Changes To nat-ing Behaviour?

Tim Daneliuk tundra at tundraware.com
Sat Apr 18 20:44:35 UTC 2020 

On 4/18/20 12:51 PM, Michael Sierchio wrote:
> Showing your ruleset would allow us to comment meaningfully.

Not sure exactly which ruleset but ... Here are the kernel opts:

options     IPFIREWALL
options     IPDIVERT


Here is the natd.conf:

use_sockets
port natd
same_ports
unregistered_only


This is the ruleset in the firewall up to the point NAT gets enabled.
re0 is outward facing, em0 is internal LAN:

0001    4     715 allow icmp from any to any icmptypes 0,3,4,8,11,12
00100   24    1958 allow ip from any to any via lo0
00200    0       0 deny ip from any to 127.0.0.0/8
00300    0       0 deny ip from 127.0.0.0/8 to any
00400    0       0 deny ip from 192.168.0.0/24 to any in via re0
00500    0       0 deny ip from 75.145.138.73 to any in via em0
00600    0       0 deny ip from any to 10.0.0.0/8 via re0
00700    0       0 deny ip from any to 172.16.0.0/12 via re0
00800    0       0 deny ip from any to 192.168.0.0/16 via re0
00900    0       0 deny ip from any to 0.0.0.0/8 via re0
01000    0       0 deny ip from any to 169.254.0.0/16 via re0
01100    0       0 deny ip from any to 192.0.2.0/24 via re0
01200    1      32 deny ip from any to 224.0.0.0/4 via re0
01300    0       0 deny ip from any to 240.0.0.0/4 via re0
01400 1011   97774 divert 8668 ip from any to any via re0

As I said, these rules have not changed for an eternity so not sure
what is going on here.


> 
> On Sat, Apr 18, 2020 at 10:19 AM Tim Daneliuk <tundra at tundraware.com> wrote:
> 
>> I recently upgraded a FBSD 11.3 machine to -STABLE as of a few weeks ago.
>>
>> This machine acts as a firewall and nats between the outside world
>> and an internal nonroutable network.
>>
>> Configuration is stable and has not changed in years.
>>
>> Today I noted that speeds on the LAN side are about half of what is
>> available
>> going out to the internet.
>>
>> I eliminated cables, interfaces, and switches and confirmed that - even if
>> I plug a machine directly into the FBSD nat box, I get half the speed that
>> box gets out to the net.
>>
>> I'm at a loss since I've changed nothing in the config.
>>
>> Ideas would be most appreciated.
>>
>> TIA,
>> --
>>
>> ----------------------------------------------------------------------------
>> Tim Daneliuk     tundra at tundraware.com
>> PGP Key:         http://www.tundraware.com/PGP/
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe at freebsd.org"
>>
> 
> 


-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra at tundraware.com
PGP Key:         http://www.tundraware.com/PGP/

More information about the freebsd-questions mailing list