System Freeze w/ IPNAT

Ted Wisniewski ted at ness.plymouth.edu
Mon Nov 19 12:13:06 PST 2007 

We have a box doing routing and NAT using IPNAT that freezes up after a couple 
days.   We have swapped out the Box with a different model and continue to 
see the same problem.   Symptoms are that the machine no longer passes 
traffic and the console is unresponsive to any keyboard input (not even 
ctrl-alt-del).    What we are doing is just Nat'ing a portion of the network 
traffic (we want to pass certain areas of the network address space 
un-modified).    We are pretty certain that our problem has something to do 
with ipnat becasue we are using other BSD boxes as routers without issue.

We have seen a couple:

	bge1: watchdog timeout -- resetting
	bge1: link state changed to DOWN
	bge1: link state changed to UP

in the log file that were not present on the first machine because it had a 
different set of network cards...   I mention it only for completeness.

Any help that someone can provide would be appreciated.  Additional pertinent 
info is provided below.

Thanks

Ted

Relevant Kernel Options:

options        IPFILTER                	#ipfilter support
options        IPFILTER_LOG            	#ipfilter logging
options        IPFILTER_LOOKUP        #ipfilter pools

Relevant rc.conf settings:

#
# ROUTING 
#
router_enable="YES"
router_flags="-s"
gateway_enable="YES"
#
# Network firewall / NAT (IPF)
#
gateway_enable="YES"  
ipfilter_enable="YES"
ipfilter_flags="-T ipf_nattable_max=500000 -E"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Ds -N /dev/ipnat -f /dev/ipl -S /dev/ipstate"


Example rule from /etc/ipnat.rules (we have a number of these based on areas 
of our network)...  Each subnet is associated with a different ip on the 
outgoing side of the NAT.

#
map bge0 192.168.100.0/23 -> 192.168.4.64/32 proxy port ftp ftp/tcp
map bge0 192.168.100.0/23 -> 192.168.4.64/32 icmpidmap icmp 60000:65535
map bge0 192.168.100.0/23 -> 192.168.4.64/32 portmap tcp/udp 42000:65535 
#



Background info:

	FreeBSD 6.2 pl-8
	Using Dell Poweredge 860 
		1 Gig RAM
		Dual - Broadcom BCM5750 B1, ASIC rev. 0x4101
		Latest Firmware

First Interface (bge0):
	with 11 IP's (1 for host with 10 aliases for NAT) operating at  media: 
Ethernet autoselect (1000baseTX <full-duplex>)  

Second interface (bge1):
	with one IP operating at  media: Ethernet autoselect (1000baseTX 
<full-duplex>)

More information about the freebsd-questions mailing list