Date:      Thu, 18 Dec 2008 17:02:25 -0500
From:      Joe Marcus Clarke <marcus@FreeBSD.org>
To:        "Li, Qing" <qing.li@bluecoat.com>
Cc:        current <current@FreeBSD.org>
Subject:   RE: NAT (ipfw/natd) broken in latest -CURRENT
Message-ID:  <1229637745.60337.62.camel@shumai.marcuscom.com>
In-Reply-To: <B583FBF374231F4A89607B4D08578A4302A26B5F@bcs-mail03.internal.cacheflow.com>
References:  <1229476796.49670.7.camel@shumai.marcuscom.com> <B583FBF374231F4A89607B4D08578A4302A26B5F@bcs-mail03.internal.cacheflow.com>



On Thu, 2008-12-18 at 12:53 -0800, Li, Qing wrote:
> Hi Joe,
>
> I have been trying to recreate your problem but my setup seems to
> work. I then noticed in your original netstat output the p2p
> host route installed by the tunnel interface has the "G" flag
> set. This will certainly cause a routing problem because that
> route is not an indirect route. I modified the kernel code to simulate
> this condition and I do see the error on output, which is expected.
>
> I assume this problem is consistently reproducible in your setup?

Absolutely.  Every time I set up the p2p tunnel with the non-proxy ARP
address range, traffic flows outbound but never inbound.  Your
analysis sounds correct.  The kernel doesn't know the interface on which
to encapsulate the return traffic.

Joe

>
> -- Qing
>
>
> > -----Original Message-----
> > From: owner-freebsd-current@freebsd.org [mailto:owner-freebsd-
> > current@freebsd.org] On Behalf Of Joe Marcus Clarke
> > Sent: Tuesday, December 16, 2008 5:20 PM
> > To: current
> > Subject: NAT (ipfw/natd) broken in latest -CURRENT
> >
> > I just upgraded my i386 -CURRENT box from November 14 to today, and now
> > my SSH-over-PPP VPN tunnel no longer works.  I did some packet captures,
> > and it appears that NAT is no longer working.  If I send a telnet packet
> > from my client side over the PPP tunnel, I see the SYN go out on the
> > server side network properly translated.  The destination host ACKs
> > correctly, but the ACK never goes back across the tunnel.  It's as if
> > natd is no longer translating the packet on the inbound path.  Besides
> > the upgrade, nothing has changed in my environment.
> >
> > My ipfw show looks like:
> >
> > 00050 22974 4677637 divert 8668 ip4 from any to any via em0
> > 00100   194   20696 allow ip from any to any via lo0
> > 00200     0       0 deny ip from any to 127.0.0.0/8
> > 00300     0       0 deny ip from 127.0.0.0/8 to any
> > 65000 24714 4934785 allow ip from any to any
> > 65535     5     396 deny ip from any to any
> >
> > I am running natd as:
> >
> > /sbin/natd -s -m -skinny_port 2000 -n em0
> >
> > The ifconfig for my tunnel interface is:
> >
> > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1300
> > 	inet 10.1.1.1 --> 10.1.1.76 netmask 0xffffff00
> > 	inet6 fe80::211:11ff:fe10:461e%tun0 prefixlen 64 scopeid 0x5
> > 	Opened by PID 8018
> >
> > My netstat on the server side looks like:
> >
> > Internet:
> > Destination        Gateway            Flags    Refs      Use  Netif Expire
> > default            172.18.254.1       UGS         0    46685    em0
> > 10.1.1.76          link#5             UGH         0     1735   tun0
> > 127.0.0.1          link#3             UH          0     1171    lo0
> > 172.18.254.0/24    link#1             U           0        0    em0
> > 172.18.254.237/32  link#1             U           0        8    em0
> >
> > The server's uname is:
> >
> > FreeBSD jclarke-pc.cisco.com 8.0-CURRENT FreeBSD 8.0-CURRENT #130: Tue
> > Dec 16 15:42:09 EST 2008
> > marcus@jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC  i386
> >
> > The previous, working uname was:
> >
> > FreeBSD 8.0-CURRENT #129: Fri Nov 14 13:51:50 EST 2008
> >     marcus@jclarke-pc.cisco.com:/usr/obj/usr/src/sys/JCLARKE-PC
> >
> > Joe
> >
> > --
> > Joe Marcus Clarke
> > FreeBSD GNOME Team      ::      gnome@FreeBSD.org
> > FreeNode / #freebsd-gnome
> > http://www.FreeBSD.org/gnome
>
--
Joe Marcus Clarke
FreeBSD GNOME Team      ::      gnome@FreeBSD.org
FreeNode / #freebsd-gnome
http://www.FreeBSD.org/gnome
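As an added diagnostic that is not part of the thread: a script that walks the netstat routing table Joe posted and reports routes whose gateway is a link-level address (link#N), i.e. a direct route, yet carry the G (indirect/gateway) flag, the inconsistency Qing points at on the tun0 host route. The function names and the embedded sample table (copied from the quoted report) are mine.

```python
"""Find routes that claim to be both direct (gateway is link#N) and
indirect (G flag set).  Added example; the table below is constructed
from the netstat output quoted in the thread, not captured live."""

# Constructed sample: the server-side routing table from Joe's report,
# with the wrapped "Expire" header rejoined onto the header line.
NETSTAT_OUTPUT = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.18.254.1       UGS         0    46685    em0
10.1.1.76          link#5             UGH         0     1735   tun0
127.0.0.1          link#3             UH          0     1171    lo0
172.18.254.0/24    link#1             U           0        0    em0
172.18.254.237/32  link#1             U           0        8    em0
"""


def parse_routes(text):
    """Return (destination, gateway, flags, netif) tuples from netstat -rn
    style output.  Section and column-header lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has at least dest, gateway, flags, refs, use, netif.
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        dest, gw, flags, netif = fields[0], fields[1], fields[2], fields[5]
        routes.append((dest, gw, flags, netif))
    return routes


def inconsistent_direct_routes(routes):
    """A link#N gateway means the next hop is the interface itself, so the
    route is direct and must not carry G.  Returns the offending
    (destination, netif, flags) triples."""
    bad = []
    for dest, gw, flags, netif in routes:
        if gw.startswith("link#") and "G" in flags:
            bad.append((dest, netif, flags))
    return bad


if __name__ == "__main__":
    for dest, netif, flags in inconsistent_direct_routes(parse_routes(NETSTAT_OUTPUT)):
        print(f"{dest} via {netif}: flags {flags} set G on a direct (link#) route")
```

On the sample table the only hit is 10.1.1.76 via tun0 (UGH); feeding it the output of a live `netstat -rn` works the same way.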
