Hi,

I am using FreeBSD 7.1-RELEASE as a gateway (about 2000 clients, 90 VLANs via
if_vlan).
My server is an HP DL380 G4. I am using the on-board gigabit NIC as the WAN
interface, which uses the bge driver.

My rule set is below:

wan_intf="bge1"
ipfw nat 100 config ip X.X.X.1 reset same_ports
ipfw nat 101 config ip X.X.X.2 reset same_ports
ipfw nat 102 config ip X.X.X.3 reset same_ports
...
...
ipfw add 5 allow all from any to any layer2
ipfw add 50 check-state
...
... Other port forwarding and static nat rules without keep-state
...
ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
...
...
ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
...
...

About 2 minutes after applying this rule set, the system writes "bge1
watchdog timeout --- resetting" and then hangs; the keyboard does not
respond. No logs can be observed.

When I remove all skipto and check-state rules, the system works properly
without problems. I suspect the stateful inspection code.
Some sysctl variables are below:

net.inet.ip.fw.dyn_max=32768
net.inet.ip.fw.dyn_ack_lifetime=100
net.inet.ip.fw.dyn_short_lifetime=10
net.inet.ip.fw.one_pass=0
net.inet.ip.dummynet.hash_size=256
kern.maxfiles=32000
kern.ipc.somaxconn=1024
net.inet.ip.process_options=0
net.inet.ip.fastforwarding=1
net.link.ether.ipfw=1

Thanks for your interest.
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
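The per-address pattern in the post (one nat instance, one outbound nat rule plus a skipto/keep-state rule at 50000, one inbound nat rule at 51000), written out as a small generator so the elided rules can be seen for any number of public addresses. This is an added example, not the poster's script: WAN_INTF and PRIV_NET copy the post's values, the 192.0.2.x addresses in the usage line are constructed placeholders, and the generator reproduces the post's layout as given (same inside subnet on every outbound nat rule) rather than altering it.

```shell
#!/bin/sh
# Added example: emit the ipfw NAT rule pattern from the post for N public addresses.
# Values below are assumptions taken from the post; addresses passed in are placeholders.
WAN_INTF="bge1"
PRIV_NET="10.1.0.0/16"

# gen_nat_rules NAT_BASE OUT_RULE IN_RULE addr...
#   i-th address -> nat instance NAT_BASE+i, outbound pair at OUT_RULE,
#   inbound nat at IN_RULE. Output is the rule text, one command per line.
gen_nat_rules() {
    base=$1; out_rule=$2; in_rule=$3; shift 3
    i=0
    for addr in "$@"; do                       # nat instance definitions
        echo "ipfw nat $((base + i)) config ip $addr reset same_ports"
        i=$((i + 1))
    done
    echo "ipfw add 5 allow all from any to any layer2"
    echo "ipfw add 50 check-state"
    i=0
    for addr in "$@"; do                       # outbound: translate, then jump past the rest
        inst=$((base + i))
        echo "ipfw add $out_rule nat $inst all from $PRIV_NET to any via $WAN_INTF"
        echo "ipfw add $out_rule skipto $in_rule all from $addr to any setup keep-state via $WAN_INTF"
        i=$((i + 1))
    done
    i=0
    for addr in "$@"; do                       # inbound: reverse translation per public address
        echo "ipfw add $in_rule nat $((base + i)) all from any to $addr via $WAN_INTF"
        i=$((i + 1))
    done
}

# Usage with constructed placeholder addresses (review the output before loading it):
gen_nat_rules 100 50000 51000 192.0.2.1 192.0.2.2 192.0.2.3
```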