weird problem with 9.0 Release and ed0
Christoph P.U. Kukulies
kuku at kukulies.org
Sun Aug 12 10:41:07 UTC 2012
On 11.08.2012 09:58, Ian Smith wrote:
> In freebsd-questions Digest, Vol 427, Issue 6, Message: 16
> On Fri, 10 Aug 2012 12:39:36 +0200 "Christoph P.U. Kukulies" <kuku at kukulies.org> wrote:
> > On 10.08.2012 11:40, Christoph P.U. Kukulies wrote:
> > > On 10.08.2012 11:28, Christoph P.U. Kukulies wrote:
> > >> The problem need not be confined to 9.0. It started to develop
> > >> under 5.1 already.
> > > read: started to develop...
> > >>
> > >> I'm running a natd gateway machine that was developing strange
> > >> behaviour such that the
> > >> outside interface (ed0, BNC connector) that was connected via a small
> > >> media converter switch to
> > >> the providers sync line had dropouts. The machine couldn't ping into
> > >> the Internet and also couldn't be pinged.
> > >>
> > >> I first thought it was the switch/media converter, but another
> > >> (Windows XP) machine that was on the
> > >> same BNC cable worked flawlessly.
>
> That XP box was directly on the outside, not inside nat'd via this one?
Yes, on the same BNC cable/interface.
--+------------+--80.72.44.x----+---[SWITCH/BNCtoTP]-----INTERNET------
  |            |                |
80.72.44.228   80.72.44.226     |
  ed0          |               ed0
FreeBSD 5.1    XP Box        FreeBSD 9.0
  xl0                          em0
  |                             |
--+-----172.27.x.x--------------+----Intranet------------
>
>
> > >> So I decided to migrate that 5.1 machine to a 9.0 machine. The
> > >> situation now is that I have the 9.0 machine
> > >> at the BNC cable and simultaneously the old FreeBSD 5.1 gateway on the
> > >> same BNC cable but through a
> > >> TP adapter. This way the old machine works fine and I can care about
> > >> the new machine.
>
> Not quite clear .. can you sketch your network configuration?
Hope the ascii art doesn't get garbled.
>
> > >> Is there a known problem with ed0 cards that have the Realtek 8029
> > >> chipset? Do they need some
> > >> special flags like memory mapping or irq?
>
> Long time since I've run anything with 10base2/BNC, but it used to work
> ok, on an ed0.
>
> > >> When I for example boot the 9.0 machine, the coming up of the em0
> > >> (on-mainboard interface) results in a highlighted
> > >> kernel message on the console. The coming up of the ed0 is not
> > >> flagged this way. And as a result the
> > >> ed0 interface seems to be dead.
>
> Does the outside interface have a static address, or do you use DHCP
> via the provider's switch/hub/whatever? Show /etc/rc.conf setup. It
> smells a bit like the interface may not be up soon enough at that time;
> the ntpd message below could also indicate something like that re ipv6.
No DHCP in the game. Everything static.
>
> > >> Here some excerpts of dmesg:
> > >> em0: <Intel(R) PRO/1000 Network Connection 7.2.3> port 0x4400-0x441f
> > >> mem 0x93100000-0x9311ffff,0x93124000-0x93124fff irq 20 at device 25.0
> > >> on pci0
> > >> em0: Using an MSI interrupt
> > >> em0: Ethernet address: 00:1c:c0:37:b2:9f
> > >>
> > >> ed0: <RealTek 8029> port 0x1000-0x101f irq 22 at device 1.0 on pci7
> > >> ed0: Ethernet address: 00:e0:7d:7c:2b:4a
> > >>
> > >> I also see this:
> > >> Jul 30 23:03:54 forum ntpd[1711]: unable to create socket on ed0 (20)
> > >> for fe80::
> > >> 2e0:7dff:fe7c:2b4a#123
>
> You should get more / better clues if you boot with verbose messages.
>
> > > Forgot to add this info:
> > >
> > > ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> > > ether 00:e0:7d:7c:2b:4a
> > > inet 80.72.44.230 netmask 0xfffffff0 broadcast 80.72.44.239
> > > inet6 fe80::2e0:7dff:fe7c:2b4a%ed0 prefixlen 64 scopeid 0xa
> > > nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> > > media: Ethernet autoselect (10base2/BNC)
> > >
> >
> > Must add some more info:
> >
> > My kernel config:
> >
> > cpu I486_CPU
> > cpu I586_CPU
> > cpu I686_CPU
> > ident DIVERT
> >
> > makeoptions DEBUG=-g # Build kernel with gdb(1) debug
> > symbols
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=10
> > options IPDIVERT
> > options IPFIREWALL_DEFAULT_TO_ACCEPT
> >
> > (the rest like in GENERIC).
>
> Just to mention: you don't actually need to include FIREWALL* or DIVERT
> in kernels these days; a GENERIC kernel will work fine, loading modules
> as needed. Only exception is if you needed FIREWALL_FORWARD, which it
> appears you don't.
Ah, that's good to know.
>
>
> > Strange thing:
> >
> > I can ping neither the outside interface address nor the inside
> > (172.27.2.115)
forum2# egrep 'ifconfig|firewall|natd|gateway|ntpd' /etc/rc.conf
### Basic network and firewall/security options: ###
ifconfig_em0=" inet 172.27.2.115 netmask 255.255.0.0"
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
ifconfig_ed0="inet 87.79.34.230 netmask 0xfffffff0 "
ntpd_enable="NO"
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_interface="ed0" # Public interface or IPaddress to use.
natd_flags="" # Additional flags for natd.
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="simple" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="YES" # Set to YES to enable events logging
gateway_enable="YES"
/etc/natd.conf isn't there.
but natd is running as /sbin/natd -n ed0
00100 332 117666 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 58395 6512836 allow ip from any to any via em0
00500 0 0 deny ip from 172.27.0.0/16 to any in via ed0
00600 0 0 deny ip from 80.72.44.0/28 to any in via em0
00700 0 0 deny tcp from any to 80.72.44.230 dst-port 3306
00800 0 0 deny tcp from any to 80.72.44.230 dst-port 515
00900 0 0 deny tcp from any to 80.72.44.230 dst-port 139
01000 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 139
01100 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 137
01200 0 0 allow udp from 80.72.44.227 to 80.72.44.230 dst-port 137
01300 0 0 allow udp from 80.72.44.227 to 80.72.44.230 dst-port 138
01400 0 0 deny tcp from any to 172.27.2.115 dst-port 3306
01500 0 0 deny tcp from any to 172.27.2.115 dst-port 515
01600 0 0 deny tcp from any to 172.27.2.115 dst-port 139
01700 0 0 allow tcp from 80.72.44.227 to 172.27.2.115 dst-port 139
01800 0 0 allow tcp from 80.72.44.227 to 172.27.2.115 dst-port 137
01900 0 0 allow udp from 80.72.44.227 to 172.27.2.115 dst-port 137
02000 0 0 allow udp from 80.72.44.227 to 172.27.2.115 dst-port 138
02100 0 0 deny tcp from any to 80.72.44.230 dst-port 587
02200 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
02300 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
02400 0 0 deny ip from any to 10.0.0.0/8 via ed0
02500 0 0 deny ip from any to 172.16.0.0/12 via ed0
02600 0 0 deny ip from any to 192.168.0.0/16 via ed0
02700 0 0 deny ip from any to 0.0.0.0/8 via ed0
02800 0 0 deny ip from any to 169.254.0.0/16 via ed0
02900 0 0 deny ip from any to 192.0.2.0/24 via ed0
03000 6 306 deny ip from any to 224.0.0.0/4 via ed0
03100 0 0 deny ip from any to 240.0.0.0/4 via ed0
03200 5082 354910 divert 8668 ip from any to any via ed0
03300 0 0 allow tcp from any to any established
03400 0 0 allow ip from any to any frag
03500 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 25 setup
03600 3720 240576 allow udp from 80.72.44.230 to any dst-port 53 keep-state
03700 0 0 allow udp from 80.72.44.230 to any dst-port 123 keep-state
03800 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 80 setup
03900 0 0 allow tcp from 199.99.9.163 to 80.72.44.230 dst-port 80 setup
04000 0 0 allow tcp from 199.99.9.247 to 80.72.44.230 dst-port 80 setup
04100 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 22 setup
04200 0 0 allow tcp from 199.99.9.163 to 80.72.44.230 dst-port 22 setup
04300 0 0 allow tcp from 199.99.9.247 to 80.72.44.230 dst-port 22 setup
04400 0 0 allow tcp from any to 172.27.2.115
04500 0 0 deny log logamount 5 tcp from any to any in via ed0 setup
04600 0 0 allow tcp from any to any setup
65535 1367 114702 allow ip from any to any
# netstat -finet -rn
forum2# netstat -finet -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 80.72.44.225 UGS 0 7440 ed0
80.72.44.224/28 link#10 U 0 2700 ed0
80.72.44.230 link#10 UHS 0 4 lo0
127.0.0.1 link#12 UH 0 160 lo0
172.27.0.0/16 link#1 U 0 722 em0
172.27.2.115 link#1 UHS 0 2 lo0
forum2#
This is the information so far.
Pinging the interfaces with their respective addresses works now.
What doesn't work is the pinging of the neighbour machine (XP)
80.72.44.226 which I can ping from the FreeBSD 5.1 neighbour machine.
I still can imagine that there is a hardware problem that leads to
packet corruption or something. I will exchange the media converter/switch next.
Thanks a lot.
--
Christoph
>
> >
> > --
> > Christoph Kukulies
>
> Please show output from:
>
> # egrep 'ifconfig|firewall|natd|gateway|ntpd' /etc/rc.conf
> # cat /etc/natd.conf
> # ipfw show
> # netstat -finet -rn
>
> cheers, Ian
>
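The thread pastes a full `ipfw show` ruleset next to the `ifconfig_*` lines from rc.conf, which is exactly the pair of artefacts a reviewer checks for drift: rule bodies that name an address no interface is configured with, duplicated rule bodies (the ruleset above has the same `dst-port 6000` deny twice, at 02200 and 02300), and what the default rule 65535 does. The script below is an added example for this thread, not code from the original post or from FreeBSD; its sample input is a constructed excerpt in the format of the `ipfw show` and rc.conf output quoted above, and the function names are my own.

```python
"""Audit helper: cross-check an `ipfw show` ruleset against rc.conf ifconfig_ lines.
Added example for this thread, not code from the post or from FreeBSD.
The two sample texts are constructed excerpts in the format quoted in the thread."""
import re
from collections import defaultdict

# IPv4 host with an optional prefix length; group(2) is None for a plain host.
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?")

# Constructed excerpt of `ipfw show` output: number, packets, bytes, rule body.
IPFW_SHOW = """\
00100 332 117666 allow ip from any to any via lo0
00600 0 0 deny ip from 80.72.44.0/28 to any in via em0
00700 0 0 deny tcp from any to 80.72.44.230 dst-port 3306
02200 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
02300 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
03200 5082 354910 divert 8668 ip from any to any via ed0
03600 3720 240576 allow udp from 80.72.44.230 to any dst-port 53 keep-state
04400 0 0 allow tcp from any to 172.27.2.115
65535 1367 114702 allow ip from any to any
"""

# Constructed excerpt of the ifconfig_* lines from /etc/rc.conf.
RC_CONF = """\
ifconfig_em0=" inet 172.27.2.115 netmask 255.255.0.0"
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
ifconfig_ed0="inet 87.79.34.230 netmask 0xfffffff0 "
"""


def parse_ipfw_show(text):
    """Return (number, packets, bytes, body) tuples from `ipfw show` output."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # blank line or something that is not a rule
        num, pkts, byts, body = parts
        rules.append((num, int(pkts), int(byts), body.strip()))
    return rules


def configured_addresses(rc_conf):
    """Map interface name -> inet address from ifconfig_<if>="inet A ..." lines."""
    addrs = {}
    for m in re.finditer(r'^ifconfig_(\w+)="\s*inet\s+([^\s"]+)', rc_conf, re.M):
        addrs[m.group(1)] = m.group(2)
    return addrs


def duplicate_rules(rules):
    """Groups of rule numbers whose bodies are identical (redundant rules)."""
    by_body = defaultdict(list)
    for num, _, _, body in rules:
        by_body[body].append(num)
    return [nums for nums in by_body.values() if len(nums) > 1]


def unconfigured_hosts(rules, addrs):
    """Host addresses (no prefix length) named in rules but assigned to no
    interface in rc.conf: a sign that ruleset and configuration have drifted."""
    configured = set(addrs.values())
    found = defaultdict(list)
    for num, _, _, body in rules:
        for m in IPV4.finditer(body):
            if m.group(2) is not None:  # a network such as 80.72.44.0/28, not a host
                continue
            if m.group(1) not in configured:
                found[m.group(1)].append(num)
    return dict(found)


def default_rule_action(rules):
    """Action word of rule 65535, i.e. what happens to traffic nothing else matched."""
    for num, _, _, body in rules:
        if num == "65535":
            return body.split()[0]
    return None


def zero_hit_rules(rules):
    """Rule numbers whose packet counter is still zero (never matched so far)."""
    return [num for num, pkts, _, _ in rules if pkts == 0 and num != "65535"]


if __name__ == "__main__":
    rules = parse_ipfw_show(IPFW_SHOW)
    addrs = configured_addresses(RC_CONF)
    print("configured:", addrs)
    print("duplicate rule groups:", duplicate_rules(rules))
    print("hosts in rules but on no interface:", unconfigured_hosts(rules, addrs))
    print("default rule action:", default_rule_action(rules))
    print("rules with zero hits:", zero_hit_rules(rules))
```

On the thread's own data the address check reports 80.72.44.230, because the pasted rc.conf assigns 87.79.34.230 to ed0 while every rule and the routing table use 80.72.44.230; whether that is a sanitisation slip in the post or a real mismatch on the box, it is the first thing to confirm with `ifconfig ed0` before suspecting hardware. To run it against a live system, feed the output of `ipfw show` and `grep ifconfig_ /etc/rc.conf` into the two parsers instead of the constructed strings.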