Bridge and NAT problems

Bruce A. Mah bmah at freebsd.org
Fri Feb 23 06:06:33 UTC 2007


If memory serves me right, Andrea Venturoli wrote:
> Bruce A. Mah wrote:
> 
>> You didn't say which bridging driver or version of FreeBSD you're using,
>> but it sounds to me like you're using bridge(4), right?
> 
> Yes.
> 
>> This is a
>> fairly well known problem, which I wrote a little bit about here:
>>
>> http://lists.freebsd.org/pipermail/freebsd-net/2004-December/006075.html
>>
>> (This message describes a scenario with ipf, but it applies equally well
>> I think to ipfw.)
> 
> Read that.
> So I guess my analysis was wrong in that I thought natd was not 
> reconverting packets; from what you say I understand the problem is that 
> these packets are not diverted to natd, right?
> The details are right now beyond my understanding...

Without more details it's difficult to say.  Not to be overly critical,
but "does not work" from your original post isn't real helpful,
unfortunately.  If you had packet traces of, say, attempted pings, that
would give a lot more data to help say exactly what the problem is.  It
just sounds *very* similar to a problem I spent a lot of time working on.

>> If you can, try switching to using if_bridge(4).
> 
> I cannot right now, since I have to wait to be physically at this box, 
> but I could try in the future. Do you see any drawback?

None I can think of.  Note that bridge(4) is deprecated in RELENG_6 and
is gone entirely from HEAD (in favor of if_bridge(4)).  if_bridge(4) is
also more featureful and is being actively worked on.

>> You (probably) want to
>> assign the public NAT address to the bridge0 interface, and leave the
>> physical interfaces making up the bridges (xl0 and rl1 in your case)
>> unnumbered.  I've had good experiences with this type of configuration.
> 
> Ok.
> So I would only need to
> create the bridge0 interface as per man page
> sysctl net.link.bridge.ipfw=1
> sysctl net.link.bridge.pfil_onlyip=0
> change every reference to rl1 in my ipfw ruleset to bridge0
> 
> Anything else?
> Would everything work the same as now (apart from this "feature" which 
> is causing me troubles)?

I think that'll work, yes.

(Caveat:  If you are doing other filtering in ipfw you might need to
make some additional adjustments, but if all you're doing is NAT/divert,
"change every reference to rl1 ... to bridge0" should work just fine.)

Bruce.
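The setup Bruce confirms above (bridge0 carrying the public NAT address, xl0 and rl1 left unnumbered, the two sysctls, and the ipfw ruleset pointed at bridge0 instead of rl1) written out as a dry-run sh script. This is an added example, not code from the thread or from FreeBSD: the interface names and sysctls come from the messages, while the 192.0.2.10/24 address, the rc.conf layout and the sample ruleset (including the rl10 line used to show why a plain text substitution is unsafe) are constructed placeholders. It only prints the fragments and the rewritten rules; nothing is installed.

```shell
#!/bin/sh
# Added example (not from the thread): generate the if_bridge(4) + ipfw/natd
# configuration described in the reply, and migrate an existing ipfw ruleset
# from the physical interface (rl1) to bridge0.  xl0/rl1 and the sysctls are
# from the thread; address, rc.conf layout and sample rules are constructed.

# rc.conf fragment: bridge0 holds the public NAT address, the member
# interfaces stay unnumbered (just "up"), natd binds to bridge0.
gen_rc_conf() {
    public_addr="$1"   # constructed placeholder, e.g. 192.0.2.10/24
    cat <<EOF
cloned_interfaces="bridge0"
ifconfig_bridge0="addm xl0 addm rl1 inet ${public_addr} up"
ifconfig_xl0="up"
ifconfig_rl1="up"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="bridge0"
EOF
}

# sysctl.conf fragment with the two settings named in the thread.
gen_sysctl_conf() {
    cat <<'EOF'
net.link.bridge.ipfw=1
net.link.bridge.pfil_onlyip=0
EOF
}

# Rewrite every whitespace-separated token that is exactly "rl1" to "bridge0".
# Matching whole fields avoids clobbering names such as rl10, which a plain
# sed s/rl1/bridge0/ would also hit.
migrate_ruleset() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "rl1") $i = "bridge0"
        print
    }'
}

# Exit 0 only if no "rl1" token is left anywhere in the ruleset on stdin.
check_no_rl1() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "rl1") found = 1 }
         END { exit found ? 1 : 0 }'
}

# Constructed sample ruleset in the style of a divert/natd setup on rl1.
SAMPLE_RULES='add 00050 divert natd ip from any to any via rl1
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 allow tcp from any to any established
add 00400 allow ip from any to any via rl10
add 65000 allow ip from any to any'

# Dry run: show what would go into rc.conf, sysctl.conf and the ruleset.
gen_rc_conf "192.0.2.10/24"
gen_sysctl_conf
printf '%s\n' "$SAMPLE_RULES" | migrate_ruleset
```

Run it with `sh script.sh` to see the three fragments; pipe a real ruleset through `migrate_ruleset` and then `check_no_rl1` to confirm nothing still references the physical interface before loading it.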

