Date: Tue, 26 Mar 2013 17:28:41 +0200
From: Jukka Ukkonen <jau@oxit.fi>
To: ipfw@freebsd.org
Subject: kernel NAT with ipfw failing
Message-ID: <5151BEA9.2080907@oxit.fi>

Hello,

Does anyone have a confirmed working example (one that is in daily
active use) of the ipfw NAT inside the kernel?

I have been trying to create a 1-to-1 static NAT between a small
intranet and the corresponding external addresses. This keeps
persistently failing and whatever I do the intranet addresses
are being leaked out of the external NIC.

I am starting to suspect there is something going seriously wrong
with the NAT implementation in ipfw.

All the necessary kernel modules should be loaded...

     9    1 0xffffffff81a30000 79a0     if_tap.ko
    10    4 0xffffffff81a38000 1ad58    ipfw.ko
    11    2 0xffffffff81a53000 6aa8     bridgestp.ko
    12    1 0xffffffff81a5a000 e620     if_bridge.ko
    ...
    51    2 0xffffffff81ebe000 14510    libalias.ko
    52    1 0xffffffff81ed3000 4118     ipfw_nat.ko
    53    1 0xffffffff81ed8000 4c60     ipdivert.ko
    54    1 0xffffffff81edd000 15aa0    dummynet.ko

Checksum offloading has been turned off from the interfaces,
both internal and external. (em0, em1)

The output from 'uname -a' is...

    FreeBSD sleipnir 9.1-STABLE FreeBSD 9.1-STABLE #0 r248699M: Mon Mar 25 12:26:33 EET 2013 root@sleipnir:/usr/obj/usr/src/sys/Sleipnir amd64

The only real difference between the GENERIC kernel and my own
custom kernel is the setting...

    options ROUTETABLES=4

Could this break the NAT implementation?

I have previously done similar things using divert sockets and
the natd. They have always worked just fine, except they have
maybe wasted some time and resources bouncing back and forth
between the kernel and user space.
So, this has been a very surprising experience.

What should I try next?

Cheers,
--jau