Date:      Wed, 7 Dec 2022 16:33:47 +0200
From:      John Hay <john@sanren.ac.za>
To:        ipfw@freebsd.org
Subject:   ipfw nat and smaller wan mtu
Message-ID:  <CAGv8uap=f5_63b-F8AZsaP0ZW9GDuF5p56yojcY2%2BVSB9=x6gw@mail.gmail.com>

Hi,

What would the proper ipfw rules be to make nat work and properly get the
icmp too big packets back to a local host if the wan interface needs a
smaller mtu?

I'm using a FreeBSD machine as router/firewall, but its wan interface needs
a smaller mtu (1392) than the default ethernet mtu. I have replicated this
in a VM so I can test it. My simplified ipfw rules make it work for packets
that are smaller than the wan mtu:

#####
net.inet.ip.fw.one_pass=0
net.inet.ip.fw.verbose=1
#####
fwcmd="/sbin/ipfw -q"
wan="vtnet0"
lan="vtnet1"
${fwcmd} nat 123 config if ${wan} log
${fwcmd} add 1000 count log all from any to any
${fwcmd} add 5000 nat 123 ip4 from any to any via ${wan}
${fwcmd} add 6000 allow log all from any to any
#####
The wan ip of the firewall is 10.10.2.2 and the ip address of the host (on
the lan side) I'm testing from is 10.10.1.3. And I did a ping to 10.10.5.5,
which is on the other side of the wan interface.

This works for packets smaller than the wan mtu. But if the packet is
larger than the wan mtu, the icmp too big is generated, but with 127.0.0.1
as the source and the wan ip as the destination and then sent via lo0 and
it looks like this in the ipfw log:

Dec  7 13:24:59 rtr kernel: ipfw: 1000 Count ICMP:3.4 127.0.0.1 10.10.2.2 out via lo0

So I added a nat ipfw rule to catch that:

${fwcmd} add 5050 nat 123 ip4 from any to not 127.0.0.1 via lo0

That helped partly because it was then able to recover the address of the
host I was testing from and tried to send the packet out on the correct
interface (vtnet1). Unfortunately it still had the source address of
127.0.0.1, which means it did not actually make it to the wire:

######
Dec  7 14:17:31 rtr kernel: ipfw: 1000 Count ICMP:8.0 10.10.1.3 10.10.5.5 in via vtnet1
Dec  7 14:17:31 rtr kernel: ipfw: 6000 Accept ICMP:8.0 10.10.1.3 10.10.5.5 in via vtnet1
Dec  7 14:17:31 rtr kernel: ipfw: 1000 Count ICMP:8.0 10.10.1.3 10.10.5.5 out via vtnet0
Dec  7 14:17:31 rtr kernel: ipfw: 6000 Accept ICMP:8.0 10.10.2.2 10.10.5.5 out via vtnet0
Dec  7 14:17:31 rtr kernel: ipfw: 1000 Count ICMP:3.4 127.0.0.1 10.10.2.2 out via lo0
Dec  7 14:17:31 rtr kernel: ipfw: 6000 Accept ICMP:3.4 127.0.0.1 10.10.2.2 out via lo0
Dec  7 14:17:31 rtr kernel: ipfw: 1000 Count ICMP:3.4 127.0.0.1 10.10.2.2 in via lo0
Dec  7 14:17:31 rtr kernel: ipfw: 6000 Accept ICMP:3.4 127.0.0.1 10.10.1.3 in via lo0
Dec  7 14:17:31 rtr kernel: ipfw: 1000 Count ICMP:3.4 127.0.0.1 10.10.1.3 out via vtnet1
Dec  7 14:17:31 rtr kernel: ipfw: 6000 Accept ICMP:3.4 127.0.0.1 10.10.1.3 out via vtnet1
######

Once I have this sorted, there seems to be a similar problem with nptv6.

Regards

John

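As an added example (not part of John's post, and not ipfw's own code), a small Python parser for the ipfw verbose log lines quoted above: it traces the ICMP type 3 code 4 (fragmentation needed) message through the rule hits and flags the failure the post describes, the message leaving a non-loopback interface with a 127.0.0.1 source. The regex for the log line shape is an assumption drawn from the quoted lines, not ipfw's formal log grammar.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape of net.inet.ip.fw.verbose=1 lines as quoted in the post (assumed, not a formal grammar).
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z0-9]+)"
    r"(?::(?P<itype>\d+)\.(?P<icode>\d+))? "
    r"(?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Named fields of one ipfw log line, or None when the line is not an ipfw entry."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def trace_icmp(lines: List[str], itype: int, icode: int) -> List[Tuple[int, str, str, str, str]]:
    """Every rule hit for ICMP itype.icode, in log order, as (rule, src, dst, dir, iface)."""
    hops = []
    for line in lines:
        e = parse_line(line)
        if e and e["proto"] == "ICMP" and e["itype"] == str(itype) and e["icode"] == str(icode):
            hops.append((int(e["rule"]), e["src"], e["dst"], e["dir"], e["iface"]))
    return hops

def stranded_too_big(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """ICMP 3.4 hits leaving a non-loopback interface with a 127/8 source: such a
    packet cannot reach the wire, so the LAN host never learns the path MTU."""
    return [(rule, src, dst, iface)
            for rule, src, dst, d, iface in trace_icmp(lines, 3, 4)
            if d == "out" and iface != "lo0" and src.startswith("127.")]

# Log lines quoted from the post (the run with rule 5050 in place).
SAMPLE_LOG = """\
Dec  7 14:17:31 rtr kernel: ipfw: 1000 Count ICMP:8.0 10.10.1.3 10.10.5.5 out via vtnet0
Dec  7 14:17:31 rtr kernel: ipfw: 6000 Accept ICMP:8.0 10.10.2.2 10.10.5.5 out via vtnet0
Dec  7 14:17:31 rtr kernel: ipfw: 1000 Count ICMP:3.4 127.0.0.1 10.10.2.2 out via lo0
Dec  7 14:17:31 rtr kernel: ipfw: 6000 Accept ICMP:3.4 127.0.0.1 10.10.2.2 out via lo0
Dec  7 14:17:31 rtr kernel: ipfw: 1000 Count ICMP:3.4 127.0.0.1 10.10.2.2 in via lo0
Dec  7 14:17:31 rtr kernel: ipfw: 6000 Accept ICMP:3.4 127.0.0.1 10.10.1.3 in via lo0
Dec  7 14:17:31 rtr kernel: ipfw: 1000 Count ICMP:3.4 127.0.0.1 10.10.1.3 out via vtnet1
Dec  7 14:17:31 rtr kernel: ipfw: 6000 Accept ICMP:3.4 127.0.0.1 10.10.1.3 out via vtnet1
"""

if __name__ == "__main__":
    for hop in trace_icmp(SAMPLE_LOG.splitlines(), 3, 4):
        print(hop)  # shows dst rewritten by nat at rule 6000 on lo0 while src stays 127.0.0.1
    print("stranded:", stranded_too_big(SAMPLE_LOG.splitlines()))
```

The trace makes the NAT behaviour visible: the destination changes from 10.10.2.2 to 10.10.1.3 on lo0, but the source is never rewritten, which is why the last two hits on vtnet1 are reported as stranded.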
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGv8uap=f5_63b-F8AZsaP0ZW9GDuF5p56yojcY2%2BVSB9=x6gw>