From owner-freebsd-questions@FreeBSD.ORG Sun Aug 12 10:41:07 2012
Message-ID: <5027883E.4000305@kukulies.org>
Date: Sun, 12 Aug 2012 12:41:02 +0200
From: "Christoph P.U. Kukulies"
To: freebsd-questions@freebsd.org
References: <20120810120045.C92A91065691@hub.freebsd.org> <20120811171652.I93465@sola.nimnet.asn.au>
In-Reply-To: <20120811171652.I93465@sola.nimnet.asn.au>
Subject: Re: weird problem with 9.0 Release and ed0

On 11.08.2012 09:58, Ian Smith wrote:
> In freebsd-questions Digest, Vol 427, Issue 6, Message: 16
> On Fri, 10 Aug 2012 12:39:36 +0200 "Christoph P.U. Kukulies" wrote:
> > On 10.08.2012 11:40, Christoph P.U. Kukulies wrote:
> > > On 10.08.2012 11:28, Christoph P.U. Kukulies wrote:
> > >> The problem need not to be confined to 9.0. It stated to develop
> > >> under 5.1 already.
> > > read: started to develop...
> > >>
> > >> I'm running a natd gateway machine that was developing strange
> > >> behaviour such that the outside interface (ed0, BNC connector) that
> > >> was connected via a small media converter switch to the provider's
> > >> sync line had dropouts. The machine couldn't ping into the Internet
> > >> and also couldn't be pinged.
> > >>
> > >> I first thought it was the switch/media converter, but another
> > >> (Windows XP) machine that was on the same BNC cable worked
> > >> flawlessly.
>
> That XP box was directly on the outside, not inside nat'd via this one?

Yes, on the same BNC cable/interface.

  --+------------+--80.72.44.x----+---[SWITCH/BNCtoTP]-----INTERNET------
    |            |                |
    80.72.44.228 80.72.44.226     |
    ed0          |                ed0
  FreeBSD 5.1    XP Box           FreeBSD 9.0
  xl0                             em0
    |                             |
  --+-----172.27.x.x-------------+----Intranet------------

> > >> So I decided to migrate that 5.1 machine to a 9.0 machine. The
> > >> situation now is that I have the 9.0 machine at the BNC cable and
> > >> simultaneously the old FreeBSD 5.1 gateway on the same BNC cable but
> > >> through a TP adapter. This way the old machine works fine and I can
> > >> care about the new machine.
>
> Not quite clear .. can you sketch your network configuration?

Hope the ascii art doesn't get garbled.

> > >> Is there a known problem with ed0 cards that have the Realtek 8029
> > >> chipset? Do they need some special flags like memory mapping or irq?
>
> Long time since I've run anything with 10base2/BNC, but it used to work
> ok, on an ed0.
>
> > >> When I for example boot the 9.0 machine the coming up of the em0 (on
> > >> mainboard interface) results in a highlighted kernel message on the
> > >> console. The coming up of the ed0 is not flagged this way. And as a
> > >> result the ed0 interface seems to be dead.
>
> Does the outside interface have a static address, or do you use DHCP
> via the provider's switch/hub/whatever? Show /etc/rc.conf setup. It
> smells a bit like the interface may not be up soon enough at that time;
> the ntpd message below could also indicate something like that re ipv6.

No DHCP in the game. Everything static.

> > >> Here some excerpts of dmesg:
> > >> em0: port 0x4400-0x441f
> > >> mem 0x93100000-0x9311ffff,0x93124000-0x93124fff irq 20 at device 25.0
> > >> on pci0
> > >> em0: Using an MSI interrupt
> > >> em0: Ethernet address: 00:1c:c0:37:b2:9f
> > >>
> > >> ed0: port 0x1000-0x101f irq 22 at device 1.0 on pci7
> > >> ed0: Ethernet address: 00:e0:7d:7c:2b:4a
> > >>
> > >> I also see this:
> > >> Jul 30 23:03:54 forum ntpd[1711]: unable to create socket on ed0 (20)
> > >> for fe80::2e0:7dff:fe7c:2b4a#123
>
> You should get more / better clues if you boot with verbose messages.
>
> > > Forgot to add this info:
> > >
> > > ed0: flags=8843 metric 0 mtu 1500
> > >         ether 00:e0:7d:7c:2b:4a
> > >         inet 80.72.44.230 netmask 0xfffffff0 broadcast 80.72.44.239
> > >         inet6 fe80::2e0:7dff:fe7c:2b4a%ed0 prefixlen 64 scopeid 0xa
> > >         nd6 options=29
> > >         media: Ethernet autoselect (10base2/BNC)
> > >
> > Must add some more info:
> >
> > My kernel config:
> >
> > cpu             I486_CPU
> > cpu             I586_CPU
> > cpu             I686_CPU
> > ident           DIVERT
> >
> > makeoptions     DEBUG=-g        # Build kernel with gdb(1) debug symbols
> > options         IPFIREWALL
> > options         IPFIREWALL_VERBOSE
> > options         IPFIREWALL_VERBOSE_LIMIT=10
> > options         IPDIVERT
> > options         IPFIREWALL_DEFAULT_TO_ACCEPT
> >
> > (the rest like in GENERIC).
>
> Just to mention: you don't actually need to include FIREWALL* or DIVERT
> in kernels these days; a GENERIC kernel will work fine, loading modules
> as needed. Only exception is if you needed FIREWALL_FORWARD, which it
> appears you don't.

Ah, that's good to know.

> > Strange thing:
> >
> > I can ping neither the outside interface address nor the inside
> > (172.27.2.115)

forum2# egrep 'ifconfig|firewall|natd|gateway|ntpd' /etc/rc.conf
### Basic network and firewall/security options: ###
ifconfig_em0=" inet 172.27.2.115 netmask 255.255.0.0"
ifconfig_lo0="inet 127.0.0.1"           # default loopback device configuration.
ifconfig_ed0="inet 87.79.34.230 netmask 0xfffffff0 "
ntpd_enable="NO"
natd_enable="YES"                       # Enable natd (if firewall_enable == YES).
natd_program="/sbin/natd"               # path to natd, if you want a different one.
natd_interface="ed0"                    # Public interface or IPaddress to use.
natd_flags=""                           # Additional flags for natd.
firewall_enable="YES"                   # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"      # Which script to run to set up the firewall
firewall_type="simple"                  # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"                     # Set to YES to suppress rule display
firewall_logging="YES"                  # Set to YES to enable events logging
gateway_enable="YES"

/etc/natd.conf isn't there, but natd is running as /sbin/natd -n ed0

00100 332 117666 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 58395 6512836 allow ip from any to any via em0
00500 0 0 deny ip from 172.27.0.0/16 to any in via ed0
00600 0 0 deny ip from 80.72.44.0/28 to any in via em0
00700 0 0 deny tcp from any to 80.72.44.230 dst-port 3306
00800 0 0 deny tcp from any to 80.72.44.230 dst-port 515
00900 0 0 deny tcp from any to 80.72.44.230 dst-port 139
01000 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 139
01100 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 137
01200 0 0 allow udp from 80.72.44.227 to 80.72.44.230 dst-port 137
01300 0 0 allow udp from 80.72.44.227 to 80.72.44.230 dst-port 138
01400 0 0 deny tcp from any to 172.27.2.115 dst-port 3306
01500 0 0 deny tcp from any to 172.27.2.115 dst-port 515
01600 0 0 deny tcp from any to 172.27.2.115 dst-port 139
01700 0 0 allow tcp from 80.72.44.227 to 172.27.2.115 dst-port 139
01800 0 0 allow tcp from 80.72.44.227 to 172.27.2.115 dst-port 137
01900 0 0 allow udp from 80.72.44.227 to 172.27.2.115 dst-port 137
02000 0 0 allow udp from 80.72.44.227 to 172.27.2.115 dst-port 138
02100 0 0 deny tcp from any to 80.72.44.230 dst-port 587
02200 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
02300 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
02400 0 0 deny ip from any to 10.0.0.0/8 via ed0
02500 0 0 deny ip from any to 172.16.0.0/12 via ed0
02600 0 0 deny ip from any to 192.168.0.0/16 via ed0
02700 0 0 deny ip from any to 0.0.0.0/8 via ed0
02800 0 0 deny ip from any to 169.254.0.0/16 via ed0
02900 0 0 deny ip from any to 192.0.2.0/24 via ed0
03000 6 306 deny ip from any to 224.0.0.0/4 via ed0
03100 0 0 deny ip from any to 240.0.0.0/4 via ed0
03200 5082 354910 divert 8668 ip from any to any via ed0
03300 0 0 allow tcp from any to any established
03400 0 0 allow ip from any to any frag
03500 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 25 setup
03600 3720 240576 allow udp from 80.72.44.230 to any dst-port 53 keep-state
03700 0 0 allow udp from 80.72.44.230 to any dst-port 123 keep-state
03800 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 80 setup
03900 0 0 allow tcp from 199.99.9.163 to 80.72.44.230 dst-port 80 setup
04000 0 0 allow tcp from 199.99.9.247 to 80.72.44.230 dst-port 80 setup
04100 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 22 setup
04200 0 0 allow tcp from 199.99.9.163 to 80.72.44.230 dst-port 22 setup
04300 0 0 allow tcp from 199.99.9.247 to 80.72.44.230 dst-port 22 setup
04400 0 0 allow tcp from any to 172.27.2.115
04500 0 0 deny log logamount 5 tcp from any to any in via ed0 setup
04600 0 0 allow tcp from any to any setup
65535 1367 114702 allow ip from any to any

forum2# netstat -finet -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            80.72.44.225       UGS         0     7440    ed0
80.72.44.224/28    link#10            U           0     2700    ed0
80.72.44.230       link#10            UHS         0        4    lo0
127.0.0.1          link#12            UH          0      160    lo0
172.27.0.0/16      link#1             U           0      722    em0
172.27.2.115       link#1             UHS         0        2    lo0
forum2#

This is the information so far. Pinging the interfaces with their respective
addresses works now. What doesn't work is the pinging of the neighbour
machine (XP) 80.72.44.226, which I can ping from the FreeBSD 5.1 neighbour
machine.

I still can imagine that there is a hardware problem that leads to packet
corruption or something. I will exchange the media converter/switch next.

Thanks a lot.

--
Christoph

> >
> > --
> > Christoph Kukulies
>
> Please show output from:
>
> # egrep 'ifconfig|firewall|natd|gateway|ntpd' /etc/rc.conf
> # cat /etc/natd.conf
> # ipfw show
> # netstat -finet -rn
>
> cheers, Ian
>
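Added example, not code from the thread or from FreeBSD: a small Python audit that parses `ipfw show` output in the format posted above together with the ifconfig_* lines of rc.conf, then reports rule bodies repeated verbatim and destination hosts that no configured interface carries. On the excerpts as posted it flags the identical rules 02200 and 02300, and the host 80.72.44.230, which the rules and the ifconfig output use for ed0 while the rc.conf line assigns 87.79.34.230.

```python
import re
# Constructed excerpts copied from the thread: rc.conf ifconfig_* lines and part of `ipfw show`.
RC_CONF = """\
ifconfig_em0=" inet 172.27.2.115 netmask 255.255.0.0"
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
ifconfig_ed0="inet 87.79.34.230 netmask 0xfffffff0 "
"""
IPFW_SHOW = """\
00700 0 0 deny tcp from any to 80.72.44.230 dst-port 3306
02200 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
02300 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
04400 0 0 allow tcp from any to 172.27.2.115
65535 1367 114702 allow ip from any to any
"""
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")   # rule pkts bytes body
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RC_INET_RE = re.compile(r'ifconfig_(\w+)="\s*inet\s+(' + IPV4 + r")")

def parse_ipfw_show(text):
    """Turn `ipfw show` lines into (number, packets, bytes, body) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)))
    return rules

def rc_conf_addresses(text):
    """Map interface name -> inet address from ifconfig_<if>="inet ..." lines."""
    return {m.group(1): m.group(2) for m in RC_INET_RE.finditer(text)}

def duplicate_rules(rules):
    """(later, earlier) pairs with identical bodies; the later rule can never fire."""
    first_seen = {}
    for num, _, _, body in rules:
        first_seen.setdefault(body, num)
    return [(n, first_seen[b]) for n, _, _, b in rules if first_seen[b] != n]

def destination_hosts(rules):
    """Plain host addresses that follow `to` in a rule body (CIDR ranges skipped)."""
    hosts = set()
    for _, _, _, body in rules:
        tok = body.split()
        for i, t in enumerate(tok[:-1]):
            if t == "to" and re.fullmatch(IPV4, tok[i + 1]):
                hosts.add(tok[i + 1])
    return hosts

def hosts_not_configured(rules, rc_text):
    """Destination hosts the rules protect that no ifconfig_* line in rc.conf assigns."""
    return sorted(destination_hosts(rules) - set(rc_conf_addresses(rc_text).values()))
```

Feed it the full `ipfw show` and rc.conf text from a gateway to get the same two reports for a live ruleset.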