Changes To nat-ing Behaviour?
Tim Daneliuk
tundra at tundraware.com
Sat Apr 18 20:44:35 UTC 2020
On 4/18/20 12:51 PM, Michael Sierchio wrote:
> Showing your ruleset would allow us to comment meaningfully.
Not sure exactly which ruleset but ... Here are the kernel opts:
options IPFIREWALL
options IPDIVERT
Here is the natd.conf:
use_sockets
port natd
same_ports
unregistered_only
This is the ruleset in the firewall up to the point NAT gets enabled.
re0 is outward facing, em0 is internal LAN:
0001 4 715 allow icmp from any to any icmptypes 0,3,4,8,11,12
00100 24 1958 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from 192.168.0.0/24 to any in via re0
00500 0 0 deny ip from 75.145.138.73 to any in via em0
00600 0 0 deny ip from any to 10.0.0.0/8 via re0
00700 0 0 deny ip from any to 172.16.0.0/12 via re0
00800 0 0 deny ip from any to 192.168.0.0/16 via re0
00900 0 0 deny ip from any to 0.0.0.0/8 via re0
01000 0 0 deny ip from any to 169.254.0.0/16 via re0
01100 0 0 deny ip from any to 192.0.2.0/24 via re0
01200 1 32 deny ip from any to 224.0.0.0/4 via re0
01300 0 0 deny ip from any to 240.0.0.0/4 via re0
01400 1011 97774 divert 8668 ip from any to any via re0
As I said, these rules have not changed for an eternity so not sure
what is going on here.
>
> On Sat, Apr 18, 2020 at 10:19 AM Tim Daneliuk <tundra at tundraware.com> wrote:
>
>> I recently upgraded a FBSD 11.3 machine to -STABLE as of a few weeks ago.
>>
>> This machine acts as a firewall and nats between the outside world
>> and an internal nonroutable network.
>>
>> Configuration is stable and has not changed in years.
>>
>> Today I noted that speeds on the LAN side are about half of what is
>> available
>> going out to the internet.
>>
>> I eliminated cables, interfaces, and switches and confirmed that - even if
>> I plug a machine directly into the FBSD nat box, I get half the speed that
>> box gets out to the net.
>>
>> I'm at a loss since I've changed nothing in the config.
>>
>> Ideas would be most appreciated.
>>
>> TIA,
>> --
>>
>> ----------------------------------------------------------------------------
>> Tim Daneliuk tundra at tundraware.com
>> PGP Key: http://www.tundraware.com/PGP/
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe at freebsd.org"
>>
>
>
--
----------------------------------------------------------------------------
Tim Daneliuk tundra at tundraware.com
PGP Key: http://www.tundraware.com/PGP/
More information about the freebsd-questions
mailing list