Date: Tue, 28 Oct 2014 05:32:17 -0200 From: Raimundo Santos <raitech@gmail.com> To: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org> Subject: ipfw fwd duplicating packets in 9.3-RELEASE Message-ID: <CAGQ6iC-0PJApN=yyhit-Lih5ozTABsXJBV5TXQ7XVf9tpAfbdQ@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hello list! I was testing the behaviour of fwd in ipfw from FreeBSd 9.3-RELEASE, latest updates, GENERIC kernel, in this setup: 1x FreeBSD 9.3 as router, with 3 network interfaces 5x OpenBSD 5.5 as network machines, each one connected to FreeBSD via one port. It is a virtual env. FreeBSD em0 (192.168.0.1) -> OpenBSD#1 em0 (192.168.0.2) FreeBSD em1 (192.168.1.1) -> OpenBSD#2 em0 (192.168.1.2) FreeBSD em2 (192.168.2.1) -> OpenBSD#3 em0 (192.168.2.2) FreeBSD em3 (192.168.3.1) -> OpenBSD#4 em0 (192.168.3.2) FreeBSD em4 (192.168.4.1) -> OpenBSD#5 em1 (192.168.4.2) ipfw rule: fwd 192.168.0.2 proto icmp src-ip 192.168.4.2 in recv em4 Then a ping 192.168.1.2 was issued from OpenBSD#5. Interestingly, this rule put a packet on em0 and em1 in FreeBSD. The packet successfully arrived at OpenBSD#1, where it was discarded, and at OpenBSD#2, where it got its reply. Only these combinations of interface direction do not duplicate the packet: out xmit fwd 192.168.0.2 proto icmp src-ip 192.168.4.2 out xmit em1 and fwd 192.168.0.2 proto icmp src-ip 192.168.4.2 out via em1 Even out recv em4 xmit em1 leads to packet duplication. I think that it is a bad thing for PBR. As I can see from these tests, I can not use all the options to do PBR. In my real needs I have to: 1. let web traffic flow to an cache appliance (from internal network to cache, from internet to cache) 2. do NAT for the internal network under three different links In theory, fwd + in kernel NAT + one_pass=0 could solve the problem. But I am hitting my head in the wall for almost three weeks on this, only now I have the time to test in a more clear way. First I blamed the NAT, after that the one_pass=0, and now, with these results, well... Someone has an explanation about it? Something related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=129036? For my real needs, I figured out that it works with <...before NAT aliasing...> fwd CACHE_IP proto tcp src-ip table(INT) dst-port 80 out recv INT_IFACE <...after NAT dealiasing...> fwd CACHE_IP proto tcp dst-ip table(INT) src-port 80 out recv EXT_IFACE But I am not confident that it will remains in good shape without knowing exactly why fwd behaves that way. Thank you in advance for your time, Raimundo Santos
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGQ6iC-0PJApN=yyhit-Lih5ozTABsXJBV5TXQ7XVf9tpAfbdQ>