From: "Ronald Klop"
To: freebsd-stable@freebsd.org
Subject: Re: IPFW fwd not working after upgrade from 9.2 to 10.0
Date: Thu, 06 Feb 2014 09:35:09 +0100
In-Reply-To: <8C9CDEF4-A44A-4207-BB87-DA3E7CF89917@jnielsen.net>

On Thu, 06 Feb 2014 01:08:24 +0100, John Nielsen wrote:

> I have been using IPFW FWD to do per-interface routing on a VM instance.
> The default gateway is on interface vtnet0, but there is a second
> interface, vtnet1, on a different network with its own public IP
> address. The second network has its own gateway, which I'd like to use
> for responses to connections coming in on vtnet1. Under 9.2, the below
> worked fine:
>
> fwd ${GW2} ip from ${PUBIP2} to not table(120) out via vtnet0
>
> Table 120 contains all the local networks for which I don't want the
> rule to apply.
>
> I updated the VM to 10.0-RELEASE, with no changes to the IPFW rules or
> network configuration. The forwarding to the secondary router no longer
> works. Traffic comes in on ${PUBIP2} fine, and the counter for the IPFW
> rule increments, but no packets are actually sent out vtnet1. Instead,
> it's trying to do a weird ARP query:
>
> # tcpdump -n -p -i vtnet1
> ...
> 16:46:33.146324 IP ${OUTSIDE_IP}.55063 > ${PUBIP2}.22: Flags [S], seq 2242981455, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 1978614336 ecr 0,sackOK,eol], length 0
> 16:46:33.146372 ARP, Request who-has ${GW1} tell ${PUBIP2}, length 28
>
> If I try to SSH from an outside IP to the public IP on vtnet1, a
> response never goes out either interface (vtnet0 or vtnet1). Instead, an
> ARP query is going out (on vtnet1) looking for the default gateway IP,
> which is only reachable on vtnet0.
>
> On the off chance this is not a bug, is there a better way I should be
> doing per-interface routing under FreeBSD 10? If it is a bug, can anyone
> suggest what might be going on here and how to track it down further?
>
> Thanks,
>
> JN

The errata of FreeBSD 10.0 mentions ipfw fwd.
http://www.freebsd.org/releases/10.0R/errata.html

Ronald.
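The symptom John describes is easy to spot by eye in a two-line capture but easy to miss in a long one: an ARP request going out on vtnet1 for an address that only exists on vtnet0. The following script, added here as an example and not part of the thread or of FreeBSD, scans `tcpdump -n` output captured on a named interface and flags every ARP request whose target is outside that interface's subnet, reporting which interface actually owns the target. The interface layout and the addresses are assumptions: RFC 5737 documentation addresses stand in for the thread's ${GW1}, ${GW2}, ${PUBIP2} and ${OUTSIDE_IP} placeholders, and the sample capture is constructed to match the quoted lines.

```python
import ipaddress
import re

# Constructed sample in the format of `tcpdump -n` as quoted in the thread.
# RFC 5737 documentation addresses stand in for the thread's placeholders:
#   ${OUTSIDE_IP} -> 198.51.100.7, ${PUBIP2} -> 203.0.113.20,
#   ${GW1} (default gateway, on vtnet0) -> 192.0.2.1, ${GW2} -> 203.0.113.1
SAMPLE_TCPDUMP = """\
16:46:33.146324 IP 198.51.100.7.55063 > 203.0.113.20.22: Flags [S], seq 2242981455, win 65535, length 0
16:46:33.146372 ARP, Request who-has 192.0.2.1 tell 203.0.113.20, length 28
16:46:34.000153 ARP, Request who-has 203.0.113.1 tell 203.0.113.20, length 28
16:46:34.000201 ARP, Reply 203.0.113.1 is-at 02:00:00:00:00:01, length 28
"""

# Hypothetical interface layout mirroring the thread: vtnet0 carries the
# default gateway, vtnet1 carries the second public address and its gateway.
INTERFACES = {
    "vtnet0": ipaddress.ip_network("192.0.2.0/24"),
    "vtnet1": ipaddress.ip_network("203.0.113.0/24"),
}

# Matches only ARP *requests*; TCP lines, ARP replies and "..." are ignored.
ARP_REQUEST = re.compile(
    r"^(?P<ts>\S+) ARP, Request who-has (?P<target>\S+) tell (?P<sender>\S+), length \d+$"
)


def owning_iface(address, interfaces=INTERFACES):
    """Name of the interface whose subnet contains `address`, or None."""
    ip = ipaddress.ip_address(address)
    for name, net in interfaces.items():
        if ip in net:
            return name
    return None


def misdirected_arp_requests(tcpdump_text, capture_iface, interfaces=INTERFACES):
    """Scan `tcpdump -n` output captured on `capture_iface` and return one
    record per ARP request whose target is not on that interface's subnet.

    This is the symptom from the thread: once the fwd rule stopped taking
    effect, vtnet1 started asking for the default gateway that is only
    reachable via vtnet0. Each record names the interface that actually
    owns the target so the misrouting is visible at a glance."""
    local_net = interfaces[capture_iface]
    findings = []
    for line in tcpdump_text.splitlines():
        m = ARP_REQUEST.match(line)
        if m is None:
            continue
        target = ipaddress.ip_address(m["target"])
        if target in local_net:
            continue  # ordinary ARP for a neighbour on this link
        findings.append({
            "time": m["ts"],
            "sender": m["sender"],
            "target": m["target"],
            "expected_iface": owning_iface(m["target"], interfaces),
        })
    return findings


if __name__ == "__main__":
    for f in misdirected_arp_requests(SAMPLE_TCPDUMP, "vtnet1"):
        print(f"{f['time']} {f['sender']} asked vtnet1 for {f['target']}, "
              f"which lives on {f['expected_iface']}")
```

Run against a real capture with `tcpdump -n -p -i vtnet1 arp`, piped into the script, the only lines it reports are ARP requests that the routing table should never have produced on that link; a clean ruleset yields an empty list, and the thread's failure mode yields one record per attempted reply.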