DaemonForums > FreeBSD > FreeBSD General

#1
Old 11th July 2008
EvanED
New User
Join Date: Jul 2008
Posts: 2
Weird NAT issues
I'm having problems with my NAT box. Basically, things work in general, but when visiting a fresh site (from inside the LAN), it usually doesn't get a DNS response right away. In addition, it will occasionally forget the IP, at which point it goes back to that. Refreshing after it times out works about 70% of the time, and refreshing after a couple of timeout periods is almost guaranteed to work. I *think* that, while the computer on the LAN side of the NAT gateway is having problems, if I open up Lynx on the gateway itself it works, but it could just be a timing thing.

The NAT gateway runs FreeBSD 7. There is one computer on the LAN side, running Windows Server 2008 (as a desktop). The network card facing outside is vr0, the one facing inside is em0. (There is also a ral0 wireless card, but it is unused at the moment.)

My "ISP" is actually just another NAT box provided by the apartment; it gives out 192.168 addresses, so to avoid confusion I'm using 10.0 addresses on the LAN.

My /etc/rc.conf:
Code:
keymap="us.dvorak"

ifconfig_vr0="DHCP"
hostname="Conrad.gateway.2wire.net"

zfs_enable="YES"

gateway_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

dhcpd_enable="YES"
dhcpd_ifaces="em0"

samba_enable="YES"
maradns_enable="YES"
sshd_enable="YES"
My /etc/ipnat.rules
Code:
map vr0  10.0.0.0/24 -> 0/32 portmap tcp/udp auto
map ral0 192.168.128.0/24 -> 0/32 portmap tcp/udp auto
The second rule would be for the wireless network if I were worrying about getting that working at the moment. (Low priority.)

I installed the net/isc-dhcp3-server port. /usr/local/etc/dhcpd.conf:
Code:
option domain-name "me.org";
option domain-name-servers 192.168.1.254; #10.0.0.1;   **

default-lease-time 86400;
max-lease-time 604800;

ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0 {
  ## this is the external network; vr0 has 192.168.1.74
}

subnet 10.0.0.0 netmask 255.0.0.0 {
  range 10.0.0.100 10.0.0.200;
  option routers 10.0.0.1;
}

subnet 192.168.128.0 netmask 255.255.255.0 {
  ## this is what i would be using for the wireless network
  range 192.168.128.100 192.168.128.200;
  option routers 192.168.128.1;
}
** I also have MaraDNS installed, and tried it with that. It seemed to have similar problems. 192.168.1.254 is the DNS server you get from the ISP's NAT.

Windows picks up the DNS server and gateway fine:
Code:
C:\>ipconfig /all
...
   DHCP Enabled. . . . . . . . . . . : Yes
...
   IPv4 Address. . . . . . . . . . . : 10.0.0.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
...
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.168.1.254
There are also a bunch of console messages from smbd every few minutes about denying connections from addresses on the outside of the NAT box, and I am running Samba inside, and it works fine.

Any idea what's wrong or how to go about debugging this?

I had a FreeBSD 6.2 server up for a while and don't remember having problems getting the basics working, but it was with slightly different hardware (processor and motherboard) because I wanted ZFS.
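Before chasing the DNS symptom, one check worth running on the files quoted above is whether the DHCP pools and the ipnat map rules agree: ipnat only translates the source prefix listed in the map rule (0/32 as the target means "the address of that interface"), while dhcpd hands clients the netmask of the subnet declaration the pool lives in. The following is an added Python example, not code from the post or from any FreeBSD or ISC tool; it embeds the two fragments above as constructed sample input and reports pools no map covers, declared subnets wider than the map that covers the pool, and routers advertised outside their subnet. On the posted files it flags the 10.0.0.0 netmask 255.0.0.0 declaration: clients receive a /8 mask (as the ipconfig output shows) while only 10.0.0.0/24 is translated. The leased range 10.0.0.100-200 sits inside the /24, so this is a latent mismatch rather than a proven cause of the symptom.

```python
import ipaddress
import re

# Constructed sample input: the ipnat.rules and dhcpd.conf fragments quoted in the post,
# embedded here so the check runs offline.
IPNAT_RULES = """\
map vr0  10.0.0.0/24 -> 0/32 portmap tcp/udp auto
map ral0 192.168.128.0/24 -> 0/32 portmap tcp/udp auto
"""

DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
  ## external network, no pool
}
subnet 10.0.0.0 netmask 255.0.0.0 {
  range 10.0.0.100 10.0.0.200;
  option routers 10.0.0.1;
}
subnet 192.168.128.0 netmask 255.255.255.0 {
  range 192.168.128.100 192.168.128.200;
  option routers 192.168.128.1;
}
"""

MAP_RE = re.compile(r'^\s*map\s+(\S+)\s+(\S+)\s+->\s+(\S+)')
SUBNET_RE = re.compile(r'subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}')
RANGE_RE = re.compile(r'\brange\s+(\S+)\s+(\S+)\s*;')
ROUTERS_RE = re.compile(r'option\s+routers\s+(\S+)\s*;')


def parse_ipnat_maps(text):
    """Return [(interface, source_network, target)] for each ipnat 'map' rule.
    A target of 0/32 means 'the interface's own address'."""
    maps = []
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            maps.append((m.group(1), ipaddress.ip_network(m.group(2), strict=False), m.group(3)))
    return maps


def parse_dhcpd_subnets(text):
    """Return one dict per subnet declaration: network, (low, high) pool or None, router or None."""
    subnets = []
    for m in SUBNET_RE.finditer(text):
        # ipaddress accepts the dotted-netmask form, e.g. 10.0.0.0/255.0.0.0
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        body = m.group(3)
        r = RANGE_RE.search(body)
        pool = (ipaddress.ip_address(r.group(1)), ipaddress.ip_address(r.group(2))) if r else None
        g = ROUTERS_RE.search(body)
        subnets.append({'subnet': net, 'pool': pool,
                        'routers': ipaddress.ip_address(g.group(1)) if g else None})
    return subnets


def check_nat_coverage(maps, subnets):
    """Report pools that no map translates, declared subnets wider than the map that
    covers the pool, and routers advertised outside their own subnet."""
    findings = []
    for s in subnets:
        if s['pool'] is None:
            continue                      # nothing is leased from this declaration
        low, high = s['pool']
        covering = [n for _, n, _ in maps if low in n and high in n]
        if not covering:
            findings.append(f"pool {low}-{high}: no ipnat map rule covers it")
            continue
        nat = covering[0]
        if s['subnet'].prefixlen < nat.prefixlen:
            findings.append(f"pool {low}-{high}: declared subnet {s['subnet']} is wider than "
                            f"NAT map {nat}; clients receive netmask {s['subnet'].netmask}")
        if s['routers'] is not None and s['routers'] not in s['subnet']:
            findings.append(f"pool {low}-{high}: router {s['routers']} lies outside {s['subnet']}")
    return findings


if __name__ == '__main__':
    for finding in check_nat_coverage(parse_ipnat_maps(IPNAT_RULES), parse_dhcpd_subnets(DHCPD_CONF)):
        print(finding)
```

Running it prints a single finding for the 10.0.0.0/8 declaration. The regexes deliberately cover only the `map`, `subnet`, `range` and `option routers` forms that appear in the post; real ipnat and dhcpd grammars are larger, so treat this as a quick sanity check rather than a full parser.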
#2
Old 11th July 2008
18Googol2
Spam Deminer
Join Date: Apr 2008
Posts: 283
Quote:
Originally Posted by EvanED
In addition, it will occasionally forget the IP at which point it goes back to that.
Sorry for not reading your full post, I'm in a rush atm.

For which site does the DNS server *forget* the IP? I suspect the TTL is too short here. IIRC, there are some sites like Facebook which use DNS round robin; the TTL is set to only 1 min. If the next DNS request is > 1 min after the previous one, the DNS server *forgets* the IP (A record) and needs to query the authoritative DNS server of the Facebook site again.

TTL can be checked with dig.
#3
Old 11th July 2008
EvanED
Virtually any. Google, Slashdot, Facebook, Microsoft, Daemonforums, XKCD; pretty much if I've gone to the site more than a time or two, I've seen this issue.
#4
Old 11th July 2008
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
You could use tcpdump to look at the DNS traffic passing through your FreeBSD box:
Code:
# tcpdump -nvv -i vr0 -s512 port domain
You can also run two instances of tcpdump: one for the outside interface vr0 and a second for the internal interface em0.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
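What the two tcpdump instances produce is a stream of DNS queries and responses, and the questions in this thread reduce to matching them up: did every query from the LAN get a response, how long did it take, and how short is the TTL on the answers (18Googol2's round-robin point)? The following is an added Python example, not code from any poster; it parses DNS wire format far enough to read the question and A-record answers and correlates queries with responses by transaction ID and question, as a stub resolver does. The packets are constructed with a small builder included in the block (labelled as such) rather than read from a pcap, so the example runs offline; feeding it real payloads from a `tcpdump -w` capture would need a pcap reader, which is assumed and not shown.

```python
import struct

# ---- tiny builder, used only to construct the sample "capture" below ----
def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b''.join(bytes([len(l)]) + l.encode('ascii') for l in name.rstrip('.').split('.'))
    return out + b'\x00'

def build_query(txid, name):
    """Recursive A query: flags 0x0100 = RD set, one question, no answers."""
    return struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack('!HH', 1, 1)

def build_response(txid, name, addrs, ttl):
    """Answer with one A record per address; flags 0x8180 = QR, RD, RA, NOERROR."""
    msg = struct.pack('!HHHHHH', txid, 0x8180, 1, len(addrs), 0, 0) + _encode_name(name) + struct.pack('!HH', 1, 1)
    for a in addrs:  # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, ttl, 4) + bytes(int(x) for x in a.split('.'))
    return msg

# ---- parser: enough of RFC 1035 to read questions and A answers ----
def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset just past it in this record)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # pointer: follow it, but resume after the 2 bytes
            if end is None:
                end = off + 2
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), (off if end is None else end)

def parse_dns(msg):
    """Return id, QR flag, rcode, [(qname, qtype)] and [(name, type, ttl, rdata)]."""
    txid, flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack('!HH', msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record: render as dotted quad
            rdata = '.'.join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {'id': txid, 'is_response': bool(flags & 0x8000), 'rcode': flags & 0xF,
            'questions': questions, 'answers': answers}

def correlate(capture):
    """capture: list of (seconds, udp_payload) in arrival order.
    Returns (answered, unanswered): answered entries carry round-trip time, record count
    and the smallest TTL in the answer; unanswered are queries with no matching response."""
    pending, answered = {}, []
    for ts, payload in capture:
        m = parse_dns(payload)
        key = (m['id'], m['questions'][0] if m['questions'] else ('?', 0))
        if not m['is_response']:
            pending[key] = ts
        elif key in pending:                   # match on ID *and* question, like a stub resolver
            answered.append({'name': key[1][0], 'rtt': ts - pending.pop(key), 'rcode': m['rcode'],
                             'records': len(m['answers']),
                             'min_ttl': min((a[2] for a in m['answers']), default=None)})
    unanswered = [{'id': k[0], 'name': k[1][0], 'sent': t} for k, t in pending.items()]
    return answered, unanswered

def sample_capture():
    """Constructed stand-in for the DNS packets tcpdump would show (TEST-NET addresses)."""
    return [
        (0.000, build_query(0x1234, 'example.com')),
        (0.042, build_response(0x1234, 'example.com', ['192.0.2.10', '192.0.2.11'], 60)),  # round robin, short TTL
        (1.000, build_query(0x1235, 'example.net')),    # never answered
        (6.000, build_query(0x1236, 'example.net')),    # the resolver's retry carries a new ID
        (6.031, build_response(0x1236, 'example.net', ['192.0.2.20'], 3600)),
    ]

if __name__ == '__main__':
    answered, unanswered = correlate(sample_capture())
    for a in answered:
        print(f"{a['name']}: {a['records']} record(s), rtt {a['rtt'] * 1000:.0f} ms, min TTL {a['min_ttl']}s")
    for u in unanswered:
        print(f"{u['name']} (id 0x{u['id']:04x}) sent at {u['sent']:.3f}s: no response")
```

Run against the LAN-side capture (em0) this separates "the client never got an answer" from "the answer arrived but the TTL is so short that the next visit needs a fresh lookup"; run against both interfaces, a query seen on em0 but never on vr0 points at the gateway rather than the upstream resolver.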