bridged ipfw problem in FreeBSD 5.2beta

Ganbold ganbold at micom.mng.net
Sun Dec 7 18:55:05 PST 2003


Hi,

Thanks for the reply. How can I check for bridge collisions? I checked
netstat -in to see the network card states, but there are no collisions.
One strange thing is that even after a reboot the bridge doesn't work. Traffic from
outside is coming to the external interface but there is no traffic coming to the
internal interface. I rebooted several times, and I even tried to manually restart
ipfw with /etc/rc.d/ipfw restart. But no luck. Then I disconnected the cable from the
external card and connected it directly to my Cisco 4006 switch in order to pass all
traffic directly without the bridge. It of course worked. Then I disconnected the cable
and connected it again to the bridge machine's external network card. It didn't work.
Then I tried to restart ipfw and it worked again, luckily.
Does somebody have any idea?

At 08:57 AM 06.12.2003, you wrote:
>On Fri, 5 Dec 2003, Ganbold wrote:
>
> > Bridging works just fine, but after 4 hours it doesn't work. It happened
> > 3 times, all after 4 hours of operation. The machine itself was working
> > fine, only it seems it doesn't forward packets from the internal interface
> > to the external one, or the internal interface didn't receive anything.
>
>This sounded awfully familiar to me, so I did a little looking. I had a
>similar problem that I never completely tracked down, but I believe it had
>something to do with a bunch of devices (DLink DSL modems) that came
>poorly configured. This was on a 4.4-STABLE era FreeBSD box. Perhaps
>5.2Beta is a bit too bleeding edge for you, I'm still testing a
>5.1-RELEASE box and my servers are still on the 4-STABLE track.
>
>Anyways, at one point, there were 40 of those modems all trying to arp for
>a single IP address and the bridging code was constantly spewing bridge
>collision errors. After a while, the firewall completely stopped passing
>traffic until rebooted.
>
>My solution was to block the traffic from the MAC address range of those
>DSL modems as the first ipfw rule.
>
> > Can somebody tell me where I did wrong in config files? Is it problem
> > with NIC or problem with bridge? Or is it problem related to arp?
>
>My compliments on the amount of detail you've provided. I don't see
>anything obvious, other than the slightly confusing aspect of explicitly
>numbering ipfw rules for the first half of the script.
>
> > ${fwcmd} pipe 41 config bw 0kbit/s
> > ${fwcmd} pipe 42 config bw 0kbit/s
> >
> > ${fwcmd} add 60 pipe 41 all from 202.179.xxx.xxx/27 to any in via fxp1
> > ${fwcmd} add 61 pipe 42 all from any to 202.179.xxx.xxx/27 in via fxp0

This is for traffic shaping purposes. 0 means unlimited bandwidth :)

>That gave me a good chuckle, I would guess that you've shut off a
>customer's access for some reason. Giving them 0 bandwidth is certainly a
>solution that had never crossed my mind.
>
> > options         TCPDEBUG
> > options         IPSTEALTH
>
>TCPDEBUG is undocumented, and IPSTEALTH may not be required. I don't use
>IPSTEALTH myself, never saw a real need. Might want to try without them,
>TCPDEBUG sounds scary.

Yes, I just included those in case there is some situation where they are needed.

> > net.link.ether.inet.max_age=1200
> >
> > net.inet.ip.sourceroute=0
> > net.inet.ip.accept_sourceroute=0
> > net.inet.icmp.bmcastecho=0
> > net.inet.icmp.maskrepl=0
> >
> > net.inet.tcp.blackhole=2
> > net.inet.udp.blackhole=1
> >
> > net.inet.ip.fw.dyn_ack_lifetime=3600
> > net.inet.ip.fw.dyn_udp_lifetime=10
> > net.inet.ip.fw.dyn_buckets=1024
>
>These look fairly good to me, I haven't had to go so far as touching most
>of them on my current box (P4 2.4GHz, with 2 Intel Pro100 and a 3C905,
>peaking at 40Mbit)
>
>---
>Jon Simola <jon at abccom.bc.ca> | "In the near future - corporate networks
>     Systems Administrator     |  reach out to the stars, electrons and light
>      ABC  Communications      |  flow throughout the universe." -- GITS
>
>_______________________________________________
>freebsd-ipfw at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
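The failure mode Jon describes above (dozens of devices all ARPing for one IP, mitigated by blocking their MAC range as the first ipfw rule) can be confirmed from a capture before any rule is written. The following is an added example, not code from either poster; it assumes `tcpdump -e -n arp`-style lines (the sample lines are constructed) and reports target IPs requested by unusually many distinct MACs, broken down by OUI so you can see whether one vendor prefix covers them.

```python
import re
from collections import defaultdict

# Assumed input format (constructed for this example), modelled on `tcpdump -e -n arp`:
#   <time> <src-mac> > <dst-mac>, ethertype ARP (0x0806), length 42: arp who-has <target> tell <sender>
ARP_RE = re.compile(
    r"^\S+\s+(?P<src>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype ARP .*?: "
    r"arp who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell \d+\.\d+\.\d+\.\d+$"
)

def parse_arp_requests(lines):
    """Yield (src_mac, target_ip) for each ARP who-has line; other lines are skipped."""
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m:
            yield m.group("src").lower(), m.group("target")

def find_arp_storms(lines, min_requesters=3):
    """Map each target IP asked for by >= min_requesters distinct MACs to the number of
    requesters and a per-OUI (first three octets) count.  A single OUI covering most
    requesters is what makes a first-rule MAC block, as suggested in the thread, workable."""
    requesters = defaultdict(set)          # target IP -> set of source MACs
    for mac, target in parse_arp_requests(lines):
        requesters[target].add(mac)
    storms = {}
    for target, macs in requesters.items():
        if len(macs) >= min_requesters:
            ouis = defaultdict(int)
            for mac in macs:
                ouis[mac[:8]] += 1
            storms[target] = {"requesters": len(macs), "ouis": dict(ouis)}
    return storms

# Constructed capture: five devices sharing a locally administered prefix (02:aa:bb) keep
# asking for 192.0.2.1; one ordinary host asks for 192.0.2.2; one non-ARP line is noise.
SAMPLE = [
    "12:00:00.000001 02:aa:bb:00:00:%02x > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: arp who-has 192.0.2.1 tell 192.0.2.%d" % (i, 100 + i)
    for i in range(1, 6)
] * 2 + [  # repeated twice: the same MAC re-asking must not count as a new requester
    "12:00:00.000002 02:cc:dd:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: arp who-has 192.0.2.2 tell 192.0.2.50",
    "12:00:00.000003 02:cc:dd:00:00:01 > 02:aa:bb:00:00:01, ethertype IPv4 (0x0800), length 98: ...",
]

if __name__ == "__main__":
    for target, info in find_arp_storms(SAMPLE).items():
        print(target, info)   # 192.0.2.1 {'requesters': 5, 'ouis': {'02:aa:bb': 5}}
```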