From: Chris <bsd-lists@BSDforge.com>
To: John W. OBrien
Cc: FreeBSD Networking <freebsd-net@freebsd.org>
Subject: Re: NAT64 return traffic vanishes after successful de-alias
Date: Sat, 14 Dec 2019 14:15:29 -0800
Message-Id: <2401399a05f75fa4b78f4d66c67c9e97@udns.ultimatedns.net>
In-Reply-To: <9f3ee846-1357-0b73-cc0f-e001ea74b15c@saltant.com>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>

On Sat, 14 Dec 2019 14:54:26 -0500 John W. OBrien john@saltant.com said

> Hello FreeBSD Networking,
>
> As the subject summarizes, I have a mostly-working NAT64 rig, but return
> traffic is disappearing, and I haven't been able to figure out why. I
> observe the post-translation (4-to-6) packets via ipfwlog0, but a simple
> ipfw counter rule matches nothing.
>
> My attempt to develop a minimum reproducible example failed in the sense
> that I did not reproduce the problem. Of course, this implies that one
> of the many differences between the simplified test (EC2 instance, two
> jails) and the problem rig (physical server, lagg, vlans, other things
> going on) is the cause.
>
> What I am hoping this list can help me with is being smart about what I
> try next. Otherwise, I would probably just try to brute force a solution
> by thinking of ways to permute the config that would rule each possible
> difference in or out.
>
> So far my main troubleshooting tools have been ipfw for its rule
> counters and nat64lsn stats output, netstat to look at fibs, and tcpdump
> pointed at real and diagnostic interfaces. What debugging tools and
> techniques should I employ to do better than brute force?
>
> If it would help, I would gladly share the working, EC2/jail demo
> configs on the list. Sharing the non-working configs I would prefer to
> do privately or not at all.
>
> This is on 12.1-RELEASE.
>
> Thank you,

pf(4) is pretty close to metal, and would probably be a good candidate for
acquiring the type of statistics you're hoping to find; pfctl(8), pfctl -s,
and pfctl -T are a few examples.

HTH

--Chris

>
> --
> John W. O'Brien
> OpenPGP keys:
>     0x33C4D64B895DBF3B
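The thread above leans on ipfw(8) rule counters to find where NAT64 return traffic is lost. One way to make that less of a guessing game is to snapshot `ipfw -a list` before and after a single burst of test traffic and print only the rules whose packet counters moved: rules that stay at zero delta are the ones the translated packets never reached. The script below is an added example and is not code from either poster. It assumes the standard `ipfw -a list` line layout (rule number, packet count, byte count, rule body); the rule set and counter values it is exercised with are constructed sample data, and `NAT64_TEST_HOST` is a hypothetical environment variable used only for the optional live run.

```shell
#!/bin/sh
# Added example, not from the original thread. Compares two ipfw(8)
# per-rule counter snapshots and reports which rules saw traffic.
#
# "ipfw -a list" prints one rule per line in the form:
#   <rule#> <packets> <bytes> <rule body...>

# Print "rule# packets" pairs from an "ipfw -a list" listing on stdin.
counters() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { print $1, $2 }'
}

# counter_delta BEFORE_FILE AFTER_FILE
# Prints "rule# delta rule-body" for every rule whose packet counter
# changed between the two snapshots. Rules that do not appear in the
# output were never matched by the test traffic.
counter_delta() {
    before=$1
    after=$2
    awk '
        # First file: remember the starting packet count per rule.
        NR == FNR { if ($1 ~ /^[0-9]+$/) b[$1] = $2; next }
        # Second file: report rules whose count moved.
        $1 ~ /^[0-9]+$/ {
            d = $2 - (($1 in b) ? b[$1] : 0)
            if (d != 0) {
                body = ""
                for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
                print $1, d, body
            }
        }' "$before" "$after"
}

# Optional live run (needs root and ipfw on the box under test), e.g.
#   NAT64_TEST_HOST=64:ff9b::c000:201 sh nat64-counters.sh
# The address is a constructed example (192.0.2.1 under the well-known
# NAT64 prefix); substitute the IPv6 address your NAT64 rig translates.
if [ -n "${NAT64_TEST_HOST:-}" ] && command -v ipfw >/dev/null 2>&1; then
    before=$(mktemp)
    after=$(mktemp)
    ipfw -a list > "$before"
    ping6 -c 3 "$NAT64_TEST_HOST" >/dev/null 2>&1 || true
    ipfw -a list > "$after"
    counter_delta "$before" "$after"
    rm -f "$before" "$after"
fi
```

Take the two snapshots as close to the test traffic as possible; on a busy rig, unrelated flows will also bump counters, so a dedicated `count` rule keyed to the test address (as the original poster already has) makes the delta easiest to read.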