From: Jukka Ukkonen <jau@oxit.fi>
To: ipfw@freebsd.org
Subject: kernel NAT with ipfw failing
Date: Tue, 26 Mar 2013 17:28:41 +0200
Message-ID: <5151BEA9.2080907@oxit.fi>
List-Id: IPFW Technical Discussions

Hello,

Does anyone have a confirmed working example (one that is in daily active use) of the ipfw NAT inside the kernel?

I have been trying to create a 1-to-1 static NAT between a small intranet and the corresponding external addresses. This keeps persistently failing, and whatever I do, the intranet addresses are being leaked out of the external NIC.
I am starting to suspect there is something going seriously wrong with the NAT implementation in ipfw. All the necessary kernel modules should be loaded...

     9    1 0xffffffff81a30000 79a0     if_tap.ko
    10    4 0xffffffff81a38000 1ad58    ipfw.ko
    11    2 0xffffffff81a53000 6aa8     bridgestp.ko
    12    1 0xffffffff81a5a000 e620     if_bridge.ko
    ...
    51    2 0xffffffff81ebe000 14510    libalias.ko
    52    1 0xffffffff81ed3000 4118     ipfw_nat.ko
    53    1 0xffffffff81ed8000 4c60     ipdivert.ko
    54    1 0xffffffff81edd000 15aa0    dummynet.ko

Checksum offloading has been turned off on both interfaces, internal and external (em0, em1).

The output from 'uname -a' is...

    FreeBSD sleipnir 9.1-STABLE FreeBSD 9.1-STABLE #0 r248699M: Mon Mar 25 12:26:33 EET 2013 root@sleipnir:/usr/obj/usr/src/sys/Sleipnir amd64

The only real difference between the GENERIC kernel and my own custom kernel is the setting...

    options ROUTETABLES=4

Could this break the NAT implementation?

I have previously done similar things using divert sockets and natd. They have always worked just fine, except that they have maybe wasted some time and resources bouncing back and forth between the kernel and user space. So, this has been a very surprising experience.

What should I try next?

Cheers,
--jau
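As an added example (not from the original post and not FreeBSD project code), here is a minimal in-kernel ipfw ruleset doing the kind of static 1:1 NAT the post describes. The interface name em0 as the external NIC, the 10.0.0.0/24 intranet, the 203.0.113.0/24 public addresses and the rule numbers are assumptions. The point worth checking against a setup that leaks intranet addresses is rule order: the nat rule has to be reached before anything that accepts traffic on the external interface, and the deny-with-log rule right after it makes an untranslated packet visible instead of letting it out.

```shell
#!/bin/sh
# Added example, not the poster's configuration: a minimal in-kernel ipfw
# ruleset for static 1:1 NAT. Interface names, address ranges and rule
# numbers below are assumptions; change them to match the real network.
set -eu

IPFW="${IPFW:-/sbin/ipfw}"
DRY_RUN="${DRY_RUN:-0}"              # 1 = print the commands, do not run them

EXT_IF="${EXT_IF:-em0}"              # external NIC (assumed)
INT_NET="${INT_NET:-10.0.0.0/24}"    # intranet prefix (assumed)

# Constructed sample mapping, one "internal_address public_address" per line.
MAP="10.0.0.10 203.0.113.10
10.0.0.11 203.0.113.11"

fw() {
    # Print every ipfw command so the ruleset can be reviewed, then run it
    # unless DRY_RUN is set.
    printf '%s %s\n' "$IPFW" "$*"
    [ "$DRY_RUN" = 1 ] || "$IPFW" "$@"
}

nat_config() {
    # Build the "nat 1 config" command from MAP. Each redirect_addr pair is a
    # static 1:1 translation in both directions; same_ports keeps source ports
    # unchanged; deny_in drops inbound packets that match no mapping.
    pairs=$(echo "$MAP" | while read -r inner outer; do
        [ -n "$inner" ] || continue
        printf ' redirect_addr %s %s' "$inner" "$outer"
    done)
    printf 'nat 1 config if %s same_ports deny_in%s\n' "$EXT_IF" "$pairs"
}

load_ruleset() {
    # Replace the whole ruleset; assumes this script owns the firewall.
    fw -q -f flush
    # Word splitting of the built command is intended here.
    fw -q $(nat_config)
    fw -q add 100 allow ip from any to any via lo0
    # The nat rule must come before any rule that could accept traffic on
    # EXT_IF. With net.inet.ip.fw.one_pass=1 (the default) a packet matching
    # an earlier allow, or a check-state hitting a dynamic rule, stops there
    # and leaves with its intranet address untouched.
    fw -q add 200 nat 1 ip from any to any via "$EXT_IF"
    # Leak guard: a packet that still carries an intranet source address at
    # this point was not translated. Log it (needs net.inet.ip.fw.verbose=1)
    # and drop it rather than let it out.
    fw -q add 210 deny log ip from "$INT_NET" to any out xmit "$EXT_IF"
    fw -q add 300 allow ip from any to any
}

case "${1:-}" in
    apply) load_ruleset ;;
    show)  DRY_RUN=1; load_ruleset ;;
esac
```

Run `sh nat.sh show` to print the ruleset without touching the kernel and `sh nat.sh apply` to load it. To see whether packets reach the nat rule at all, watch the counters in `ipfw -a list` while generating traffic and check the mappings libalias holds with `ipfw nat 1 show config`. A rising counter on rule 210 (with log lines under the security syslog facility once net.inet.ip.fw.verbose is 1) means packets passed the nat rule untranslated; no movement on rule 200 means an earlier rule is accepting them first, or the packets leave through an interface other than the one named in `via`. ROUTETABLES=4 only enables additional FIBs and should not by itself change what ipfw_nat does, but a setfib rule that sends traffic into a FIB whose default route exits by a different interface would bypass a nat rule bound to em0.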