Date:      Tue, 30 Mar 1999 18:50:25 -0500 (EST)
From:      Troy Settle <rewt@i-Plus.net>
To:        "(ML) FreeBSD ISP" <freebsd-isp@freebsd.org>
Subject:   IPFW - NATD Weirdness
Message-ID:  <Pine.BSF.4.10.9903301819020.17275-100000@buggy.i-plus.net>



Hey all,

I'm running natd on a 2.2-STABLE server, which lives on a network along
with a Cisco 2501 and 3 Ascend 4048s.

The network config is as follows:

	209.100.20.96/27
	 209.100.20.97 - Cisco - Default route
	 209.100.20.99 - 4048
	 209.100.20.100 - 4048
	 209.100.20.101 - 4048
	 209.100.20.126 - FreeBSD box with natd
	209.100.20.127 - Broadcast

Coming off the FreeBSD box on ed2 is a customer network (10.10.100.0/24).

# ifconfig -a
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 209.100.20.126 netmask 0xffffffe0 broadcast 209.100.20.127
        ether 00:60:67:65:b0:30
ed2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.10.100.1 netmask 0xffffff00 broadcast 10.10.100.255
        ether 00:60:67:4e:23:b2

natd is running bare:  natd -n ed1

Everything works fine until I add the ipfw rules to enable network address
translation:

	ipfw add 00100 pass all from any to any via lo0
	ipfw add 00200 deny all from any to 127.0.0.0/8
	ipfw add 00300 divert natd all from any to any via ed1
	ipfw add 65535 allow ip from any to any


At this time, the FreeBSD box starts interfering with the traffic destined
for 209.100.20.101, making it impossible for anyone dialed up to that box
to use the network.  For example:

	PING p3.i-plus.net (209.100.20.101): 56 data bytes
	64 bytes from 209.100.20.101: icmp_seq=0 ttl=253 time=9.875 ms
	64 bytes from 209.100.20.126: icmp_seq=0 ttl=252 time=9.962 ms (DUP!)
	64 bytes from 209.100.20.101: icmp_seq=1 ttl=253 time=8.369 ms
	64 bytes from 209.100.20.126: icmp_seq=1 ttl=252 time=8.456 ms (DUP!)


I have no explanation for this behavior, though I can duplicate it from 
outside my network.

I've double checked all my configurations, from end to end, and everything
looks good, from subnets to routes.

And, just to repeat myself, this behavior only presents itself when I have
a divert in my ipfw config.



Thanks in advance,

--
  Troy Settle <st@i-Plus.net>
  Network Administrator, iPlus Internet Services
  http://www.i-Plus.net
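The symptom in the post is a second host (the natd box at .126) answering echo requests addressed to .101, one TTL lower than the real reply. The following added example (not from the post or from FreeBSD) parses BSD ping(8) output and reports every responder that does not own the target address, so the same check can be run on any ping transcript when a NAT or divert rule is suspected of hijacking a neighbour's traffic.

```python
import re
from collections import defaultdict

# One reply line of BSD ping(8), e.g.
# "64 bytes from 209.100.20.126: icmp_seq=1 ttl=252 time=8.456 ms (DUP!)"
REPLY_RE = re.compile(
    r"^\s*(?P<bytes>\d+) bytes from (?P<src>[\d.]+): icmp_seq=(?P<seq>\d+) "
    r"ttl=(?P<ttl>\d+) time=(?P<time>[\d.]+) ms(?P<dup>\s+\(DUP!\))?"
)
# Header line: "PING p3.i-plus.net (209.100.20.101): 56 data bytes"
HEADER_RE = re.compile(r"^\s*PING \S+ \((?P<target>[\d.]+)\)")


def parse_ping(text):
    """Return (target_ip, replies); replies is one dict per reply line."""
    target, replies = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group("target")
            continue
        m = REPLY_RE.match(line)
        if m:
            replies.append({
                "src": m.group("src"),
                "seq": int(m.group("seq")),
                "ttl": int(m.group("ttl")),
                "dup": m.group("dup") is not None,
            })
    return target, replies


def foreign_responders(text):
    """Map each host that answered for an address it does not own to the
    icmp_seq values it answered. An empty dict means nobody is interfering."""
    target, replies = parse_ping(text)
    hits = defaultdict(list)
    for r in replies:
        if r["src"] != target:
            hits[r["src"]].append(r["seq"])
    return target, dict(hits)


# Ping transcript quoted in the post above (tabs removed).
SAMPLE = """\
PING p3.i-plus.net (209.100.20.101): 56 data bytes
64 bytes from 209.100.20.101: icmp_seq=0 ttl=253 time=9.875 ms
64 bytes from 209.100.20.126: icmp_seq=0 ttl=252 time=9.962 ms (DUP!)
64 bytes from 209.100.20.101: icmp_seq=1 ttl=253 time=8.369 ms
64 bytes from 209.100.20.126: icmp_seq=1 ttl=252 time=8.456 ms (DUP!)
"""

if __name__ == "__main__":
    target, hits = foreign_responders(SAMPLE)
    for host, seqs in hits.items():
        print(f"{host} answered echo requests addressed to {target}: seq {seqs}")
```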
