From: Rocco Caputo
To: freebsd-net@freebsd.org
Date: Tue, 5 Aug 2003 16:33:10 -0400
Subject: Re: pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"
Message-ID: <20030805203309.GB550@eyrie.homenet>
In-Reply-To: <20030731195450.GB17861@carpediem.epita.fr>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Jul 31, 2003 at 09:54:50PM +0200, jeremie le-hen wrote:
> Your problem looks very strange. I didn't succeed in reproducing the same
> behaviour on my personal gateway.
>
> But I noticed that, although you use ipnat(8), nat is also enabled in your
> ppp(8) configuration; this *may* explain some of your problems, such as
> seeing double packets. Try to remove all "nat*" lines.

Thanks for looking at the problem and for the advice.

After much more reading, especially on the way packets flow through the various firewalls and NAT systems FreeBSD provides, I sat down and really thought things through. I couldn't wrap my head around the flow when NAT was used in the firewalls, so I dropped back and enabled it in ppp(8). This bugs me slightly because my local network lives in the 10/8 address space, and I must let 10/8 packets through tun0. Oh well. At least I can do it statefully.

I moved the firewall rules from ipf(8) to ipfw(8). I disabled ipnat since ppp(8) takes care of it now.

Combining stateful rules and dummynet in ipfw(8) was interesting. The trick I settled on was to use stateful skipto rules that pass "good" packets to one-pass dummynet rules. Everything else is denied by default.

This cleared up the ping problems, and it cleared up the problems with NATted machines connecting to the outside world. It doesn't fix active FTP, but I've given up on that. Passive seems to work well enough.

Thanks again.

-- 
Rocco Caputo - rcaputo@pobox.com - http://poe.perl.org/
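An ipfw(8) ruleset in the shape the message describes (stateful skipto rules feeding one-pass dummynet pipes, default deny, NAT left to ppp(8)), written here as an added illustration rather than the poster's actual configuration. The LAN interface name fxp0, the pipe bandwidths and the rule numbers are assumptions; tun0 and the 10/8 network come from the message.

```shell
#!/bin/sh
# Added illustration of the skipto-into-dummynet approach; not the poster's
# own ruleset. Assumptions: tun0 is the ppp(8) link and ppp does the NAT, so
# ipfw sees 10/8 addresses on tun0 in both directions; fxp0 is the LAN side;
# net.inet.ip.fw.one_pass=1 (the default), so a packet that hits a pipe rule
# is accepted right after the pipe instead of continuing down the ruleset.
fwcmd="${fwcmd:-/sbin/ipfw -q}"   # set fwcmd=echo to dry-run the ruleset
ext=tun0
lanif=fxp0
lan=10.0.0.0/8

load_rules() {
    $fwcmd -f flush
    $fwcmd pipe 1 config bw 128Kbit/s     # upstream shaping (constructed value)
    $fwcmd pipe 2 config bw 1500Kbit/s    # downstream shaping (constructed value)

    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 allow ip from any to any via $lanif

    # A reply to a recorded flow re-executes the action of the rule that
    # created the dynamic entry, i.e. the skipto below, so both directions
    # of a "good" flow land in the shaping block.
    $fwcmd add 200 check-state

    # Only flows initiated from the LAN or from the gateway itself are "good".
    $fwcmd add 300 skipto 1000 tcp from $lan to any out via $ext setup keep-state
    $fwcmd add 310 skipto 1000 udp from $lan to any out via $ext keep-state
    $fwcmd add 320 skipto 1000 icmp from $lan to any out via $ext keep-state
    $fwcmd add 330 skipto 1000 ip from me to any out via $ext keep-state

    # Anything that did not earn a dynamic rule is dropped (and logged) here.
    $fwcmd add 900 deny log ip from any to any

    # Shaping block. With one_pass=1 the packet is accepted after the pipe;
    # rule 1020 only matters with one_pass=0, where it is reinjected here.
    $fwcmd add 1000 pipe 1 ip from any to any out via $ext
    $fwcmd add 1010 pipe 2 ip from any to any in via $ext
    $fwcmd add 1020 allow ip from any to any
}

# Apply the rules only on the system they are written for.
if [ "$(uname -s)" = FreeBSD ]; then
    load_rules
fi
```

Logging on rule 900 needs net.inet.ip.fw.verbose=1; with fwcmd=echo the script prints the rules instead of loading them.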