weird problem with 9.0 Release and ed0

Christoph P.U. Kukulies kuku at kukulies.org
Sun Aug 12 10:41:07 UTC 2012


Am 11.08.2012 09:58, schrieb Ian Smith:
> In freebsd-questions Digest, Vol 427, Issue 6, Message: 16
> On Fri, 10 Aug 2012 12:39:36 +0200 "Christoph P.U. Kukulies" <kuku at kukulies.org> wrote:
>   > Am 10.08.2012 11:40, schrieb Christoph P.U. Kukulies:
>   > > Am 10.08.2012 11:28, schrieb Christoph P.U. Kukulies:
>   > >> The problem need not to be confined to 9.0. It stated to develop
>   > >> under 5.1 already.
>   > > read: started to develop...
>   > >>
>   > >> I'm running a natd gateway machine that was developing strange
>   > >> behaviour such that the
>   > >> outside interface (ed0, BNC connector) that was connected via a small
>   > >> media converter switch to
>   > >> the providers sync line had dropouts. The machine couldn't ping into
>   > >> the Internet and also couldn't be pinged.
>   > >>
>   > >> I first thought it was the switch/media converter, but another
>   > >> (Windows XP) machine that was on the
>   > >> same BNC cable worked flawlessly.
>
> That XP box was directly on the outside, not inside nat'd via this one?

Yes, on the same BNC cable/interface.

--+------------+--80.72.44.x----+---[SWITCH/BNCtoTP]-----INTERNET------
   |            |              |
80.72.44.228 80.72.44.226     |
  ed0           |             ed0
FreeBSD 5.1   XP Box      FreeBSD 9.0
  xl0                         em0
   |                           |
--+-----172.27.x.x------------+----Intranet------------



>
>
>   > >> So I decided to migrate that 5.1 machine to a 9.0 machine. The
>   > >> situation now is that I have the9.0 machine
>   > >> at the BNC cable and simultanously the old FreeBSD 5.1 gateway on the
>   > >> same BNC cable but through a
>   > >> TP adapter. This was the old machine works fine and I can care about
>   > >> the new machine.
>
> Not quite clear .. can you sketch your network configuration?

Hope the ascii art doesn't get garbled.
>
>   > >> Is there a known problem with ed0 cards that have the Realtek 8029
>   > >> chipset. Do they need some
>   > >> special flags like memory mapping or irq?
>
> Long time since I've run anything with 10base2/BNC, but it used to work
> ok, on an ed0.
>
>   > >> When I for example boot the 9.0 machine the comping up of the em0 (on
>   > >> mainboard interface results in a highlighted
>   > >> kernel message on the console. The coming up of the ed0 is not
>   > >> flagged this way. And as a result the
>   > >> ed0 interface seems to be dead.
>
> Does the outside interface have a static address, or do you use DHCP
> via the provider's switch/hub/whatever?  Show /etc/rc.conf setup.  It
> smells a bit like the interface may not be up soon enough at that time;
> the ntpd message below could also indicate something like that re ipv6.

No DHCP in the game. Everything static.
>
>   > >> Here some excerpts of dmesg:
>   > >> em0: <Intel(R) PRO/1000 Network Connection 7.2.3> port 0x4400-0x441f
>   > >> mem 0x93100000-0x9311ffff,0x93124000-0x93124fff irq 20 at device 25.0
>   > >> on pci0
>   > >> em0: Using an MSI interrupt
>   > >> em0: Ethernet address: 00:1c:c0:37:b2:9f
>   > >>
>   > >> ed0: <RealTek 8029> port 0x1000-0x101f irq 22 at device 1.0 on pci7
>   > >> ed0: Ethernet address: 00:e0:7d:7c:2b:4a
>   > >>
>   > >> I also see this:
>   > >> Jul 30 23:03:54 forum ntpd[1711]: unable to create socket on ed0 (20)
>   > >> for fe80::
>   > >> 2e0:7dff:fe7c:2b4a#123
>
> You should get more / better clues if you boot with verbose messages.
>
>   > > Forgot to add this info:
>   > >
>   > > ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>   > >         ether 00:e0:7d:7c:2b:4a
>   > >         inet 80.72.44.230 netmask 0xfffffff0 broadcast 80.72.44.239
>   > >         inet6 fe80::2e0:7dff:fe7c:2b4a%ed0 prefixlen 64 scopeid 0xa
>   > >         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>   > >         media: Ethernet autoselect (10base2/BNC)
>   > >
>   >
>   > Must add some more info:
>   >
>   > My kernel config:
>   >
>   > cpu             I486_CPU
>   > cpu             I586_CPU
>   > cpu             I686_CPU
>   > ident           DIVERT
>   >
>   > makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug
>   > symbols
>   > options IPFIREWALL
>   > options IPFIREWALL_VERBOSE
>   > options IPFIREWALL_VERBOSE_LIMIT=10
>   > options IPDIVERT
>   > options IPFIREWALL_DEFAULT_TO_ACCEPT
>   >
>   > (the rest like in GENERIC).
>
> Just to mention: you don't actually need to include FIREWALL* or DIVERT
> in kernels these days; a GENERIC kernel will work fine, loading modules
> as needed.  Only exception is if you needed FIREWALL_FORWARD, which it
> appears you don't.

Ah, that's good to know.

>
>
>   > Strange thing:
>   >
>   > I cannot ping neither the outside interface address nor the inside
>   > (172.27.2.115)



forum2# egrep 'ifconfig|firewall|natd|gateway|ntpd' /etc/rc.conf
### Basic network and firewall/security options: ###
ifconfig_em0=" inet 172.27.2.115 netmask 255.255.0.0"
ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.
ifconfig_ed0="inet 87.79.34.230 netmask 0xfffffff0 "
ntpd_enable="NO"
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_program="/sbin/natd"       # path to natd, if you want a different one.
natd_interface="ed0"            # Public interface or IPaddress to use.
natd_flags=""                   # Additional flags for natd.
firewall_enable="YES"           # Set to YES to enable firewall 
functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the 
firewall
firewall_type="simple"          # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="YES"          # Set to YES to enable events logging
gateway_enable="YES"

/etc/natd.conf isn't there.
but natd is running as /sbin/natd -n ed0

00100   332  117666 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
00400 58395 6512836 allow ip from any to any via em0
00500     0       0 deny ip from 172.27.0.0/16 to any in via ed0
00600     0       0 deny ip from 80.72.44.0/28 to any in via em0
00700     0       0 deny tcp from any to 80.72.44.230 dst-port 3306
00800     0       0 deny tcp from any to 80.72.44.230 dst-port 515
00900     0       0 deny tcp from any to 80.72.44.230 dst-port 139
01000     0       0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 139
01100     0       0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 137
01200     0       0 allow udp from 80.72.44.227 to 80.72.44.230 dst-port 137
01300     0       0 allow udp from 80.72.44.227 to 80.72.44.230 dst-port 138
01400     0       0 deny tcp from any to 172.27.2.115 dst-port 3306
01500     0       0 deny tcp from any to 172.27.2.115 dst-port 515
01600     0       0 deny tcp from any to 172.27.2.115 dst-port 139
01700     0       0 allow tcp from 80.72.44.227 to 172.27.2.115 dst-port 139
01800     0       0 allow tcp from 80.72.44.227 to 172.27.2.115 dst-port 137
01900     0       0 allow udp from 80.72.44.227 to 172.27.2.115 dst-port 137
02000     0       0 allow udp from 80.72.44.227 to 172.27.2.115 dst-port 138
02100     0       0 deny tcp from any to 80.72.44.230 dst-port 587
02200     0       0 deny tcp from any to 80.72.44.230 dst-port 6000
02300     0       0 deny tcp from any to 80.72.44.230 dst-port 6000
02400     0       0 deny ip from any to 10.0.0.0/8 via ed0
02500     0       0 deny ip from any to 172.16.0.0/12 via ed0
02600     0       0 deny ip from any to 192.168.0.0/16 via ed0
02700     0       0 deny ip from any to 0.0.0.0/8 via ed0
02800     0       0 deny ip from any to 169.254.0.0/16 via ed0
02900     0       0 deny ip from any to 192.0.2.0/24 via ed0
03000     6     306 deny ip from any to 224.0.0.0/4 via ed0
03100     0       0 deny ip from any to 240.0.0.0/4 via ed0
03200  5082  354910 divert 8668 ip from any to any via ed0
03300     0       0 allow tcp from any to any established
03400     0       0 allow ip from any to any frag
03500     0       0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 
25 setup
03600  3720  240576 allow udp from 80.72.44.230 to any dst-port 53 
keep-state
03700     0       0 allow udp from 80.72.44.230 to any dst-port 123 
keep-state
03800     0       0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 
80 setup
03900     0       0 allow tcp from 199.99.9.163 to 80.72.44.230 dst-port 
80 setup
04000     0       0 allow tcp from 199.99.9.247 to 80.72.44.230 dst-port 
80 setup
04100     0       0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 
22 setup
04200     0       0 allow tcp from 199.99.9.163 to 80.72.44.230 dst-port 
22 setup
04300     0       0 allow tcp from 199.99.9.247 to 80.72.44.230 dst-port 
22 setup
04400     0       0 allow tcp from any to 172.27.2.115
04500     0       0 deny log logamount 5 tcp from any to any in via ed0 
setup
04600     0       0 allow tcp from any to any setup
65535  1367  114702 allow ip from any to any


# netstat -finet -rn
forum2# netstat -finet -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            80.72.44.225       UGS         0     7440    ed0
80.72.44.224/28    link#10            U           0     2700    ed0
80.72.44.230       link#10            UHS         0        4    lo0
127.0.0.1          link#12            UH          0      160    lo0
172.27.0.0/16      link#1             U           0      722    em0
172.27.2.115       link#1             UHS         0        2    lo0
forum2#

This is the information so far.

Pinging the interfaces with their respective addresses works now.
What doesn't work is the pinging of the neighbour machine (XP)
80.72.44.226 which I can ping from the FreeBSD 5.1 neighbour machine.

I still can imagine that there is a hardware problem that leads tp 
packet corruption
or something. I will exchange the media converter/switch next.

Thanks a lot.
--
Christoph

>
>   >
>   > --
>   > Christoph Kukulies
>
> Please show output from:
>
> # egrep 'ifconfig|firewall|natd|gateway|ntpd' /etc/rc.conf
> # cat /etc/natd.conf
> # ipfw show
> # netstat -finet -rn
>
> cheers, Ian
>


More information about the freebsd-questions mailing list