From owner-freebsd-net@FreeBSD.ORG Mon Sep 27 15:23:30 2004
Date: Mon, 27 Sep 2004 12:22:34 -0300 (ART)
From: gkullak@fi.uba.ar
To: freebsd-net@freebsd.org
Subject: ipnat of ipfilter crash with too many mapping?
Message-ID: <32934.161.190.1.253.1096298554.squirrel@161.190.1.253>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: SquirrelMail/1.4.3a-1

Hi!
I'm running FreeBSD 4.10 with ProFTP, Apache, Tomcat, Samba, Squid, SSH server, MySQL and PostgreSQL. This machine is directly connected to the Internet and is a firewall for an internal LAN. For the firewall I am using ipfilter (ipf and ipnat).

                                                      |-> 172.16.0.2
Internet ---> (200.0.0.1) FreeBSD Box (172.16.0.254)  |
                  fxp0                  fxp1          |-> 172.16.0.3

The problem is that when I run Overnet from 172.16.0.2, the NAT dies. What I mean: FreeBSD runs a transparent proxy to Squid on port 8080. ipnat redirects all requests to outside port 80 to 8080. This works fine, but when I start Overnet the NAT table begins to grow up to 600 mappings!!! The bandwidth of my Internet connection is 512Kbps. If I view the system status (top), the system is normal = 98% idle.

I am really thinking that the ipnat daemon does not work too well for this type of connection, because at my work I have the same schema with more machines in the LAN, but for firewalling I am using "iptables" on a Red Hat Linux 7.3 box with 2 Overnet programs running on different machines, and the connection never dies.

I refer in all cases to "connection", but I don't know if what dies is the connection, the system, the ipnat program or something else. I tried ipnat compiled into the kernel and I tried ipnat loaded as a module in rc.conf (current form). The real thing is that when I stop Overnet and run "ipnat -CF - /etc/ipnat.rules" to flush and reload the NAT rules, the connection runs fast again.

Example: if Overnet is running on 172.16.0.2 and I want to start RealPlayer to listen to a radio channel on 172.16.0.3, I get an error (cannot connect). In this same case, I try to navigate to www.yahoo.com, but I get "Page not found" (remember the transparent proxy uses ipnat to resolve). But in this situation, if I set the browser to use the proxy server in Internet Options, the Yahoo page loads (slowly, but it loads). I know that Overnet uses a lot of the Internet connection's bandwidth, but I am thinking that ipnat does not work very well with this type of load.
As a test I will try putting in a Red Hat Linux box to manage the NAT and see if it works better. Do you have another idea that I can try to resolve the problem? Thanks! Regards.
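Added example, not part of the original message or of ipfilter itself: before swapping the firewall out, the first thing a practitioner would want is to see the NAT session table grow and to know which LAN host is filling it. The POSIX shell functions below parse the session listing that `ipnat -l` prints (the "List of active sessions:" block with MAP/RDR lines), count sessions, break them down per LAN host and raise a flag when a threshold is crossed. The sample listing is constructed and the exact column layout of the MAP/RDR lines is an assumption from memory of ipfilter 3.x output; check it against `ipnat -l` on your own box before relying on the field numbers.

```shell
#!/bin/sh
# Constructed sample of 'ipnat -l' output (assumed layout, not taken from
# the original post).  In real use, pipe 'ipnat -l' into the functions.
SAMPLE='List of active MAP/Redirect filters:
map fxp0 172.16.0.0/24 -> 0/32 portmap tcp/udp 10000:40000
rdr fxp1 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp

List of active sessions:
MAP 172.16.0.2      4662  <- -> 200.0.0.1       10001 [64.1.2.3 4662]
MAP 172.16.0.2      4663  <- -> 200.0.0.1       10002 [64.1.2.4 4662]
MAP 172.16.0.2      4664  <- -> 200.0.0.1       10003 [64.1.2.5 4662]
RDR 127.0.0.1       8080  <- -> 172.16.0.3      1050  [66.94.230.33 80]
'

# Count active NAT sessions: MAP and RDR lines that follow the
# "List of active sessions:" header (the rule list above it is skipped).
count_nat_sessions() {
    awk '/^List of active sessions:/ { insess = 1; next }
         insess && /^(MAP|RDR) / { n++ }
         END { print n + 0 }'
}

# Sessions per LAN host, busiest host first.  On a MAP line the LAN host
# is the second field; on an RDR line (transparent-proxy redirect) it is
# the host after "<- ->", i.e. the sixth field.  Assumed field positions.
sessions_per_host() {
    awk '/^List of active sessions:/ { insess = 1; next }
         insess && /^MAP / { c[$2]++ }
         insess && /^RDR / { c[$6]++ }
         END { for (h in c) print c[h], h }' | sort -rn
}

# Exit 0 when the session count is at or above the threshold given as $1,
# 1 otherwise, so it can drive a cron job or a log line.
nat_table_over_threshold() {
    threshold=$1
    n=$(count_nat_sessions)
    [ "$n" -ge "$threshold" ]
}

# Stand-alone run over the constructed sample.  On a live box replace
# printf '%s\n' "$SAMPLE" with: ipnat -l
printf '%s\n' "$SAMPLE" | sessions_per_host
if printf '%s\n' "$SAMPLE" | nat_table_over_threshold 3; then
    echo "WARNING: NAT session table at or above threshold"
fi
```

Running this from cron every few minutes and logging the per-host line gives a record of when the table climbs towards the 600 mappings described above and which host is responsible, which is the evidence you want before deciding whether the fix belongs in the NAT configuration or in the LAN host.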