Date: Sat, 18 Apr 2020 15:43:10 -0500
From: Tim Daneliuk <tundra@tundraware.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Changes To nat-ing Behaviour?
Message-ID: <9d6062cb-a6b6-ec59-afe4-ba8041cd01ce@tundraware.com>
In-Reply-To: <CAHu1Y718o3zKPwYi2=GLAOwf-pkdB15Wsd1jO5nPZ=BCfH-B-Q@mail.gmail.com>
References: <0e61aeb7-03ff-6016-3f23-1b00630b4af6@tundraware.com> <CAHu1Y718o3zKPwYi2=GLAOwf-pkdB15Wsd1jO5nPZ=BCfH-B-Q@mail.gmail.com>
On 4/18/20 12:51 PM, Michael Sierchio wrote:
> Showing your ruleset would allow us to comment meaningfully.

Not sure exactly which ruleset but ...

Here are the kernel opts:

    options IPFIREWALL
    options IPDIVERT

Here is the natd.conf:

    use_sockets
    port natd
    same_ports
    unregistered_only

This is the ruleset in the firewall up to the point NAT gets enabled.
re0 is outward facing, em0 is internal LAN:

    0001     4    715 allow icmp from any to any icmptypes 0,3,4,8,11,12
    00100   24   1958 allow ip from any to any via lo0
    00200    0      0 deny ip from any to 127.0.0.0/8
    00300    0      0 deny ip from 127.0.0.0/8 to any
    00400    0      0 deny ip from 192.168.0.0/24 to any in via re0
    00500    0      0 deny ip from 75.145.138.73 to any in via em0
    00600    0      0 deny ip from any to 10.0.0.0/8 via re0
    00700    0      0 deny ip from any to 172.16.0.0/12 via re0
    00800    0      0 deny ip from any to 192.168.0.0/16 via re0
    00900    0      0 deny ip from any to 0.0.0.0/8 via re0
    01000    0      0 deny ip from any to 169.254.0.0/16 via re0
    01100    0      0 deny ip from any to 192.0.2.0/24 via re0
    01200    1     32 deny ip from any to 224.0.0.0/4 via re0
    01300    0      0 deny ip from any to 240.0.0.0/4 via re0
    01400 1011  97774 divert 8668 ip from any to any via re0

As I said, these rules have not changed for an eternity so not sure
what is going on here.

>
> On Sat, Apr 18, 2020 at 10:19 AM Tim Daneliuk <tundra@tundraware.com> wrote:
>
>> I recently upgraded a FBSD 11.3 machine to -STABLE as of a few weeks ago.
>>
>> This machine acts as a firewall and nats between the outside world
>> and an internal nonroutable network.
>>
>> Configuration is stable and has not changed in years.
>>
>> Today I noted that speeds on the LAN side are about half of what is
>> available going out to the internet.
>>
>> I eliminated cables, interfaces, and switches and confirmed that - even if
>> I plug a machine directly into the FBSD nat box, I get half the speed that
>> box gets out to the net.
>>
>> I'm at a loss since I've changed nothing in the config.
>>
>> Ideas would be most appreciated.
>>
>> TIA,
>> --
>>
>> ----------------------------------------------------------------------------
>> Tim Daneliuk     tundra@tundraware.com
>> PGP Key:         http://www.tundraware.com/PGP/
>>
>

--
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
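Added example (not part of the thread, not code from the poster): a small parser for `ipfw -a list` output, fed the outward-facing subset of the ruleset quoted above, that checks two things a reviewer of such a ruleset looks at first: that the `divert` to natd on re0 is numbered after every `deny` on re0 (so bogon/spoofed packets are dropped before natd sees them), and which destination networks the re0 denies actually cover. The sample listing and the interface name are taken from the message; the check functions are assumptions of this example.

```python
import re
from ipaddress import ip_network

# Constructed sample: the re0 and lo0 rules from the ruleset quoted in the
# message, in `ipfw -a list` form (rule number, packets, bytes, body).
IPFW_LIST = """\
00100 24 1958 allow ip from any to any via lo0
00400 0 0 deny ip from 192.168.0.0/24 to any in via re0
00600 0 0 deny ip from any to 10.0.0.0/8 via re0
00700 0 0 deny ip from any to 172.16.0.0/12 via re0
00800 0 0 deny ip from any to 192.168.0.0/16 via re0
00900 0 0 deny ip from any to 0.0.0.0/8 via re0
01000 0 0 deny ip from any to 169.254.0.0/16 via re0
01100 0 0 deny ip from any to 192.0.2.0/24 via re0
01200 1 32 deny ip from any to 224.0.0.0/4 via re0
01300 0 0 deny ip from any to 240.0.0.0/4 via re0
01400 1011 97774 divert 8668 ip from any to any via re0
"""

# "divert 8668 ip ..." carries a port after the action; "deny ip ..." does not.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<action>\w+)"
    r"(?:\s+(?P<port>\d+))?\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?P<opts>.*)$")

def parse_ipfw(listing):
    """Parse accounting listing lines into dicts; unparseable lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["num"], r["pkts"], r["bytes"] = int(r["num"]), int(r["pkts"]), int(r["bytes"])
            r["opts"] = r["opts"].split()          # e.g. ["in", "via", "re0"]
            rules.append(r)
    return rules

def via_iface(rule, iface):
    opts = rule["opts"]
    return "via" in opts and opts[opts.index("via") + 1] == iface

def divert_after_denies(rules, iface):
    """True when every deny on iface has a lower number than the first divert on it."""
    diverts = [r["num"] for r in rules if r["action"] == "divert" and via_iface(r, iface)]
    denies = [r["num"] for r in rules if r["action"] == "deny" and via_iface(r, iface)]
    return bool(diverts) and all(d < min(diverts) for d in denies)

def denied_destinations(rules, iface):
    """Destination networks explicitly denied via iface (the 'to any' denies excluded)."""
    return {ip_network(r["dst"]) for r in rules
            if r["action"] == "deny" and via_iface(r, iface) and r["dst"] != "any"}

def is_covered(cidr, nets):
    """Is every address of cidr inside one of the denied networks?"""
    return any(ip_network(cidr).subnet_of(n) for n in nets)
```

Run against a live box with `ipfw -a list` as input; the packet counters (1011 on the divert rule above) also show which rules are actually seeing traffic.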