ipfw nat and locally initiated UDP traffic
Dmitriy Demidov
dima_bsd at inbox.lv
Tue Jul 14 21:55:41 UTC 2009
Hi list.
I have a problem with ipfw nat. It makes me crazy (I really have no idea how
to troubleshoot this problem). Looks like ipfw nat does not pass through itself
locally initiated UDP traffic! Is there any hint that I do not know about ipfw
nat? Any clue please :(
ipfw configuration:
(fxp0 is the local network, and em0 is the ISP side)
===
add allow ip from any to any via fxp0
add allow udp from any 68 to any 67
add allow udp from any 67 to any 68
nat 1 config log if em0 reset same_ports deny_in
add nat 1 all from any to any via em0
===
When I start nslookup and do a query from the NAT machine, I get:
===
(tcpdump on em0)
23:24:10.591959 IP (tos 0x0, ttl 64, id 2646, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:15.591009 IP (tos 0x0, ttl 64, id 2647, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:20.591563 IP (tos 0x0, ttl 64, id 2674, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
(nslookup)
> server
Default server: 91.198.156.20
Address: 91.198.156.20#53
> forums.freebsd.org.
;; connection timed out; no servers could be reached
===
At the same time, if I make a query from a machine that is in the 192.168.1.0/24
network (behind the nat) I get the correct result:
===
(tcpdump on em0)
23:24:59.360796 IP (tos 0x0, ttl 63, id 581, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.61735 > 91.198.156.20.53: 16871+ A? forums.freebsd.org. (36)
23:25:01.052611 IP (tos 0x0, ttl 60, id 49380, offset 0, flags [none], proto UDP (17), length 224) 91.198.156.20.53 > 87.110.118.70.61735: 16871 2/3/3 forums.freebsd.org. CNAME[|domain]
(nslookup)
> server
Default server: 91.198.156.20
Address: 91.198.156.20#53
> forums.freebsd.org.
Server: 91.198.156.20
Address: 91.198.156.20#53
Non-authoritative answer:
forums.freebsd.org canonical name = freebsd-forums.liquidneon.com.
Name: freebsd-forums.liquidneon.com
Address: 149.20.54.209
===
On the NAT machine I'm using FreeBSD 7.2-STABLE (FreeBSD 7.2-STABLE #0: Wed Jun 24 12:59:06 EEST 2009 i386).
GENERIC kernel with extra options:
===
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_NAT
options LIBALIAS
options DUMMYNET
options HZ="1000"
device vlan
===
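The symptom in the post (queries leave em0 repeatedly, no reply ever comes back for the locally generated ones, while the forwarded LAN query is answered) can be checked mechanically from the same tcpdump -v output. The script below is an added example, not part of the original mail or of ipfw: it parses records in the format quoted above, pairs DNS queries with replies by (client address, client port, transaction id), and reports the queries that never got an answer. The sample records are constructed from the post's own lines; the TTL field is kept in the report because, with FreeBSD's default TTL of 64, a query that leaves em0 with TTL 64 originated on the NAT host itself while TTL 63 means it was forwarded from the LAN, which is exactly the distinction the post is about.

```python
import re

# Constructed sample in the tcpdump -v format quoted in the post, one record per line.
SAMPLE = """\
23:24:10.591959 IP (tos 0x0, ttl 64, id 2646, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:15.591009 IP (tos 0x0, ttl 64, id 2647, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:59.360796 IP (tos 0x0, ttl 63, id 581, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.61735 > 91.198.156.20.53: 16871+ A? forums.freebsd.org. (36)
23:25:01.052611 IP (tos 0x0, ttl 60, id 49380, offset 0, flags [none], proto UDP (17), length 224) 91.198.156.20.53 > 87.110.118.70.61735: 16871 2/3/3 forums.freebsd.org. CNAME[|domain]
"""

# Timestamp, IP TTL, source/destination address.port pairs and the DNS transaction id.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?ttl (?P<ttl>\d+),.*?length \d+\) "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<txid>\d+)"
)

def parse(text):
    """Parse tcpdump -v UDP records; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ttl"] = int(d["ttl"])
            recs.append(d)
    return recs

def unanswered_queries(text):
    """Map (client_ip, client_port, txid) -> {"sent": retries, "ttl": ttl} for queries with no reply.

    A packet to port 53 is a query; a packet from port 53 is a reply and is matched
    against the query by the client's address, client's port and the transaction id.
    """
    queries = {}
    answered = set()
    for r in parse(text):
        if r["dport"] == "53":
            key = (r["sip"], r["sport"], r["txid"])
            q = queries.setdefault(key, {"sent": 0, "ttl": r["ttl"]})
            q["sent"] += 1
        elif r["sport"] == "53":
            answered.add((r["dip"], r["dport"], r["txid"]))
    return {k: v for k, v in queries.items() if k not in answered}

if __name__ == "__main__":
    for (ip, port, txid), info in unanswered_queries(SAMPLE).items():
        origin = "local host" if info["ttl"] == 64 else "forwarded"
        print(f"{ip}:{port} txid {txid}: sent {info['sent']}x, no reply (ttl {info['ttl']}, {origin})")
```

Run it on a `tcpdump -v -n -i em0 udp port 53` capture from the NAT box and every line it prints is a query that left the box but whose reply was never seen on the wire; replies that did arrive but were dropped by the firewall would need `ipfw show` counters or the nat log to spot.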