NAT (ipfw/natd) broken in latest -CURRENT

Julian Elischer julian at
Wed Dec 17 18:01:29 UTC 2008

Joe Marcus Clarke wrote:
> Marko Zec wrote:
>> On Wednesday 17 December 2008 10:34:54 Paolo Pisati wrote:
>>> Joe Marcus Clarke wrote:
>>>> I just upgraded my i386 -CURRENT box from November 14 to today, and
>>>> now my SSH-over-PPP VPN tunnel no longer works.  I did some packet
>>>> captures, and it appears that NAT is no longer working.  If I send
>>>> a telnet packet from my client side over the PPP tunnel, I see the
>>>> SYN go out on the server side network properly translated.  The
>>>> destination host ACKs correctly, but the ACK never goes back across
>>>> the tunnel.  It's as if natd is no longer translating the packet on
>>>> the inbound path.  Besides the upgrade, nothing has changed in my
>>>> environment.
>>> lately some work has been done on the vimage and routing tree stuff,
>>> thus your best bet  is to go back
>>> some days and try again.
>> Hi Joe,
>> could you try building your kernel with options VIMAGE_GLOBALS and tell 
>> us whether this makes any difference - turning on VIMAGE_GLOBALS should 
>> revert certain aspects of virtualization changes that recently got 
>> merged into the tree.
> Thanks for the suggestion, but the results are the same.  I turned on
> -verbose on natd, and I see the ACK packet come back from the
> destination, and natd is translating it correctly.  However, I never see
> the ACK on the remote end of the tunnel.  It looks like a routing
> problem at this point.  It's as if the kernel doesn't know on what
> interface to encapsulate the reply packet.

the arpv2 changes seem to have somehow changed point-to-point routes
so it may be related to that..
I'll wait for Qing or Kmacy to check....

> Joe
>> Cheers,
>> Marko

More information about the freebsd-current mailing list