Date: Mon, 13 Oct 2003 00:19:54 -0500
From: Larry Rosenman
To: freebsd-stable@freebsd.org
cc: darrenr@freebsd.org
Subject: IPNAT/Slow TCP/Pings fine/4.8-REL

I was trying(!) to help a friend out, and built a 4.8-REL box to play
Router/NAT and it's ALMOST working.

I can't seem to telnet/surf from NAT'd addresses, but PING works fine.

rl1:
rl1: flags=8843 mtu 1500
        inet 207.168.119.2 netmask 0xffffff00 broadcast 207.168.119.255
        inet6 fe80::240:5ff:fe82:f0e8%rl1 prefixlen 64 scopeid 0x2
        ether 00:40:05:82:f0:e8
        media: Ethernet autoselect (100baseTX )
        status: active

rl2:
rl2: flags=8843 mtu 1500
        inet 192.168.30.125 netmask 0xffffff00 broadcast 192.168.30.255
        inet6 fe80::205:5dff:fe50:fc65%rl2 prefixlen 64 scopeid 0x3
        ether 00:05:5d:50:fc:65
        media: Ethernet autoselect (100baseTX )
        status: active

/etc/ipnat.rules:

$ cat /etc/ipnat.rules
map rl1 192.168.30.0/24 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
map rl1 192.168.30.0/24 -> 0.0.0.0/32
$

/etc/rc.conf:

$ cat /etc/rc.conf
# -- sysinstall generated deltas -- # Sat Oct 11 18:43:56 2003
# Created: Sat Oct 11 18:43:56 2003
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="207.168.119.1"
hostname="fw.imscomp.com"
#ifconfig_rl2_alias0="inet 192.168.0.1  netmask 255.255.255.0"
ifconfig_rl2="inet 192.168.30.125  netmask 255.255.255.0"
ifconfig_rl1="inet 207.168.119.2  netmask 255.255.255.0"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
ipnat_enable="YES"              # Set to YES to enable ipnat functionality
ipmon_enable="YES"              # Set to YES for ipmon; needs ipfilter or ipnat
gateway_enable="YES"
$

/etc/sysctl.conf:

$ cat /etc/sysctl.conf
# $FreeBSD: src/etc/sysctl.conf,v 1.1.2.3 2002/04/15 00:44:13 dougb Exp $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
$

Kernel config:

$ cat IMSFW
#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.51.2.2 2003/03/25 23:35:15 jhb Exp $

machine         i386
cpu             I686_CPU
ident           IMSFW
maxusers        0

#makeoptions    DEBUG=-g                #Build kernel with gdb(1) debug symbols

options         INET                    #InterNETworking
options         INET6                   #IPv6 communications protocols
options         FFS                     #Berkeley Fast Filesystem
options         FFS_ROOT                #FFS usable as root device [keep this!]
options         SOFTUPDATES             #Enable FFS soft updates support
options         UFS_DIRHASH             #Improve performance on big directories
options         NFS                     #Network Filesystem
options         NFS_ROOT                #NFS usable as root device, NFS required
options         MSDOSFS                 #MSDOS Filesystem
options         CD9660                  #ISO 9660 Filesystem
options         CD9660_ROOT             #CD-ROM usable as root, CD9660 required
options         PROCFS                  #Process filesystem
options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
options         SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
options         UCONSOLE                #Allow users to grab the console
options         USERCONFIG              #boot -c editor
options         VISUAL_USERCONFIG       #visual boot -c editor
options         KTRACE                  #ktrace(1) support
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         P1003_1B                #Posix P1003_1B real-time extensions
options         _KPOSIX_PRIORITY_SCHEDULING
options         ICMP_BANDLIM            #Rate limit bad replies
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev

# To make an SMP kernel, the next two are needed
#options        SMP                     # Symmetric MultiProcessor Kernel
#options        APIC_IO                 # Symmetric (APIC) I/O
# To support HyperThreading, HTT is needed in addition to SMP and APIC_IO
#options        HTT                     # HyperThreading Technology

device          isa
device          pci

# Floppy drives
device          fdc0    at isa? port IO_FD1 irq 6 drq 2
device          fd0     at fdc0 drive 0
#
# If you have a Toshiba Libretto with its Y-E Data PCMCIA floppy,
# don't use the above line for fdc0 but the following one:
#device         fdc0

# ATA and ATAPI devices
device          ata0    at isa? port IO_WD1 irq 14
device          ata1    at isa? port IO_WD2 irq 15
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
device          atapifd                 # ATAPI floppy drives
device          atapist                 # ATAPI tape drives
options         ATA_STATIC_ID           #Static device numbering

device          scbus           # SCSI bus (required)
device          da              # Direct Access (disks)
device          sa              # Sequential Access (tape etc)
device          cd              # CD
device          pass            # Passthrough device (direct SCSI access)

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc0 at isa? port IO_KBD
device          atkbd0  at atkbdc? irq 1 flags 0x1
device          psm0    at atkbdc? irq 12

device          vga0    at isa?

# splash screen/screen saver
pseudo-device   splash

# syscons is the default console driver, resembling an SCO console
device          sc0     at isa? flags 0x100

# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device         vt0     at isa?
#options        XSERVER                 # support for X server on a vt console
#options        FAT_CURSOR              # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options        PCVT_SCANSET=2          # IBM keyboards are non-std

device          agp             # support several AGP chipsets

# Floating point support - do not disable.
device          npx0    at nexus? port IO_NPX irq 13

# Power management support (see LINT for more options)
device          apm0    at nexus? flags 0x20 # Advanced Power Management

# Serial (COM) ports
device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
device          sio1    at isa? port IO_COM2 irq 3
device          sio2    at isa? disable port IO_COM3 irq 5
device          sio3    at isa? disable port IO_COM4 irq 9

# Parallel port
device          ppc0    at isa? irq 7
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          plip            # TCP/IP over parallel
device          ppi             # Parallel port interface device
#device         vpo             # Requires scbus and da

# PCI Ethernet NICs.

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          rl              # RealTek 8129/8139

# Pseudo devices - the number indicates how many units to allocate.
pseudo-device   loop            # Network loopback
pseudo-device   ether           # Ethernet support
pseudo-device   sl      1       # Kernel SLIP
pseudo-device   ppp     1       # Kernel PPP
pseudo-device   tun             # Packet tunnel.
pseudo-device   pty             # Pseudo-ttys (telnet etc)
pseudo-device   md              # Memory "disks"
pseudo-device   gif             # IPv6 and IPv4 tunneling
pseudo-device   faith   1       # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device   bpf             #Berkeley packet filter

# USB support
device          uhci            # UHCI PCI->USB interface
device          ohci            # OHCI PCI->USB interface
device          usb             # USB Bus (required)
device          ugen            # Generic
device          uhid            # "Human Interface Devices"
device          ukbd            # Keyboard
device          ulpt            # Printer
device          umass           # Disks/Mass storage - Requires scbus and da
device          ums             # Mouse
device          uscanner        # Scanners
device          urio            # Diamond Rio MP3 Player
# USB Ethernet, requires mii
device          aue             # ADMtek USB ethernet
device          cue             # CATC USB ethernet
device          kue             # Kawasaki LSI USB ethernet

options         IPFILTER                #ipfilter support
options         IPFILTER_LOG            #ipfilter logging
$

What am I missing? What else do you/I need?

Thanks for any QUICK replies!

-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 972-414-9812                 E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
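An added consistency check, not part of Larry's mail or of FreeBSD/IPFilter: it parses the posted ipnat.rules and cross-checks them against the posted interfaces, defaultrouter and rc.conf/sysctl settings, which is the first thing to verify when NAT translates some protocols but not others. The interface table and the function names are constructed for this example.

```python
# Added example (not from the posting): cross-check the pieces of an ipnat gateway
# setup. Values are constructed from the mail; function names are hypothetical.
import ipaddress, re

INTERFACES = {"rl1": "207.168.119.2/24",    # outside, toward defaultrouter
              "rl2": "192.168.30.125/24"}   # inside LAN
DEFAULT_ROUTER = "207.168.119.1"
RC_CONF = {"gateway_enable": "YES", "ipnat_enable": "YES"}
SYSCTL = {"net.inet.ip.forwarding": "1"}
IPNAT_RULES = """\
map rl1 192.168.30.0/24 -> 0.0.0.0/32 portmap tcp/udp 1025:65000
map rl1 192.168.30.0/24 -> 0.0.0.0/32
"""
MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(?:\s+portmap\s+(\S+)\s+(\d+):(\d+))?\s*$")

def parse_map_rules(text):
    """One dict per 'map' line; rdr lines and comments are ignored."""
    rules = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            iface, src, dst, protos, lo, hi = m.groups()
            rules.append({"iface": iface, "src": ipaddress.ip_network(src),
                          "dst": dst, "portmap": protos})
    return rules

def outside_interface(interfaces, default_router):
    """The outside interface is the one whose subnet contains the default router."""
    gw = ipaddress.ip_address(default_router)
    return next((n for n, a in interfaces.items()
                 if gw in ipaddress.ip_interface(a).network), None)

def check_nat_config(interfaces, default_router, rules, rc_conf, sysctl):
    """Return findings; an empty list means rules, interfaces and rc settings agree."""
    findings = []
    outside = outside_interface(interfaces, default_router)
    inside = [ipaddress.ip_interface(a).network for n, a in interfaces.items() if n != outside]
    for r in rules:
        if r["iface"] != outside:
            findings.append(f"map on {r['iface']} but the default route leaves via {outside}")
        if r["src"] not in inside:
            findings.append(f"map source {r['src']} is not an inside interface's subnet")
    # ipnat applies the first matching map rule, so the tcp/udp portmap rule
    # must come before the plain rule that translates everything else (ICMP).
    kinds = [r["portmap"] is not None for r in rules]
    if not (True in kinds and False in kinds and kinds.index(True) < kinds.index(False)):
        findings.append("expected a 'portmap tcp/udp' map rule followed by a catch-all map rule")
    if rc_conf.get("gateway_enable") != "YES" and sysctl.get("net.inet.ip.forwarding") != "1":
        findings.append("IP forwarding is not enabled (gateway_enable or net.inet.ip.forwarding)")
    if rc_conf.get("ipnat_enable") != "YES":
        findings.append("ipnat_enable is not YES, so rc.network will not load ipnat.rules")
    return findings
```

Run against the values from the mail it returns no findings, so the fault is not a mismatch between the posted files.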