Date:      Tue, 5 Aug 2003 16:33:10 -0400
From:      Rocco Caputo <rcaputo@pobox.com>
To:        freebsd-net@freebsd.org
Subject:   Re: pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"
Message-ID:  <20030805203309.GB550@eyrie.homenet>
In-Reply-To: <20030731195450.GB17861@carpediem.epita.fr>
References:  <20030730191530.GD36116@eyrie.homenet> <Pine.BSF.4.21.0307301250130.23956-100000@InterJet.elischer.org> <20030730213229.GA37634@eyrie.homenet> <20030731082103.GA17861@carpediem.epita.fr> <20030731143331.GD37634@eyrie.homenet> <20030731195450.GB17861@carpediem.epita.fr>

On Thu, Jul 31, 2003 at 09:54:50PM +0200, jeremie le-hen wrote:
> Your problem looks very strange. I didn't succeed in reproducing the same
> behaviour on my personal gateway.
> 
> But I noticed that, although you use ipnat(8), nat is also enabled in your
> ppp(8) configuration, this *may* explain some of your problems, such as
> seeing double packets. Try to remove all "nat*" lines.

Thanks for looking at the problem and for the advice.

After much more reading, especially on the way packets flow through the
various firewalls and NAT systems FreeBSD provides, I sat down and
really thought things through.

I couldn't wrap my head around the flow when NAT was used in the
firewalls, so I dropped back and enabled it in ppp(8).  This bugs me
slightly because my local network lives in the 10/8 address space, and I
must let 10/8 packets through tun0.  Oh well.  At least I can do it
statefully.

I moved the firewall rules from ipf(8) to ipfw(8).  I disabled ipnat
since ppp(8) takes care of it now.

Combining stateful rules and dummynet in ipfw(8) was interesting.  The
trick I settled on was to use stateful skipto rules that pass "good"
packets to one-pass dummynet rules.  Everything else is denied by
default.

This cleared up the ping problems, and it cleared up the problems with
NATted machines connecting to the outside world.  It doesn't fix active
FTP, but I've given up on that.  Passive seems to work well enough.

Thanks again.

-- 
Rocco Caputo - rcaputo@pobox.com - http://poe.perl.org/



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030805203309.GB550>
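A ruleset in the shape the message describes (stateful skipto rules that hand accepted traffic to one-pass dummynet pipes, deny by default, NAT left to ppp(8)), added here as an illustration; it is not the poster's ruleset and not FreeBSD's rc.firewall. Everything concrete in it is assumed: tun0 is the PPPoE link, the LAN is 10/8 behind fxp0, the pipe bandwidths are placeholders, the `me` keyword needs ipfw2, and the kernel keeps net.inet.ip.fw.one_pass at its default of 1 so a packet that matches a pipe rule is accepted when it leaves the pipe instead of re-entering the ruleset.

```sh
#!/bin/sh
# Illustrative ipfw(8) ruleset: stateful skipto rules hand accepted traffic
# to one-pass dummynet pipes; everything else on the PPPoE link is denied.
# Assumptions (not from the original message): tun0 is the PPPoE interface,
# the LAN is 10/8 behind fxp0, ppp(8) does the NAT, and the kernel keeps
# net.inet.ip.fw.one_pass=1 (the default), so a packet that matches a pipe
# rule is accepted when it leaves the pipe instead of re-entering the ruleset.

fwcmd="${FWCMD:-/sbin/ipfw}"   # set FWCMD=echo to preview the rules
oif="tun0"                      # PPPoE link
lanif="fxp0"                    # LAN side (assumed name)
lan="10.0.0.0/8"

apply_rules() {
    $fwcmd -f flush
    $fwcmd pipe flush

    # Link shaping; the rates are placeholders for the real PPPoE speeds.
    $fwcmd pipe 1 config bw 256Kbit/s queue 10    # upstream
    $fwcmd pipe 2 config bw 1500Kbit/s queue 30   # downstream

    # Traffic that never touches the PPPoE link is left alone.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 allow ip from any to any via $lanif

    # A packet matching an existing dynamic rule takes the action of the
    # rule that created it, i.e. one of the skipto rules below, so replies
    # and later packets of a session reach the pipes without their own rules.
    $fwcmd add 200 check-state

    # New outbound sessions. ppp(8) translates addresses in userland after
    # ipfw has seen the packet leave on tun0, so sources are still 10/8 here;
    # that is why the LAN prefix has to be allowed out via tun0, not blocked.
    $fwcmd add 300 skipto 1000 tcp from $lan to any out via $oif setup keep-state
    $fwcmd add 310 skipto 1000 udp from $lan to any out via $oif keep-state
    $fwcmd add 320 skipto 1000 icmp from $lan to any out via $oif icmptypes 8 keep-state

    # Sessions started by the gateway itself (its tun0 address is not 10/8).
    # "me" matches any address configured on the box (ipfw2 keyword, assumed).
    $fwcmd add 330 skipto 1000 tcp from me to any out via $oif setup keep-state
    $fwcmd add 340 skipto 1000 udp from me to any out via $oif keep-state

    # One inbound service, also stateful so its replies take the same path.
    $fwcmd add 400 skipto 1000 tcp from any to me 22 in via $oif setup keep-state

    # Anything on tun0 that did not match a stateful rule is dropped here
    # (the implicit rule 65535 would do the same, without logging).
    $fwcmd add 900 deny log ip from any to any via $oif

    # Target of the skipto rules. With one_pass=1 these accept the packet
    # after shaping; rule 1020 only matters if one_pass is switched to 0.
    $fwcmd add 1000 pipe 1 ip from any to any out via $oif
    $fwcmd add 1010 pipe 2 ip from any to any in via $oif
    $fwcmd add 1020 allow ip from any to any
}

# Only touch the live firewall when explicitly asked to.
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run it as `FWCMD=echo sh ruleset.sh apply` to print the rules without loading them, and as root with `sh ruleset.sh apply` to install them. The deny at 900 sits numerically before the pipe rules on purpose: only a skipto (directly, or replayed through check-state) can jump over it, so every packet that reaches a pipe has already been admitted by a stateful rule.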