From: Ted Wisniewski <ted@ness.plymouth.edu>
Organization: Plymouth State University
To: freebsd-questions@freebsd.org
Cc: Chris Drever
Date: Mon, 19 Nov 2007 14:54:40 -0500
Subject: System Freeze w/ IPNAT
Message-Id: <200711191454.40038.ted@ness.plymouth.edu>

We have a box doing routing and NAT using IPNAT that freezes up after a couple days. We have swapped out the box with a different model and continue to see the same problem. Symptoms are that the machine no longer passes traffic and the console is unresponsive to any keyboard input (not even ctrl-alt-del). What we are doing is just NAT'ing a portion of the network traffic (we want to pass certain areas of the network address space un-modified).

We are pretty certain that our problem has something to do with ipnat because we are using other BSD boxes as routers without issue. We have seen a couple of:

    bge1: watchdog timeout -- resetting
    bge1: link state changed to DOWN
    bge1: link state changed to UP

in the log file that were not present on the first machine because it had a different set of network cards... I mention it only for completeness.

Any help that someone can provide would be appreciated. Additional pertinent info is provided below.

Thanks

Ted

Relevant Kernel Options:

    options IPFILTER          #ipfilter support
    options IPFILTER_LOG      #ipfilter logging
    options IPFILTER_LOOKUP   #ipfilter pools

Relevant rc.conf settings:

    #
    # ROUTING
    #
    router_enable="YES"
    router_flags="-s"
    gateway_enable="YES"
    #
    # Network firewall / NAT (IPF)
    #
    gateway_enable="YES"
    ipfilter_enable="YES"
    ipfilter_flags="-T ipf_nattable_max=500000 -E"
    ipnat_enable="YES"
    ipnat_program="/sbin/ipnat"
    ipnat_rules="/etc/ipnat.rules"
    ipmon_enable="YES"
    ipmon_flags="-Ds -N /dev/ipnat -f /dev/ipl -S /dev/ipstate"

Example rule from /etc/ipnat.rules (we have a number of these based on areas of our network)... Each subnet is associated with a different ip on the outgoing side of the NAT.

    #
    map bge0 192.168.100.0/23 -> 192.168.4.64/32 proxy port ftp ftp/tcp
    map bge0 192.168.100.0/23 -> 192.168.4.64/32 icmpidmap icmp 60000:65535
    map bge0 192.168.100.0/23 -> 192.168.4.64/32 portmap tcp/udp 42000:65535
    #

Background info:

    FreeBSD 6.2 pl-8
    Using Dell Poweredge 860
    1 Gig RAM
    Dual - Broadcom BCM5750 B1, ASIC rev. 0x4101  Latest Firmware
    First Interface (bge0): with 11 IP's (1 for host with 10 aliases for NAT)
        operating at media: Ethernet autoselect (1000baseTX )
    Second interface (bge1): with one IP
        operating at media: Ethernet autoselect (1000baseTX )
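The ipnat.rules fragment above is one of several `map` blocks, each tying a source subnet to its own outbound alias. The following is an added example, not part of the original post and not ipfilter's own code: a small Python parser for the three `map` rule forms that appear in the post (`portmap`, `icmpidmap`, `proxy port`), with the sanity checks a reviewer of such a rule set would want before loading it: that every target is a single host, that no two source subnets overlap while mapping to different outbound addresses, that port ranges are in order, and how many distinct translated ports each outbound alias can hand out (the post's `42000:65535` range gives 23536 per protocol). The sample rule set is constructed; the fourth line with `192.168.102.0/24` and `192.168.4.65` is an invented second subnet to exercise the overlap check, not from the post.

```python
"""Parse and sanity-check ipnat(5) ``map`` rules of the kind quoted in the post.

Constructed example, not from the original post or from the ipfilter project.
Only the rule forms that appear in the post are handled: ``portmap``,
``icmpidmap`` and ``proxy port``.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample rules: the three lines quoted in the post plus an invented
# second subnet with its own outbound alias (the post says there are several).
SAMPLE_RULES = """\
#
map bge0 192.168.100.0/23 -> 192.168.4.64/32 proxy port ftp ftp/tcp
map bge0 192.168.100.0/23 -> 192.168.4.64/32 icmpidmap icmp 60000:65535
map bge0 192.168.100.0/23 -> 192.168.4.64/32 portmap tcp/udp 42000:65535
map bge0 192.168.102.0/24 -> 192.168.4.65/32 portmap tcp/udp 42000:65535
#
"""

RULE_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+(?P<kind>portmap|icmpidmap|proxy)\s+(?P<rest>.*))?$"
)


@dataclass
class MapRule:
    ifname: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    kind: Optional[str]        # portmap / icmpidmap / proxy / None
    protos: tuple              # e.g. ("tcp", "udp"), ("icmp",) or ()
    port_lo: Optional[int]
    port_hi: Optional[int]

    def distinct_ports(self) -> int:
        """Size of the port (or ICMP id) pool this rule can hand out, per protocol."""
        if self.port_lo is None:
            return 0
        return self.port_hi - self.port_lo + 1


def parse_rule(line: str) -> Optional[MapRule]:
    """Return a MapRule for a ``map`` line, None for blank or comment lines.

    Raises ValueError for malformed rules so a bad file is caught before load.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    src = ipaddress.ip_network(m["src"], strict=False)
    dst = ipaddress.ip_network(m["dst"], strict=False)
    kind, rest = m["kind"], (m["rest"] or "").split()
    protos, lo, hi = (), None, None
    if kind in ("portmap", "icmpidmap"):
        # "tcp/udp 42000:65535" or "icmp 60000:65535"
        if len(rest) != 2 or ":" not in rest[1]:
            raise ValueError(f"bad {kind} spec: {line!r}")
        protos = tuple(rest[0].split("/"))
        lo, hi = (int(x) for x in rest[1].split(":"))
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"range out of order or out of bounds: {line!r}")
    elif kind == "proxy":
        # "port ftp ftp/tcp": keep only the transport protocol
        if len(rest) != 3 or rest[0] != "port":
            raise ValueError(f"bad proxy spec: {line!r}")
        protos = (rest[2].split("/")[-1],)
    return MapRule(m["ifname"], src, dst, kind, protos, lo, hi)


def parse_rules(text: str) -> list:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r is not None]


def check_rules(rules: list) -> list:
    """Human-readable findings: non-host targets, and overlapping source
    subnets whose portmap rules send traffic out of different addresses."""
    findings = []
    for r in rules:
        if r.dst.prefixlen != 32:
            findings.append(f"{r.src}: target {r.dst} is not a single host")
    portmaps = [r for r in rules if r.kind == "portmap"]
    for i, a in enumerate(portmaps):
        for b in portmaps[i + 1:]:
            if a.src.overlaps(b.src) and a.dst != b.dst:
                findings.append(f"{a.src} and {b.src} overlap but map to {a.dst} / {b.dst}")
    return findings


def port_budget(rules: list) -> dict:
    """Distinct translated ports available per outbound address, summed over the
    protocols each portmap rule names.  This caps how many ports one alias can
    have in translation at once, independent of ipf_nattable_max."""
    budget = {}
    for r in rules:
        if r.kind == "portmap":
            key = str(r.dst.network_address)
            budget[key] = budget.get(key, 0) + r.distinct_ports() * len(r.protos)
    return budget


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for f in check_rules(rules):
        print("WARN:", f)
    for addr, n in port_budget(rules).items():
        print(f"{addr}: {n} distinct translated ports available")
```

Run it against a copy of /etc/ipnat.rules before loading; a malformed line raises rather than being silently skipped. The port budget is a per-alias ceiling on distinct translated ports, which is a different limit from the NAT table size set by `ipf_nattable_max` in the rc.conf above, so both are worth knowing when sizing a box that fronts many hosts.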