From: Joe Marcus Clarke <marcus@freebsd.org>
Date: Wed, 17 Dec 2008 13:18:39 -0500
To: "Li, Qing"
Cc: Qing Li, Marko Zec, Julian Elischer, freebsd-current@freebsd.org, Kip Macy
Subject: Re: NAT (ipfw/natd) broken in latest -CURRENT
Message-ID: <4949427F.50004@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current

Li, Qing wrote:
> Yes, it appears to be arp-v2 related changes. I am suspecting the p2p
> link type and the fact the tunnel end points appear to be on-link with
> each other might be the problem.
>
> I am investigating the problem right now ...

FYI, I just switched my config to do proxy arp with a LAN IP, and it
works. My new ifconfig looks like:

em0: flags=8843 metric 0 mtu 1500
	options=9b
	ether 00:11:11:10:46:1e
	inet 172.18.254.236 netmask 0xffffff00 broadcast 172.18.254.255
	inet6 fe80::211:11ff:fe10:461e%em0 prefixlen 64 scopeid 0x1
	inet 172.18.254.237 netmask 0xffffffff broadcast 172.18.254.237
	inet6 2003:a02::1 prefixlen 64
	media: Ethernet 100baseTX (100baseTX )
	status: active
tun0: flags=8051 metric 0 mtu 1300
	inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5
	inet 172.18.254.237 --> 172.18.254.240 netmask 0xffffff00
	Opened by PID 35867

My new netstat looks like:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    31659    em0
127.0.0.1          link#3             UH          0      720    lo0
172.18.254.0/24    link#1             U           0        8    em0
172.18.254.237/32  link#1             U           0        8    em0
172.18.254.240     link#5             UH          0     1060   tun0

Joe

> --Qing
>
>> -----Original Message-----
>> From: owner-freebsd-current@freebsd.org [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Julian Elischer
>> Sent: Wednesday, December 17, 2008 9:32 AM
>> To: Joe Marcus Clarke
>> Cc: Qing Li; Marko Zec; Kip Macy; freebsd-current@freebsd.org
>> Subject: Re: NAT (ipfw/natd) broken in latest -CURRENT
>>
>> Joe Marcus Clarke wrote:
>>> Marko Zec wrote:
>>>> On Wednesday 17 December 2008 10:34:54 Paolo Pisati wrote:
>>>>> Joe Marcus Clarke wrote:
>>>>>> I just upgraded my i386 -CURRENT box from November 14 to today, and
>>>>>> now my SSH-over-PPP VPN tunnel no longer works. I did some packet
>>>>>> captures, and it appears that NAT is no longer working. If I send
>>>>>> a telnet packet from my client side over the PPP tunnel, I see the
>>>>>> SYN go out on the server side network properly translated. The
>>>>>> destination host ACKs correctly, but the ACK never goes back across
>>>>>> the tunnel. It's as if natd is no longer translating the packet on
>>>>>> the inbound path. Besides the upgrade, nothing has changed in my
>>>>>> environment.
>>>>> Lately some work has been done on the vimage and routing tree stuff,
>>>>> thus your best bet is to go back some days and try again.
>>>> Hi Joe,
>>>>
>>>> Could you try building your kernel with options VIMAGE_GLOBALS and tell
>>>> us whether this makes any difference - turning on VIMAGE_GLOBALS should
>>>> revert certain aspects of virtualization changes that recently got
>>>> merged into the tree.
>>> Thanks for the suggestion, but the results are the same. I turned on
>>> -verbose on natd, and I see the ACK packet come back from the
>>> destination, and natd is translating it correctly. However, I never see
>>> the ACK on the remote end of the tunnel. It looks like a routing
>>> problem at this point. It's as if the kernel doesn't know on what
>>> interface to encapsulate the reply packet.
>> The arpv2 changes seem to have somehow changed point-to-point routes,
>> so it may be related to that.
>> I'll wait for Qing or Kmacy to check....
>>
>>> Joe
>>>
>>>> Cheers,
>>>>
>>>> Marko
>>
>> _______________________________________________
>> freebsd-current@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

-- 
Joe Marcus Clarke
FreeBSD GNOME Team :: gnome@FreeBSD.org
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome
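The condition the thread converges on can be checked mechanically: for natd's translated reply to leave through the tunnel, the tunnel peer has to be reached through a host route (flag H) on the tun interface, not through the broader LAN subnet route that makes it look on-link via em0. The script below is an added example, not code from this thread or from FreeBSD. `check_tunnel_route` is a hypothetical helper name; it assumes the `netstat -rn` column layout shown in the mail. The first table is the working output from the mail, the second is a constructed table illustrating Qing's on-link hypothesis, not Joe's actual failing output.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): decide whether a
# tunnel peer is reached via a host route on the tun interface, or whether
# a wider route on another interface wins the longest-prefix match instead.
#
# Usage on a live box:  netstat -rn -f inet | check_tunnel_route PEER TUNIF
# Exit status: 0 = host route on TUNIF, 1 = covered only by another route,
#              2 = no route covers PEER at all.
check_tunnel_route() {
    peer=$1
    tunif=$2
    awk -v peer="$peer" -v tunif="$tunif" '
    function ip2int(s,  a) {
        split(s, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # POSIX awk has no bitwise operators, so compare the top "len" bits of
    # two addresses by integer division instead of masking.
    function covers(net, len, ip,  d) {
        d = 2 ^ (32 - len)
        return int(ip2int(net) / d) == int(ip2int(ip) / d)
    }
    BEGIN { best = -1 }
    $1 == "Destination" || NF < 6 { next }       # column header, section titles
    {
        dest = $1; bits = 32
        if (dest == "default") { dest = "0.0.0.0"; bits = 0 }
        else if (split(dest, p, "/") == 2) { dest = p[1]; bits = p[2] + 0 }
        if (dest !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next   # skip inet6/link rows
        # keep the most specific covering route, as the kernel lookup does
        if (bits > best && covers(dest, bits, peer)) {
            best = bits; bflags = $3; bif = $6
        }
    }
    END {
        if (best < 0) { print "no route covers " peer; exit 2 }
        if (bflags ~ /H/ && bif == tunif) {
            print peer ": host route on " bif " (flags " bflags "), replies enter the tunnel"
            exit 0
        }
        print peer ": best match is a /" best " route on " bif " (flags " bflags "), not a host route on " tunif
        exit 1
    }'
}

# Working table, copied from the netstat output in the mail above.
GOOD_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    31659    em0
127.0.0.1          link#3             UH          0      720    lo0
172.18.254.0/24    link#1             U           0        8    em0
172.18.254.237/32  link#1             U           0        8    em0
172.18.254.240     link#5             UH          0     1060   tun0'

# Constructed table (not the original poster's real failing output): the peer
# is covered only by the LAN subnet route, so the kernel treats it as on-link
# via em0 and never hands the translated reply to tun0.
BROKEN_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    31659    em0
127.0.0.1          link#3             UH          0      720    lo0
172.18.254.0/24    link#1             U           0        8    em0
172.18.254.237/32  link#1             U           0        8    em0'

for table in "$GOOD_TABLE" "$BROKEN_TABLE"; do
    printf '%s\n' "$table" | check_tunnel_route 172.18.254.240 tun0 || echo "  -> exit status $?"
done
```

On a real system pipe `netstat -rn -f inet` into the function; a non-zero status is the quick way to tell a routing-table regression from a natd one before reaching for tcpdump.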