Date:      Sat, 14 Dec 2019 17:35:37 -0500
From:      "John W. O'Brien" <john@saltant.com>
To:        bsd-lists@BSDforge.com
Cc:        FreeBSD Networking <freebsd-net@freebsd.org>
Subject:   Re: NAT64 return traffic vanishes after successful de-alias
Message-ID:  <b5b775af-1e39-8a8e-ae95-e66efaf4c318@saltant.com>
In-Reply-To: <2401399a05f75fa4b78f4d66c67c9e97@udns.ultimatedns.net>
References:  <2401399a05f75fa4b78f4d66c67c9e97@udns.ultimatedns.net>


On 2019/12/14 17:15, Chris wrote:
> On Sat, 14 Dec 2019 14:54:26 -0500 John W. OBrien john@saltant.com said
> 
>> Hello FreeBSD Networking,
>>
>> As the subject summarizes, I have a mostly-working NAT64 rig, but return
>> traffic is disappearing, and I haven't been able to figure out why. I
>> observe the post-translation (4-to-6) packets via ipfwlog0, but a simple
>> ipfw counter rule matches nothing.
>>
>> My attempt to develop a minimum reproducible example failed in the sense
>> that I did not reproduce the problem. Of course, this implies that one
>> of the many differences between the simplified test (EC2 instance, two
>> jails) and the problem rig (physical server, lagg, vlans, other things
>> going on) is the cause.
>>
>> What I am hoping this list can help me with is being smart about what I
>> try next. Otherwise, I would probably just try to brute force a solution
>> by thinking of ways to permute the config that would rule each possible
>> difference in or out.
>>
>> So far my main troubleshooting tools have been ipfw for its rule
>> counters and nat64lsn stats output, netstat to look at fibs, and tcpdump
>> pointed at real and diagnostic interfaces. What debugging tools and
>> techniques should I employ to do better than brute force?
>>
>> If it would help, I would gladly share the working, EC2/jail demo
>> configs on the list. Sharing the non-working configs I would prefer to
>> do privately or not at all.
>>
>> This is on 12.1-RELEASE.
>>
>> Thank you,
> 
> pf(4) is pretty close to metal, and would probably be a good candidate for
> acquiring the type of statistics you're hoping to find; pfctl(8), pfctl -s,
> and pfctl -T are a few examples.

Hi Chris,

Thank you for the suggestion. I think I need a little help understanding
how I would put it into practice though. The nat64lsn module is part of
the ipfw firewall, and pf in FreeBSD hasn't yet picked up a NAT64
capability, so I cannot abandon ipfw in this case. Is the idea to run
ipfw and pf at the same time?

-- 
John W. O'Brien
OpenPGP keys:
    0x33C4D64B895DBF3B
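The quoted post leans on ipfw rule counters and nat64lsn stats to tell where the returning packets stop. The script below is an added example for this thread, not code from either poster: it compares two snapshots of `ipfw -a list` output (rule number, packet count, byte count, rule body) taken before and after a burst of test traffic and reports which rules moved and which stayed idle, so a "matches nothing" rule is found by diffing rather than by eyeballing. The rule set and both snapshots are constructed sample lines, and the 64:ff9b::/96 prefix and the instance name n64 are assumptions for the illustration; on a real rig you would save the real `ipfw -a list` output before and after the test instead.

```shell
#!/bin/sh
# Added example, not from the original posts: diff two snapshots of
# "ipfw -a list" output to see which rules matched traffic during a test
# and which stayed idle. Both snapshots below are constructed samples in
# the "rulenum packets bytes rulebody" layout that "ipfw -a list" prints.

# Constructed sample: counters before the test traffic.
BEFORE='00100 1500 120000 allow ip from any to any via lo0
00200 42 3360 count ip6 from 64:ff9b::/96 to any in
00300 42 3360 nat64lsn n64 ip from any to any
65535 7 700 deny ip from any to any'

# Constructed sample: counters after the test traffic. Rule 300 moved,
# rule 200 (the count rule for the returning translated traffic) did not.
AFTER='00100 1520 121600 allow ip from any to any via lo0
00200 42 3360 count ip6 from 64:ff9b::/96 to any in
00300 50 4000 nat64lsn n64 ip from any to any
65535 7 700 deny ip from any to any'

# counter_delta BEFORE AFTER
#   Prints one line per rule in AFTER: "<rule> <packet delta> <rule body>".
#   A rule absent from BEFORE gets its full AFTER count as the delta.
counter_delta() {
    _before=$(mktemp) || return 1
    _after=$(mktemp) || { rm -f "$_before"; return 1; }
    printf '%s\n' "$1" > "$_before"
    printf '%s\n' "$2" > "$_after"
    awk '
        NR == FNR { pkts[$1] = $2; next }   # first file: remember old packet counts
        {
            delta = $2 - pkts[$1]           # a missing key reads as 0
            body = ""
            for (i = 4; i <= NF; i++) body = body " " $i
            printf "%s %d%s\n", $1, delta, body
        }
    ' "$_before" "$_after"
    rm -f "$_before" "$_after"
}

# idle_rules BEFORE AFTER
#   Prints, space separated, the numbers of the rules whose packet counter
#   did not move between the snapshots: the first places to look when
#   traffic vanishes between two points in the rule set.
idle_rules() {
    counter_delta "$1" "$2" |
        awk '$2 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Stand-alone run on the constructed snapshots.
echo "Packet deltas per rule:"
counter_delta "$BEFORE" "$AFTER"
echo "Rules that matched nothing: $(idle_rules "$BEFORE" "$AFTER")"
```

Taking the two snapshots around a single, known burst of traffic (one ping or one TCP connect through the translator) keeps the deltas small enough that a rule that should have matched exactly once stands out; the same before/after diff applies to the packet counters in the nat64lsn stats output the post already mentions.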





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b5b775af-1e39-8a8e-ae95-e66efaf4c318>