From owner-freebsd-questions@freebsd.org Sat Apr 18 20:44:35 2020
Subject: Re: Changes To nat-ing Behaviour?
To: FreeBSD Mailing List
From: Tim Daneliuk
Date: Sat, 18 Apr 2020 15:43:10 -0500
Message-ID: <9d6062cb-a6b6-ec59-afe4-ba8041cd01ce@tundraware.com>
References: <0e61aeb7-03ff-6016-3f23-1b00630b4af6@tundraware.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
On 4/18/20 12:51 PM, Michael Sierchio wrote:
> Showing your ruleset would allow us to comment meaningfully.

Not sure exactly which ruleset but ...

Here are the kernel opts:

    options IPFIREWALL
    options IPDIVERT

Here is the natd.conf:

    use_sockets
    port natd
    same_ports
    unregistered_only

This is the ruleset in the firewall up to the point NAT gets enabled.
re0 is outward facing, em0 is internal LAN:

    0001     4    715 allow icmp from any to any icmptypes 0,3,4,8,11,12
    00100   24   1958 allow ip from any to any via lo0
    00200    0      0 deny ip from any to 127.0.0.0/8
    00300    0      0 deny ip from 127.0.0.0/8 to any
    00400    0      0 deny ip from 192.168.0.0/24 to any in via re0
    00500    0      0 deny ip from 75.145.138.73 to any in via em0
    00600    0      0 deny ip from any to 10.0.0.0/8 via re0
    00700    0      0 deny ip from any to 172.16.0.0/12 via re0
    00800    0      0 deny ip from any to 192.168.0.0/16 via re0
    00900    0      0 deny ip from any to 0.0.0.0/8 via re0
    01000    0      0 deny ip from any to 169.254.0.0/16 via re0
    01100    0      0 deny ip from any to 192.0.2.0/24 via re0
    01200    1     32 deny ip from any to 224.0.0.0/4 via re0
    01300    0      0 deny ip from any to 240.0.0.0/4 via re0
    01400 1011  97774 divert 8668 ip from any to any via re0

As I said, these rules have not changed for an eternity so not sure what
is going on here.

> On Sat, Apr 18, 2020 at 10:19 AM Tim Daneliuk wrote:
>
>> I recently upgraded a FBSD 11.3 machine to -STABLE as of a few weeks ago.
>>
>> This machine acts as a firewall and nats between the outside world
>> and an internal nonroutable network.
>>
>> Configuration is stable and has not changed in years.
>>
>> Today I noted that speeds on the LAN side are about half of what is
>> available going out to the internet.
>>
>> I eliminated cables, interfaces, and switches and confirmed that - even if
>> I plug a machine directly into the FBSD nat box, I get half the speed that
>> box gets out to the net.
>>
>> I'm at a loss since I've changed nothing in the config.
>>
>> Ideas would be most appreciated.
>>
>> TIA,
>> --
>>
>> ----------------------------------------------------------------------------
>> Tim Daneliuk     tundra@tundraware.com
>> PGP Key:         http://www.tundraware.com/PGP/
>

--
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
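Editor's added example (not part of the thread): a first-match walk over the ruleset Tim posted, in the `ipfw -a list` layout he pasted (rule, packets, bytes, body), so a reader can see which of those rules a given packet hits before it reaches the natd divert. It assumes ipfw's top-to-bottom first-match evaluation and that a bare `via` matches both directions; the test packets are constructed.

```python
# Added example: first-match walk of the ipfw ruleset quoted in this thread.
import ipaddress
import re

RULESET = """\
0001 4 715 allow icmp from any to any icmptypes 0,3,4,8,11,12
00100 24 1958 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from 192.168.0.0/24 to any in via re0
00500 0 0 deny ip from 75.145.138.73 to any in via em0
00600 0 0 deny ip from any to 10.0.0.0/8 via re0
00700 0 0 deny ip from any to 172.16.0.0/12 via re0
00800 0 0 deny ip from any to 192.168.0.0/16 via re0
00900 0 0 deny ip from any to 0.0.0.0/8 via re0
01000 0 0 deny ip from any to 169.254.0.0/16 via re0
01100 0 0 deny ip from any to 192.0.2.0/24 via re0
01200 1 32 deny ip from any to 224.0.0.0/4 via re0
01300 0 0 deny ip from any to 240.0.0.0/4 via re0
01400 1011 97774 divert 8668 ip from any to any via re0
"""

# rule, pkts, bytes, action, proto, src, dst, optional icmptypes / direction / iface
RULE_RE = re.compile(
    r"(?P<num>\d+)\s+\d+\s+\d+\s+(?P<action>allow|deny|divert \d+)\s+(?P<proto>\w+)"
    r" from (?P<src>\S+) to (?P<dst>\S+)(?: icmptypes (?P<types>[\d,]+))?"
    r"(?: (?P<dir>in|out))?(?: via (?P<iface>\w+))?$")

def parse(text):
    """Rules in listing order; ipfw evaluates them top to bottom, first match wins."""
    return [RULE_RE.match(l).groupdict() for l in text.splitlines() if l.strip()]

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    """pkt: dict with proto, src, dst, dir ('in'/'out'), iface and optional icmptype."""
    types = rule["types"] and {int(t) for t in rule["types"].split(",")}
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_match(rule["src"], pkt["src"])
            and addr_match(rule["dst"], pkt["dst"])
            and (not types or pkt.get("icmptype") in types)
            and rule["dir"] in (None, pkt["dir"])      # bare 'via' = either direction
            and rule["iface"] in (None, pkt["iface"]))

def first_match(pkt, text=RULESET):
    """(rule number, action) of the first hit, or None if the packet falls
    through to the rules after 01400, which the post does not show."""
    for rule in parse(text):
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    return None
```

Note that a LAN-to-LAN packet on em0 matches none of the posted rules and is decided by whatever follows 01400, while only re0 traffic is handed to natd.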