RELEASE.
>>
>> Thank you,
> 
> pf(4) is pretty close to metal, and would probably be a good candidate for
> acquiring the type of statistics you're hoping to find; pfctl(8), pfctl -s,
> and pfctl -T are a few examples.

Hi Chris,

Thank you for the suggestion. I think I need a little help understanding
how I would put it into practice though. The nat64lsn module is part of
the ipfw firewall, and pf in FreeBSD hasn't yet picked up a NAT64
capability, so I cannot abandon ipfw in this case. Is the idea to run
ipfw and pf at the same time?

-- 
John W. O'Brien
OpenPGP keys: 0x33C4D64B895DBF3B
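The 4-to-6 return packet John is trying to count is addressed according to RFC 6052: after nat64lsn translates it, its IPv6 source is the NAT64 prefix with the IPv4 peer embedded, and its destination is the original IPv6 client. Knowing those two addresses exactly is what lets a counter rule placed after the translator be written to match the packet tcpdump shows on ipfwlog0. The Python below is an added example, not code from this thread or from FreeBSD's ipfw. It assumes nat64lsn's default prefix 64:ff9b::/96 (the prefix6 option in ipfw(8)) and uses constructed documentation-range addresses for the client and peer. It goes beyond the /96 case in the thread and implements the full RFC 6052 mapping for every permitted prefix length, then derives the pre- and post-translation address pairs and one illustrative ipfw count rule per leg.

```python
"""RFC 6052 address mapping for NAT64 troubleshooting.

Added example, not code from the thread or from ipfw. Assumes the
nat64lsn default prefix 64:ff9b::/96 and constructed addresses.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# RFC 6052 section 2.2 permits exactly these NAT64 prefix lengths.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(prefix, v4):
    """Embed an IPv4 address into an RFC 6052 IPv4-embedded IPv6 address.

    Bits 64..71 (the "u" octet) must be zero, so for prefixes shorter
    than /64 the 32 IPv4 bits are split around that octet.
    """
    prefix, v4 = IPv6Network(prefix), IPv4Address(v4)
    p = prefix.prefixlen
    if p not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{p}")
    head = prefix.network_address.packed[: p // 8]
    if p < 64:
        body = head + v4.packed
        body = body[:8] + b"\x00" + body[8:]   # insert the zero u octet at byte 8
    elif p == 64:
        body = head + b"\x00" + v4.packed       # u octet, then the IPv4 bytes
    else:                                       # /96: IPv4 is the low 32 bits
        body = head + v4.packed
    return IPv6Address(body.ljust(16, b"\x00"))


def extract(prefix, v6):
    """Inverse of synthesize(); rejects addresses outside the prefix."""
    prefix, v6 = IPv6Network(prefix), IPv6Address(v6)
    p = prefix.prefixlen
    if p not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{p}")
    if v6 not in prefix:
        raise ValueError(f"{v6} is not within NAT64 prefix {prefix}")
    b = v6.packed
    if p < 64:
        b = b[:8] + b[9:]                       # drop the u octet, then slice
        return IPv4Address(b[p // 8 : p // 8 + 4])
    if p == 64:
        return IPv4Address(b[9:13])
    return IPv4Address(b[12:16])


def expected_flows(prefix, client6, peer4):
    """Source/destination pairs on the IPv6 side of the translator.

    'request_6to4_pre' is the packet as the IPv6 client sends it;
    'return_4to6_post' is the reply as it leaves nat64lsn after 4-to-6
    translation (the IPv4 pool address/port chosen by nat64lsn is not
    visible on this side and is not needed here).
    """
    client6 = IPv6Address(client6)
    peer6 = synthesize(prefix, peer4)
    return {
        "request_6to4_pre": (client6, peer6),
        "return_4to6_post": (peer6, client6),
    }


def count_rules(prefix, client6, peer4, base=100):
    """Illustrative ipfw 'count' rules, one per leg, so each leg's counter
    can be compared with what tcpdump on ipfwlog0 shows."""
    flows = expected_flows(prefix, client6, peer4)
    src, dst = flows["request_6to4_pre"]
    req = f"ipfw add {base} count ip6 from {src} to {dst}"
    src, dst = flows["return_4to6_post"]
    ret = f"ipfw add {base + 1} count ip6 from {src} to {dst}"
    return [req, ret]


if __name__ == "__main__":
    # Constructed sample: documentation-range client and peer, default prefix.
    for rule in count_rules("64:ff9b::/96", "2001:db8::10", "198.51.100.7"):
        print(rule)
```

The prefix table in RFC 6052 section 2.4 (prefix 2001:db8::/32 through /96 with 192.0.2.33) is the quickest way to check an implementation like this against the standard; for nat64lsn with the default prefix, the return leg of a connection to 198.51.100.7 arrives on the IPv6 side from 64:ff9b::c633:6407.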