Date: Wed, 26 Jun 2019 12:47:31 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: "Patrick M. Hausen" <hausen@punkt.de>, FreeBSD Net <freebsd-net@freebsd.org>
Cc: mops@punkt.de
Subject: Re: IPFW NAT64 changed 11.2 --> 11.3?
Message-ID: <71dacccb-2500-6d7e-c890-2733d15fbbe5@yandex.ru>
In-Reply-To: <950200A8-6D36-46FE-B0DD-BA6EA860FEB7@punkt.de>
References: <950200A8-6D36-46FE-B0DD-BA6EA860FEB7@punkt.de>

On 26.06.2019 11:05, Patrick M. Hausen wrote:
> Hi all,
>
> we have a bit of a problem with some new servers that
> use NAT64 to access certain services that offer only
> legacy IP - like github.
>
> As far as I found the respective NAT64 gateways (in jails
> with VNET) are configured identically except for the
> particular addresses, of course.
>
> Yet, 11.2 works, 11.3-RC1 doesn’t
> Any hints welcome.

Check the output of the following commands on both translators:

# sysctl net.inet.ip.fw | grep nat64
# ipfw nat64lsn all list
# ipfw nat64lsn NAT64 stats
# ipfw nat64lsn NAT64 config log
# ifconfig ipfwlog0 create
# tcpdump -nvi ipfwlog0

Check the counters of rules with nat64lsn action, probably you use
netisr output (default mode) and have traffic loops, i.e. a packet
captured by NAT64 instance several times. Your rules look like direct
output is preferable for you (try to set
net.inet.ip.fw.nat64_direct_output=1).

-- 
WBR, Andrey V. Elsukov