From: Dmitriy Demidov
To: freebsd-ipfw@freebsd.org
Date: Tue, 14 Jul 2009 23:55:34 +0300
Subject: ipfw nat and locally initiated UDP traffic
Message-Id: <200907142355.34973.dima_bsd@inbox.lv>

Hi list.

I have a problem with ipfw nat. It makes me crazy (I really have no idea how to troubleshoot this problem). It looks like ipfw nat does not pass locally initiated UDP traffic through itself! Is there any hint that I do not know about ipfw nat?

Any clue please :(

ipfw configuration (fxp0 is the local network, and em0 is the ISP side):
===
add allow ip from any to any via fxp0
add allow udp from any 68 to any 67
add allow udp from any 67 to any 68
nat 1 config log if em0 reset same_ports deny_in
add nat 1 all from any to any via em0
===

When I start nslookup and do a query from the NAT machine, I get:
===
(tcpdump on em0)
23:24:10.591959 IP (tos 0x0, ttl 64, id 2646, offset 0, flags [none], proto UDP (17), length 64)
    87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:15.591009 IP (tos 0x0, ttl 64, id 2647, offset 0, flags [none], proto UDP (17), length 64)
    87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:20.591563 IP (tos 0x0, ttl 64, id 2674, offset 0, flags [none], proto UDP (17), length 64)
    87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)

(nslookup)
> server
Default server: 91.198.156.20
Address: 91.198.156.20#53
> forums.freebsd.org.
;; connection timed out; no servers could be reached
===

At the same time, if I make a query from a machine that is in the 192.168.1.0/24 network (behind the NAT), I get the correct result:
===
(tcpdump on em0)
23:24:59.360796 IP (tos 0x0, ttl 63, id 581, offset 0, flags [none], proto UDP (17), length 64)
    87.110.118.70.61735 > 91.198.156.20.53: 16871+ A? forums.freebsd.org. (36)
23:25:01.052611 IP (tos 0x0, ttl 60, id 49380, offset 0, flags [none], proto UDP (17), length 224)
    91.198.156.20.53 > 87.110.118.70.61735: 16871 2/3/3 forums.freebsd.org. CNAME[|domain]

(nslookup)
> server
Default server: 91.198.156.20
Address: 91.198.156.20#53
> forums.freebsd.org.
Server: 91.198.156.20
Address: 91.198.156.20#53

Non-authoritative answer:
forums.freebsd.org canonical name = freebsd-forums.liquidneon.com.
Name: freebsd-forums.liquidneon.com
Address: 149.20.54.209
===

On the NAT machine I'm using FreeBSD 7.2-STABLE (FreeBSD 7.2-STABLE #0: Wed Jun 24 12:59:06 EEST 2009 i386).

GENERIC kernel with extra options:
===
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_NAT
options LIBALIAS
options DUMMYNET
options HZ="1000"
device vlan
===
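The two captures above differ in one useful way: the query sent from the NAT box itself leaves em0 with ttl 64 and is retransmitted three times with no reply ever appearing on the wire, while the forwarded query (ttl 63) is answered within two seconds. The script below is an added example, not part of the original message: it parses tcpdump -v output of this shape, pairs each DNS query with its response by (client address, client port, server address, transaction id), and reports which queries never got a reply and whether they originated on the NAT host. It assumes the host's default IP TTL is 64, so a ttl of 64 on the outside interface marks a locally generated packet and 63 a forwarded one.

```python
import re

# Constructed sample, copied from the tcpdump output in the message above.
# tcpdump -v prints each packet as a header line plus an indented payload line.
SAMPLE = """\
23:24:10.591959 IP (tos 0x0, ttl 64, id 2646, offset 0, flags [none], proto UDP (17), length 64)
    87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:15.591009 IP (tos 0x0, ttl 64, id 2647, offset 0, flags [none], proto UDP (17), length 64)
    87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:20.591563 IP (tos 0x0, ttl 64, id 2674, offset 0, flags [none], proto UDP (17), length 64)
    87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:59.360796 IP (tos 0x0, ttl 63, id 581, offset 0, flags [none], proto UDP (17), length 64)
    87.110.118.70.61735 > 91.198.156.20.53: 16871+ A? forums.freebsd.org. (36)
23:25:01.052611 IP (tos 0x0, ttl 60, id 49380, offset 0, flags [none], proto UDP (17), length 224)
    91.198.156.20.53 > 87.110.118.70.61735: 16871 2/3/3 forums.freebsd.org. CNAME[|domain]
"""

# Header line (timestamp, ttl) followed by the indented "src.port > dst.port: txid" line.
PKT = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl (?P<ttl>\d+),.*?\)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)",
    re.M,
)

def parse(text):
    """Yield one dict per UDP packet found in tcpdump -v output."""
    for m in PKT.finditer(text):
        d = m.groupdict()
        for k in ("ttl", "sport", "dport", "txid"):
            d[k] = int(d[k])
        yield d

def match_queries(text):
    """Pair DNS queries with responses; return (answered, unanswered) dicts
    keyed by (client ip, client port, server ip, txid). Assumes default TTL 64."""
    pending, answered = {}, {}
    for p in parse(text):
        if p["dport"] == 53:                       # query leaving a client
            key = (p["src"], p["sport"], p["dst"], p["txid"])
            q = pending.setdefault(key, {"sent": 0, "first": p["ts"],
                                         "origin": "local" if p["ttl"] == 64 else "forwarded"})
            q["sent"] += 1                         # retransmits collapse onto one key
        elif p["sport"] == 53:                     # response coming back from a server
            key = (p["dst"], p["dport"], p["src"], p["txid"])
            if key in pending:
                answered[key] = pending.pop(key)
                answered[key]["answered_at"] = p["ts"]
    return answered, pending

if __name__ == "__main__":
    answered, unanswered = match_queries(SAMPLE)
    for key, q in unanswered.items():
        print("NO REPLY", key, q)
    for key, q in answered.items():
        print("answered", key, q)
```

Run against a live `tcpdump -v -n -i em0 udp port 53` capture, an unanswered local query with no matching response line tells you the reply never reached em0 at all, which separates an upstream problem from a packet the firewall or nat rule dropped after arrival.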