NAT issue in 8.1

Alan Hicks alan at p-o.co.uk
Wed Aug 11 09:30:51 UTC 2010


Thanks, works perfectly now,
Alan

On 08/10/10 18:59, Eugene Grosbein wrote:
> On Tue, Aug 10, 2010 at 04:33:02PM +0100, Alan Hicks wrote:
>
>> Having upgraded to Release-8.1, there appears to be an issue with
>> network address translation where a newly booted machine fails to set up
>> nat with the error 'ipfw: getsockopt(IP_FW_ADD): Invalid argument'
>
> That's because your kernel (GENERIC?) does not have ipdivert support enabled.
> That's not fatal, see later.
>
>>
>> Box has two interfaces em0 and xl0 (Dell PowerEdge 1600SC)
>>
>> rc.conf
>> ifconfig_xl0="inet 192.168.202.5 netmask 255.255.255.0"
>> ifconfig_em0="inet 192.168.0.2 netmask 255.255.255.0"
>> defaultrouter="192.168.0.1"
>> firewall_enable="YES"
>> firewall_type="open"
>> firewall_logging="yes"
>> natd_enable="YES"
>> natd_interface="em0"
>>
>> Boot excerpt from console, typed as it does not make it to
>> /var/log/messages so apologies for any typos
>>
>> add net default: gateway 192.168.0.1
>> Additional routing options: IP gateway=YES
>> Starting devd.
>> ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based
>> forwarding disabled, default to deny, logging disabled
>> load_dn_sched dn_sched FIFO loaded
>> load_dn_sched dn_sched QFQ loaded
>> load_dn_sched dn_sched RR loaded
>> load_dn_sched dn_sched WF2Q+ loaded
>> load_dn_sched dn_sched PRIO loaded
>> flushed all rules.
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 00300 deny ip from 127.0.0.0/8 to any
>> 00400 deny ip from any to ::1
>> 00500 deny ip from ::1 to any
>> 00600 allow ipv6-icmp from :: to ff02::/16
>> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
>> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
>> 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
>> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>> ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> At this point, there is still no ipdivert support loaded.
>
>> 65000 allow ip from any to any
>> Firewall rules loaded.
>> Firewall logging enabled.
>> Starting natd.
>
> At this point, kernel module ipdivert.ko is loaded.
>
>> Loading /lib/libalias_cuseeme.so
>> Loading /lib/libalias_ftp.so
>> Loading /lib/libalias_irc.so
>> Loading /lib/libalias_nbt.so
>> Loading /lib/libalias_pptp.so
>> Loading /lib/libalias_skinny.so
>> Loading /lib/libalias_smedia.so
>> Aug 10 12:02:53 natd[869]: Aliasing to 192.168.0.2, mtu 1500 bytes
>>
>> Although all appears to be ok, machines on the xl0 192.168.202.0/24
>> subnet can't see the internet.  Running /etc/rc.firewall manually fixes
>> the issue.
>
> ipdivert.ko is loaded, hence re-loading firewall rules helps.
>
>>
>> The machine was upgraded from 8.0 using unmodified cvs sources using
>> buildkernel, buildworld, installworld, installkernel mergemaster.
>>
>> Any help appreciated.
>
> Just load ipdivert.ko earlier by means of loader.conf:
>
> echo 'ipdivert_load="YES"' >> /boot/loader.conf
>
> Alternatively, rebuild the kernel with options IPFIREWALL and IPDIVERT.
>
> Eugene Grosbein
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>
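The boot-order hazard Eugene describes, written up as a preflight check (an added example, not code from the thread or from FreeBSD): it reads rc.conf and loader.conf the way rc(8) would, flags the case where natd is enabled but ipdivert.ko is not preloaded, and recognises the getsockopt error in a boot log. The helper names (rc_value, needs_ipdivert, ipdivert_preloaded, divert_rule_failed, check_nat_boot_order) and the sample files are my own constructions.

```shell
#!/bin/sh
# Check that ipfw+natd on FreeBSD will get its divert rule at boot:
# /etc/rc.firewall can only add "divert natd" if ipdivert is compiled in
# or preloaded from loader.conf. Sample files below are constructed; on a
# real host pass /etc/rc.conf, /boot/loader.conf and the boot log instead.

# Value of KEY=... in an rc-style file (last definition wins, quotes dropped).
rc_value() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'; }

# True when rc.conf starts both ipfw and natd, i.e. a divert rule is needed.
needs_ipdivert() {
    [ "$(rc_value "$1" firewall_enable)" = "YES" ] &&
    [ "$(rc_value "$1" natd_enable)" = "YES" ]
}

# True when loader.conf loads ipdivert.ko before the rc scripts run.
ipdivert_preloaded() { [ "$(rc_value "$1" ipdivert_load)" = "YES" ]; }

# True when a boot log shows the divert rule being rejected by the kernel.
divert_rule_failed() { grep -q 'ipfw: getsockopt(IP_FW_ADD): Invalid argument' "$1"; }

# Returns 0 if consistent, 1 if NAT would silently be missing after boot.
check_nat_boot_order() {
    if needs_ipdivert "$1" && ! ipdivert_preloaded "$2"; then
        echo "natd enabled in $1 but ipdivert not preloaded; add to $2:"
        echo '  ipdivert_load="YES"'
        return 1
    fi
    echo "ipfw/natd boot order OK"
}

# Constructed samples: rc.conf as in the report, loader.conf before/after fix.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/rc.conf" <<'EOF'
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="em0"
EOF
printf 'kern.ipc.shmmax=67108864\n' > "$tmp/loader.conf"
printf 'ipdivert_load="YES"\n' > "$tmp/fixed-loader.conf"
printf '01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136\nipfw: getsockopt(IP_FW_ADD): Invalid argument\n' > "$tmp/boot.log"

check_nat_boot_order "$tmp/rc.conf" "$tmp/loader.conf" || true   # reports the problem
check_nat_boot_order "$tmp/rc.conf" "$tmp/fixed-loader.conf"      # OK
divert_rule_failed "$tmp/boot.log" && echo "boot log shows the failed divert rule"
```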

