Date: Tue, 10 Aug 2010 16:33:02 +0100
From: Alan Hicks <alan@p-o.co.uk>
To: freebsd-stable@freebsd.org
Subject: NAT issue in 8.1
Message-ID: <4C61712E.7030704@p-o.co.uk>
Having upgraded to Release-8.1, there appears to be an issue with network address translation where a newly booted machine fails to set up NAT with the error 'ipfw: getsockopt(IP_FW_ADD): Invalid argument'.

Box has two interfaces, em0 and xl0 (Dell PowerEdge 1600SC).

rc.conf:

ifconfig_xl0="inet 192.168.202.5 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.0.2 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
firewall_enable="YES"
firewall_type="open"
firewall_logging="yes"
natd_enable="YES"
natd_interface="em0"

Boot excerpt from console, typed as it does not make it to /var/log/messages, so apologies for any typos:

add net default: gateway 192.168.0.1
Additional routing options: IP gateway=YES
Starting devd.
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to deny, logging disabled
load_dn_sched dn_sched FIFO loaded
load_dn_sched dn_sched QFQ loaded
load_dn_sched dn_sched RR loaded
load_dn_sched dn_sched WF2Q+ loaded
load_dn_sched dn_sched PRIO loaded
flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
ipfw: getsockopt(IP_FW_ADD): Invalid argument
65000 allow ip from any to any
Firewall rules loaded.
Firewall logging enabled.
Starting natd.
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Aug 10 12:02:53 natd[869]: Aliasing to 192.168.0.2, mtu 1500 bytes

Although all appears to be ok, machines on the xl0 192.168.202.0/24 subnet can't see the internet.

Running /etc/rc.firewall manually fixes the issue.

The machine was upgraded from 8.0 using unmodified CVS sources with buildkernel, buildworld, installworld, installkernel, mergemaster.

Any help appreciated.

Alan
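A post-boot check for a box in this state, added here as an example and not part of Alan's post: it parses "ipfw list" output and confirms the natd divert rule is actually present, rather than trusting the "Firewall rules loaded." line that was printed after the IP_FW_ADD error. It assumes rc.firewall adds that rule as "divert natd ... via <natd_interface>", and that the failed add at boot was this rule (inferred from the error appearing between rule 01000 and 65000); the rule lists below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the post. Assumes rc.firewall's NAT rule has the
# form "divert natd ... via <natd_interface>" (shown as rule 00050 below).

# ipfw_check_divert IFACE
# Reads "ipfw list" output on stdin. Returns 0 if a divert rule bound to
# IFACE is present, 1 if it is missing, 2 if no rules were read at all.
ipfw_check_divert() {
    iface="$1"; n=0; found=1
    while read -r num rest; do
        [ -z "$num" ] && continue
        n=$((n + 1))
        case "$rest" in
            divert*via\ "$iface"|divert*via\ "$iface"\ *) found=0 ;;
        esac
    done
    [ "$n" -eq 0 ] && return 2
    return "$found"
}

# divert_status RULES IFACE -> prints ok | missing | empty
divert_status() {
    printf '%s\n' "$1" | ipfw_check_divert "$2" && rc=0 || rc=$?
    case "$rc" in
        0) echo ok ;;
        1) echo missing ;;
        *) echo empty ;;
    esac
}

# Constructed sample: the partial ruleset from the boot excerpt, where the
# IP_FW_ADD error fell between 01000 and 65000 and no divert rule exists.
BROKEN_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any'

# Constructed sample: the same ruleset after a successful load.
GOOD_RULES='00050 divert natd ip4 from any to any via em0
00100 allow ip from any to any via lo0
65000 allow ip from any to any'

echo "boot-time ruleset: $(divert_status "$BROKEN_RULES" em0)"
echo "healthy ruleset:   $(divert_status "$GOOD_RULES" em0)"
echo "wrong interface:   $(divert_status "$GOOD_RULES" xl0)"
```

On a live system, run it as "ipfw list | ipfw_check_divert em0" from a late rc script or cron job and alert on a non-zero status.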