From: "Rick C. Petty" <rick@kris.kiwi-computer.com>
To: freebsd-questions@freebsd.org
Subject: natd & DUMMYNET
Date: Sat, 15 Jul 2000 11:43:07 -0400 (EDT)
Message-Id: <200007151543.LAA30005@kris.kiwi-computer.com>

Hello, all!

I'm trying to set up ipfw to handle a bunch of machines behind a firewall using natd, which I have working just fine. The problem is when I tried to use DUMMYNET to bandwidth-limit certain machines on the local network in addition to the proper address translation with natd. When I enable the following pipes, natd fails to "work" (outgoing pings from behind the firewall don't return):

    $fwcmd pipe 1 config bw 16Kbit/s delay 100ms
    $fwcmd pipe 2 config bw 8Kbit/s delay 100ms
    $fwcmd add 100 pipe 1 ip from 192.168.25.128 to any
    $fwcmd add 200 pipe 2 ip from any to 192.168.25.128

where 192.168.25.128 is the box behind the firewall I was running test pings from. Other working rules include:

    $fwcmd add divert natd all from any to any via ${natd_interface}
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8
    $fwcmd add 500 pass tcp from any to any established
    $fwcmd add 60000 allow ip from any to any

and those seem to work just fine. Remember, it's only when I use the aforementioned pipes that natd starts failing.
I have tried many combinations of rule numbers, such as the natd rule number being higher or lower than the pipe rules, and it doesn't seem to change the behaviour. These rules are located in a firewall script after an ipfw flush. I am running 3.4-RELEASE with the following relevant options in my kernel config:

    options IPFIREWALL
    options IPDIVERT
    options DUMMYNET

The strange thing is that if I ping the firewall from the .25.128 machine, I do get the added 100 ms delay both ways (avg. 300 ms total ping time vs. less than 1 ms without the pipes), and watching my hub lights suggests that packets get routed out the firewall and returned to the firewall, but not reverse-translated back to the source machine...

I have searched the FAQ and read countless similar mailing-list archive messages and have tried countless combinations of rules, but to no avail. Could someone please tell me what simple thing I'm doing wrong, or send me a copy of ipfw commands/rules that correctly use natd(8) & dummynet(4)?

Thanks a bunch,

--Rick C. Petty, aka Snoopy rick@kiwi-computer.com
-----------------------------------------------------------------------
Principal Architect, KIWI Computer http://kiwi-computer.com/
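The following is an added example rule set, not code from the original post or from the FreeBSD project, showing one arrangement in which natd(8) and dummynet(4) coexist. Two details matter. First, by default the kernel's net.inet.ip.fw.one_pass sysctl is 1, which makes a packet leaving a dummynet pipe accepted immediately instead of continuing to the next rule, so a packet that hits a pipe rule before the divert rule never reaches natd; the script sets it to 0 so the packet is reinjected at the next rule. Second, the outbound pipe rule must match before natd rewrites the private source address, and the inbound pipe rule must match after natd has restored the private destination, so the rules are ordered pipe-out, divert, pipe-in and qualified with in/out via the outside interface. The outside interface name ed0, the shaped host 192.168.25.128 and the pipe parameters are assumptions for the example; set fwcmd="echo ipfw" to preview the rules without touching the kernel, and run with APPLY=yes to install them.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw rule set that
# combines natd with per-host dummynet shaping on a FreeBSD gateway.
# Assumed values (adjust to your site): outside interface ed0, natd
# already running as "natd -n ed0", shaped host 192.168.25.128, and a
# kernel built with IPFIREWALL, IPDIVERT and DUMMYNET.

fwcmd="${fwcmd:-/sbin/ipfw}"                     # fwcmd="echo ipfw" previews
natd_interface="${natd_interface:-ed0}"           # assumed outside interface
shaped_host="${shaped_host:-192.168.25.128}"      # assumed shaped host

# Emit the rule set through $fwcmd.  Order is the point: outbound
# traffic must hit its pipe while its source is still the private
# address (before natd), inbound traffic must hit its pipe after natd
# has put the private destination back.
build_rules() {
    $fwcmd -f flush

    $fwcmd pipe 1 config bw 16Kbit/s delay 100ms   # uplink for shaped host
    $fwcmd pipe 2 config bw 8Kbit/s delay 100ms    # downlink for shaped host

    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0/8

    # Outbound, pre-NAT: source is still $shaped_host, so this matches.
    # With one_pass=0 the packet leaves the pipe and continues at 400.
    $fwcmd add 300 pipe 1 ip from $shaped_host to any out via $natd_interface

    # natd rewrites the packet and reinjects it at the rule after 400.
    $fwcmd add 400 divert natd all from any to any via $natd_interface

    # Inbound, post-NAT: natd has restored the private destination, so
    # this matches on the way back in.
    $fwcmd add 500 pipe 2 ip from any to $shaped_host in via $natd_interface

    $fwcmd add 600 pass tcp from any to any established
    $fwcmd add 65000 allow ip from any to any
}

# Install the rules.  one_pass=0 makes a packet re-enter the firewall at
# the next rule after a pipe instead of being accepted outright.
apply_rules() {
    sysctl -w net.inet.ip.fw.one_pass=0
    build_rules
}

if [ "${APPLY:-no}" = yes ]; then
    apply_rules
fi
```

Preview with `fwcmd="echo ipfw" sh natd-dummynet.sh` and confirm that the pipe 1 rule precedes the divert rule and the pipe 2 rule follows it; only the ordering relative to the divert rule and the one_pass setting are essential, the rule numbers themselves are arbitrary.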