FreeBSD General: Other questions regarding FreeBSD which do not fit in any of the categories below.
I have a device rl0 for the wan and a device rl1 for the lan. The lan has no problem leasing clients via dhcpd and the wan has no problem retrieving a lease via dhclient. The problem is that the traffic coming from the lan does not pass on to the wan. I'm assuming I may have a routing problem, but I'm not sure. Any assistance is appreciated; please let me know if you need more information. Here is the critical configuration info:
Code:
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            XXX.XXX.XXX.1      UGS         0        5    rl0
XXX.XXX.XXX/22     link#1             UC          0        0    rl0
XXX.XXX.XXX.1      00:1a:2f:8b:30:05  UHLW        2        0    rl0   1199
127.0.0.1          127.0.0.1          UH          0        0    lo0
169.254.75/24      link#2             UC          0        0    rl1
169.254.75.254     00:1f:33:cd:a9:59  UHLW        1      358    rl1   1170
----------------
# cat /etc/rc.conf
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
ipnat_enable="YES"
ifconfig_rl1="inet 169.254.75.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_ifaces="rl1"
sshd_enable="YES"
ifconfig_rl0="DHCP"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
------------------
# cat /etc/ipfw.rules
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# deny and log everything
$IPF 500 deny log all from any to any
----------------------
# cat /usr/src/sys/i386/conf/MYKERNEL
[truncated]
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPDIVERT
[truncated]

Last edited by Magoo; 30th October 2008 at 01:39 AM.
I tried doing the following now:
Code:
Firewall rules added to beginning:
/sbin/ipfw add divert natd all from any to any via rl0
/sbin/ipfw add pass all from any to any

Added to rc.conf:
natd_flags="-f /etc/natd.conf"

Added to /etc/natd.conf:
interface rl0
use_sockets yes
same_ports yes
dynamic yes

I also added

Code:
map rl0 169.254.75.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map rl0 169.254.75.0/24 -> 0.0.0.0/32

to ipnat.conf and then ran ipnat -f /etc/ipnat.conf. Still with no success.

I tried putting the ruleset you listed in ipfw.rules by itself and I still didn't see traffic passing from rl1 to rl0. I also tried those rules in conjunction with the rules I listed in different orders and it still didn't pass through. I replaced <privatesubnet> with 169.254.75.0/24 by the way. Any ideas what I might be doing wrong?
Code:
---
# ifconfig rl0
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet XXX.XXX.XXX.69 netmask 0xfffffe00 broadcast 255.255.255.255
        ether 00:c0:f0:54:c0:bd
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
---
# ifconfig rl1
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 169.254.75.1 netmask 0xffffff00 broadcast 169.254.75.255
        ether 00:50:ba:5f:0c:d4
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
---
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            XXX.XXX.XXX.1      UGS         0        4    rl0
XXX.XXX.XXX/23     link#1             UC          0        0    rl0
XXX.XXX.XXX.1      00:1a:2f:8b:30:05  UHLW        2        0    rl0   1190
127.0.0.1          127.0.0.1          UH          0        0    lo0
169.254.75/24      link#2             UC          0        0    rl1
169.254.75.254     00:1f:33:cd:a9:59  UHLW        2      194    rl1   1160

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#3                        UHL         lo0
ff01:3::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
---
# pgrep -lf natd
419 natd -same_ports -use_sockets -dynamic -interface rl0
---
# ipfw show
00010    0     0 allow ip from any to any via lo0
00020    0     0 deny ip from any to 127.0.0.0/8
00030    0     0 deny ip from 127.0.0.0/8 to any
00040    0     0 deny tcp from any to any frag
00050    0     0 check-state
00060  685 69553 allow tcp from any to any established
00070    9   697 allow ip from any to any out keep-state
00080    1    61 allow icmp from any to any
00130    3   180 allow tcp from any to any dst-port 22 in
00140    0     0 allow tcp from any to any dst-port 22 out
00170    0     0 allow udp from any to any dst-port 53 in
00175    0     0 allow tcp from any to any dst-port 53 in
00180    0     0 allow udp from any to any dst-port 53 out
00185    0     0 allow tcp from any to any dst-port 53 out
00200    0     0 allow tcp from any to any dst-port 80 in
00210    0     0 allow tcp from any to any dst-port 80 out
00341    2    80 divert 8668 ip from any to me in recv rl0
00342    0     0 allow ip from any to 169.254.75.0/24 in recv rl0
00343    0     0 allow ip from any to 169.254.75.0/24 out xmit rl1
00344    0     0 allow ip from 169.254.75.0/24 to any in recv rl1
00345    0     0 divert 8668 ip from 169.254.75.0/24 to any out xmit rl0
00346    0     0 allow ip from me to any out xmit rl0
00500   52 19988 deny log logamount 10 ip from any to any
65535    0     0 allow ip from any to any

Ah, you're using stateful filtering rules and natd. Good luck with that.

Try it without the stateful rules. You're also using link-local auto-configuration IPs (169.254.x.x). Try using a proper private subnet like 192.168.x.x, or 10.x.x.x. Other than that, the network config looks correct.
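As an added example (not from the thread), a small Python check that reads `ipfw show` output like the one posted above and reports, for each `divert` rule, the earlier catch-all allow rules (the `established` and `keep-state` rules here) that match first and so keep natd from ever seeing those packets; it also lists the rules that name 169.254/16 link-local addresses. The sample input is a constructed subset of the ruleset shown in the thread.

```python
import re

# Constructed sample: a subset of the `ipfw show` output posted in this thread.
IPFW_SHOW = """\
00010 0 0 allow ip from any to any via lo0
00060 685 69553 allow tcp from any to any established
00070 9 697 allow ip from any to any out keep-state
00080 1 61 allow icmp from any to any
00341 2 80 divert 8668 ip from any to me in recv rl0
00344 0 0 allow ip from 169.254.75.0/24 to any in recv rl1
00345 0 0 divert 8668 ip from 169.254.75.0/24 to any out xmit rl0
"""
# `ipfw show` columns: number, packets, bytes, action, rest of the rule.
RULE_RE = re.compile(r"^(\d+)\s+\d+\s+\d+\s+(\S+)\s+(.*)$")
IFACE_WORDS = ("via", "recv", "xmit")

def parse_ipfw_show(text):
    """Parse `ipfw show` lines into dicts: number, action, proto, words."""
    rules = []
    for m in filter(None, (RULE_RE.match(line.strip()) for line in text.splitlines())):
        number, action, body = m.groups()
        words = body.split()
        # divert carries its port before the protocol: "divert 8668 ip from ..."
        proto = words[1] if action == "divert" else words[0]
        rules.append({"number": int(number), "action": action, "proto": proto, "words": words})
    return rules

def direction(rule):
    return next((w for w in ("in", "out") if w in rule["words"]), "any")

def shadowed_diverts(rules):
    """(divert_no, allow_no, proto) for every earlier catch-all allow (from any to any,
    no interface clause, compatible direction): it matches first, so natd never sees those packets."""
    findings = []
    for div in (r for r in rules if r["action"] == "divert"):
        for prior in rules:
            if prior["number"] >= div["number"]:
                break
            catch_all = prior["action"] == "allow" and prior["words"][1:5] == ["from", "any", "to", "any"]
            if catch_all and not any(w in prior["words"] for w in IFACE_WORDS) \
                    and direction(prior) in ("any", direction(div)):
                findings.append((div["number"], prior["number"], prior["proto"]))
    return findings

def link_local_rules(rules):
    """Rule numbers whose body names an address in 169.254.0.0/16 (IPv4 link-local)."""
    return [r["number"] for r in rules if any(w.startswith("169.254.") for w in r["words"])]
```

On the sample, rule 70 (`keep-state`) shadows the outbound divert 345 for all IP traffic, and rule 60 (`established`) shadows both diverts for TCP, so replies from the WAN are accepted before natd can translate them back.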