Date: Sun, 8 Aug 2010 15:30:57 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Michael <mlmichael70@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: nat and dynamic external address
Message-ID: <20100808144342.U66749@sola.nimnet.asn.au>
In-Reply-To: <4C5A58FE.2050704@gmail.com>
References: <4C5A58FE.2050704@gmail.com>
On Thu, 5 Aug 2010, Michael wrote:

> Am I right thinking that "if interface" and "reset" parameters should be
> enough to handle changing address (DHCP) on external interface?

In theory.

> My rules:
>
> ipfw -q nat 1 config reset if $if_ext log same_ports
> ipfw -q add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
> ipfw -q add nat 1 udp from $dns to me in recv $if_ext
>
> They work fine only when $if_ext gets its IP address during system boot-up.
> If DHCP server is unavailable at the time of rules loading then ipfw says:
>
> ipfw: cannot get interface name
>
> (The same happens without "SYNDHCP" option for ipfw in rc.conf)
> It loads all rules anyway. Now after DHCP becomes available and $ext_if gets
> its IP address it turns out that NAT is still not working. I have to
> manually reload the same ruleset.
>
> Any ideas how to solve that problem?

Michael, you're only releasing snippets of information at a time. This came
from a discussion in freebsd-jail, and it was my advice to post to -ipfw
rather than -jail if it became more complicated:

http://lists.freebsd.org/pipermail/freebsd-jail/2010-August/001348.html

Only in your later message to -jail and your post to -questions quoted below
here did you reveal that this involved a wlan interface, and your issue with
your access point / DHCP server being offline when you boot (which perhaps
suggests a "then don't do it that way" solution?)

======= from freebsd-questions digest =======

Date: Wed, 04 Aug 2010 20:25:42 +0100
From: Michael <mlmichael70@gmail.com>
Subject: ipfw and changing IP address (dhcp)
To: freebsd-questions@freebsd.org
Message-ID: <4C59BEB6.8050101@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hello,

I'm using ipfw on my laptop running 8.1R amd64. IP address of its external
interface (wlan0) is assigned by DHCP server on home broadband access point.
Everything works fine when access point is up and running but if I boot my
FreeBSD laptop when access point (DHCP server) is down then obviously my
laptop gets no IP. ipfw complains that it "cannot get interface name" and
loads firewall rules anyway. Now after some time access point becomes
available and freebsd gets IP address automatically but I still have to
manually reload the same ipfw ruleset to get internet access.

I am using "me" in all of my firewall rules for example:

$cmd 20010 allow icmp from me to any out via $if_ext keep-state

Is there anything I have forgotten about? Or ipfw simply can't handle such
situations?

=======

I know only what I've read about setting up wlan interfaces (no wireless here
since FreeBSD 5.5 days) so I can't say whether or not you could successfully
configure it with an initial IP address before DHCP assigns one as you can
with a normal ethernet interface, which might address the issue of wlan0
having no address while loading your ipfw ruleset?

So whether this really points to a bug in ipfw nat (re not resetting NAT
rules when interface address changes) or whether this is some issue with
wlan, or wlan config (possibly involving what we haven't yet seen, maybe
either dhclient and/or wpa_supplicant config) I won't dare to speculate.

I _can_ say that if you provide specific information (relevant rc.conf
settings, all wlan and dhclient config, ifconfig and netstat information at
the time the problem occurs) as well as purely verbal descriptions, you'll
have a better chance of someone spotting the problem, which while not
discounting the possibility of a bug, seems likely a config issue.

cheers, Ian
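One way to re-apply a nat instance that was configured before the interface had an address, as an added example that is not from this thread or from either poster: a /etc/dhclient-exit-hooks fragment that re-runs Michael's "nat config" line once DHCP actually binds. It assumes the variables FreeBSD's dhclient-script exports to exit hooks ($reason, $interface, $old_ip_address, $new_ip_address), interface wlan0 and nat instance 1 as in the ruleset above; IF_EXT and NAT_ID are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/dhclient-exit-hooks fragment that
# re-applies the ipfw nat instance when DHCP binds or changes the address on
# the external interface. dhclient-script sources this file with $reason,
# $interface, $old_ip_address and $new_ip_address set.
IF_EXT="${IF_EXT:-wlan0}"   # external interface (assumed: wlan0 as in the thread)
NAT_ID="${NAT_ID:-1}"       # nat instance number used by the ruleset (assumed: 1)

# Decide whether a lease event requires touching the nat instance: only
# address-acquiring events on the external interface, and only when the
# address actually changed (a RENEW that keeps the same lease is a no-op).
nat_needs_reconfig() {
    ev=$1 ifc=$2 old=$3 new=$4
    [ "$ifc" = "$IF_EXT" ] || return 1
    case $ev in
        BOUND|REBOOT|REBIND|RENEW) ;;
        *) return 1 ;;
    esac
    [ -n "$new" ] || return 1
    [ "$old" != "$new" ]
}

# The command that makes the nat instance re-read the interface address.
# Same flags as the ruleset in the thread; "reset" also flushes the
# translation table so stale state for the old address is dropped.
nat_reconfig_cmd() {
    echo "ipfw -q nat $NAT_ID config reset if $1 log same_ports"
}

# Act only when sourced by dhclient-script (reason set) and ipfw is present,
# and leave an audit trail in syslog for every reconfiguration.
if [ -n "$reason" ] && command -v ipfw >/dev/null 2>&1; then
    if nat_needs_reconfig "$reason" "$interface" "$old_ip_address" "$new_ip_address"; then
        logger -t dhclient-exit-hooks \
            "$interface $reason ${old_ip_address:-none} -> $new_ip_address: reconfiguring ipfw nat $NAT_ID"
        eval "$(nat_reconfig_cmd "$interface")"
    fi
fi
```

The "me" keyword in Michael's allow rules is evaluated per packet against the current interface addresses, so those rules need no such hook; only the nat instance, which snapshots the interface at config time, does.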