kern/147191: [ppp] Problems with ppp -nat [pppoe], ipfw, dummynet
Jose M Rodriguez
josemi at freebsd.jazztel.es
Fri Jun 4 15:11:14 UTC 2010
On 03/06/2010 9:15, Ian Smith wrote:
> On Wed, 2 Jun 2010, Jose M Rodriguez wrote:
> > The following reply was made to PR kern/147191; it has been noted by GNATS.
> >
> > From: Jose M Rodriguez<josemi at freebsd.jazztel.es>
> > To: bug-followup at FreeBSD.org
> > Cc:
> > Subject: Re: kern/147191: [ppp] Problems with ppp -nat [pppoe], ipfw, dummynet
> > Date: Wed, 02 Jun 2010 04:31:49 +0200
> [..]
> > On 02/06/2010 2:37, Jose M Rodriguez wrote:
> > > Seems that this must be reopened.
> > > ...
> > Seems this one worked, but I don't remember this from the last time I used ipfw on
> > FreeBSD-7
> >
> [..]
> > Content-Disposition: attachment;
> > filename="rc.firewall.router.4"
> >
> > #!/bin/sh -
> > # Copyright (c) 1996 Poul-Henning Kamp
> > # All rights reserved.
> [..]
> > # $FreeBSD: src/etc/rc.firewall,v 1.60.2.3 2010/04/14 15:03:58 ume Exp $
>
> I had to do a 'diff -uw rc.firewall.1.60.2.3 rc.firewall.router.4' (and
> before that, vs your previous rc.firewall.router.1) to follow what was
> going on here; you've added some 'interesting' stuff (esp dummynet), but
> I think your main problem is the placement of the NAT rule, where you've
> merged it into what is otherwise based on the 'workstation' ruleset.
>
>
...
I don't have much experience doing ipfw setups, but I've set up dozens of
boxes with ipfilter. I don't think this may be a 'rule' problem.
I expect two hits, one IN and another OUT, per IP packet. But maybe this
is NOT the case.
I do things as I learned to do:
- lo0
- local LANs (big traffic, simpler)
- outside (less traffic, complex)
My initial setup (rc.firewall.router.4) uses ppp -nat, without natd, and
one_pass=1 (without my knowing it). It mostly works, and I learned that I must
set one_pass=0 to get the packet again in ipfw after dummynet.
As far as I can read, this must also matter to ppp -nat. So I expect that a
packet passed IN from the local LAN, after being translated, hits the firewall as
XMIT on tun0. I'm nearly sure this is not the case. Can anyone prove this?
So I must put the dummynet rule catching incoming traffic from the LAN, to be
translated later by ppp. This setup is NOW WORKING, with the shaper
being effective and without problems with ppp -nat.
rc.firewall.router.1 is another story: after the problems with ppp, it
uses mpd5 and natd.
I can't test this well, and the way things go is really odd, but this
is how I get things mostly working.
What I noted on this setup is that I must pass the traffic incoming from
the local LAN LAST, or NAT is not functioning at all (I usually do LAN traffic
very first for performance reasons).
I'm beginning to think of a libalias problem (inside natd this time), but I'm
also in doubt about the two IN/OUT hits. Maybe there's only one hit as
IN/OUT, as from a bridge hook?
In any case, the gotos (skipto) are placed not only as logic, but also
to get counts of packets and try to see what's going on.
I know that the natd rule is not at the very first (/etc/rc.firewall usually
puts it as rule 25, even before the 100 lo0 rule), but I'm also nearly sure that no
traffic that can matter to natd (via oif, ng0) is passed or denied before
that. This matters for being able to catch incoming LAN traffic
before it is translated.
This may be my first test when I have time again: put natd back at rule 25
and do LAN traffic FIRST again. I'm also thinking of doing an altq/pf test.
And I added SOME lines to my ipfw notes:
- put dummynet VERY FIRST, if possible on INCOMING, and be sure that
sysctl net.inet.ip.fw.one_pass=0.
- FreeBSD doesn't expect, by default, any firewall processing after libalias.
But now I'm very busy, really.
--
josemi
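An added illustration of the two notes above (shaper first, on incoming LAN traffic, with net.inet.ip.fw.one_pass=0); this is not the poster's rc.firewall.router.4 nor anything from the FreeBSD rc.firewall, and the interface names (em0, tun0), the LAN network and the bandwidth are assumed. By default it only prints the ipfw(8) commands in rc.firewall style, so the ordering can be checked on any machine; setting fwcmd=/sbin/ipfw applies them.

```shell
#!/bin/sh
# Added example, not the poster's ruleset.  Shows the ordering the mail
# arrived at for a ppp -nat router: the dummynet pipe sees LAN traffic on
# the way IN, before ppp(8) translates it, and one_pass=0 makes the packet
# re-enter ipfw at the rule after the pipe instead of being accepted there.
lan_if="${lan_if:-em0}"                 # assumed LAN interface
lan_net="${lan_net:-192.168.1.0/24}"    # assumed LAN network
ppp_if="${ppp_if:-tun0}"                # ppp(8) -nat interface
up_bw="${up_bw:-512Kbit/s}"             # assumed upstream bandwidth

# Dry run by default: print the commands instead of executing them.
# On a real router set fwcmd=/sbin/ipfw and sysctlcmd=/sbin/sysctl.
fwcmd="${fwcmd:-echo ipfw}"
sysctlcmd="${sysctlcmd:-echo sysctl}"

router_rules() {
    # Without this, a packet leaving the pipe is accepted right there.
    ${sysctlcmd} net.inet.ip.fw.one_pass=0
    ${fwcmd} -f flush
    ${fwcmd} pipe 1 config bw "${up_bw}"
    # Shaper VERY FIRST, on INCOMING LAN traffic.  ppp -nat has not touched
    # the packet yet; after the pipe it continues at rule 200.
    ${fwcmd} add 100 pipe 1 ip from "${lan_net}" to any in recv "${lan_if}"
    ${fwcmd} add 200 allow ip from any to any via lo0
    ${fwcmd} add 300 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 400 allow ip from "${lan_net}" to any in recv "${lan_if}"
    # Outbound on the ppp link: ppp itself translates the packet after
    # this rule, and ipfw does not see the translated copy again.
    ${fwcmd} add 500 allow ip from any to any out xmit "${ppp_if}"
    ${fwcmd} add 600 allow tcp from any to any established
    ${fwcmd} add 65000 deny log ip from any to any
}

# Always-dry-run copy of the ruleset, used for the ordering checks below.
emit_rules() {
    ( fwcmd="echo ipfw"; sysctlcmd="echo sysctl"; router_rules )
}

# Rule number of the first "add" rule whose text matches an ERE.
rule_num() {
    emit_rules | awk -v pat="$1" '$2 == "add" && $0 ~ pat { print $3; exit }'
}

# Check: the shaper rule precedes the first rule that passes LAN traffic in.
shaper_before_lan_pass() {
    [ "$(rule_num 'pipe 1')" -lt "$(rule_num 'allow ip from .* in recv')" ]
}

router_rules
```

With natd (the rc.firewall.router.1 variant) the position is different: natd re-injects the translated packet and ipfw resumes at the rule after the divert rule, so there the firewall does see traffic after libalias.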