Re: something is wrong after 9.2 to 10.0
On Feb 14, 2014, at 8:34 PM, SAITOU Toshihide to...@ruby.ocn.ne.jp wrote:

> I'm using FreeBSD as desktop and also using as nat gateway. After update from 9.2 to 10.0, some network problem occurs on this desktop machine's environment.
>
> - Sometimes email transmission failed with `stat=Deferred: 452', maybe when the size is large.
> - Firefox failed to post a form of web page on https.
> - Cadaver is no longer able to put file.
>
> But if I delete the following rule, the problem doesn't occur.
>
>     00050 352686 304039811 nat 123 ip4 from any to any via alc0
>
> And the related rc.conf entry is here:
>
>     firewall_enable=YES
>     firewall_type=open
>     firewall_quiet=NO
>     firewall_logging=YES
>     firewall_nat_enable=YES
>     firewall_nat_interface=alc0
>
> Is there any clue?

I saw a similar problem when using NAT on a TSO-enabled interface in FreeBSD 10. Try running

    ifconfig alc0 -tso

and/or adding -tso to the ifconfig_alc0 entry in your /etc/rc.conf. See also the related entry in the BUGS section at the end of ipfw(8) man page.

JN

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org
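A check for the condition described in the reply above, as an added example that is not part of the thread: it reads firewall_nat_interface from an rc.conf-style file and reports whether that interface still lists TSO4 or TSO6 in saved ifconfig output. The function names, file names and the sample option masks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the ipfw NAT interface
# named in rc.conf still has TSO enabled. Inputs are files so it runs offline.

# Print the value of firewall_nat_interface from an rc.conf-style file.
nat_iface() {
    sed -n 's/^firewall_nat_interface="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Exit 0 if interface $1 lists TSO4 or TSO6 in the ifconfig output file $2.
tso_enabled() {
    awk -v ifn="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }      # header line, e.g. "alc0: flags=..."
        cur == ifn && /options=/ && match($0, /<[^>]*>/) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), caps, ",")
            for (i = 1; i <= n; i++)                    # exact match: VLAN_HWTSO is a different flag
                if (caps[i] == "TSO4" || caps[i] == "TSO6") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# check_nat_tso RCCONF IFCONFIG_DUMP: prints a verdict, returns 1 if NAT and TSO coexist.
check_nat_tso() {
    ifn=$(nat_iface "$1")
    [ -n "$ifn" ] || { echo "no firewall_nat_interface set"; return 0; }
    if tso_enabled "$ifn" "$2"; then
        echo "WARN: $ifn does NAT with TSO enabled; run: ifconfig $ifn -tso"
        return 1
    fi
    echo "OK: $ifn has TSO disabled"
}

# Constructed sample data (hypothetical option masks), written into directory $1.
write_samples() {
    printf 'firewall_enable=YES\nfirewall_nat_enable=YES\nfirewall_nat_interface=alc0\n' > "$1/rc.conf"
    printf 'alc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n\toptions=c319a<TXCSUM,VLAN_MTU,TSO4,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>\n' > "$1/tso_on.txt"
    printf 'alc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n\toptions=c309a<TXCSUM,VLAN_MTU,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>\n' > "$1/tso_off.txt"
}

# On a live system:
#   ifconfig -a > /tmp/if.txt && check_nat_tso /etc/rc.conf /tmp/if.txt
```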
Re: IPFW fwd not working after upgrade from 9.2 to 10.0
On Feb 6, 2014, at 3:50 AM, Andrey V. Elsukov a...@freebsd.org wrote:

> On 06.02.2014 12:31, Andrey V. Elsukov wrote:
>> On 06.02.2014 04:08, John Nielsen wrote:
>>> I have been using IPFW FWD to do per-interface routing on a VM instance. The default gateway is on interface vtnet0, but there is a second interface, vtnet1, on a different network with its own public IP address. The second network has its own gateway, which I'd like to use for responses to connections coming in on vtnet1. Under 9.2, the below worked fine:
>>
>> Hi,
>>
>> you can apply this patch:
>> http://svnweb.freebsd.org/base?view=revisionrevision=260702
>
> JFYI, I merged the fix from head/. You can update your system to 10-STABLE and it should work.

Thank you Andrey and Ronald. I should have looked at both the errata and the commit logs sooner. I'll patch my kernel.

JN
Re: IPFW fwd not working after upgrade from 9.2 to 10.0
On Feb 5, 2014, at 5:54 PM, Michael Sierchio ku...@tenebras.com wrote:

> compile a kernel with more than the default 2 FIB tables (16 for example), and
>
>     setfib 0 route add default $GATEWAY_A
>     setfib 1 route add default $GATEWAY_B
>     setfib 2 route add default $GATEWAY_C
>     [ ... ]
>     ipfw table 1 add $NET_LAN 0
>     ipfw table 1 add $NET_VOIP 2
>     ipfw table 1 add $NET_VPN 0
>     ipfw table 1 add $NET_WIFI 0
>     ipfw table 1 add $NET_GUEST 1
>     ipfw table 1 add $NET_SECURITY 0
>     ipfw table 1 add $NET_COMMON1
>     ipfw table 1 add $NET_FINANCE 1
>     ipfw table 1 add $NET_CORE 2
>     ipfw table 1 add $NET_EVENT 0
>     [ ... ]
>     ipfw add 00500 setfib tablearg ip from table\(1\) to any in lookup src-ip 1

Thanks for the suggestion, but unless something has changed recently using setfib with ipfw is only effective for routed traffic, not packets that originate locally (the routing decision has already been made by the time the outgoing packet goes through ipfw). Running specific processes with an alternate FIB could be a partial workaround but it's a lot less elegant.

Really I'd like to know what's going on in 10.0 that keeps the ipfw fwd solution from working like it did in 9.2.

JN
Re: Transparent Squid and traffic control
On Jan 4, 2011, at 8:01 AM, Fazal Ahmed Malik wrote:

> I have a problem in running transparent squid along with dummynet on FreeBSD 7. I have mpd5 for dialin pppoe which is working perfect along with ipfw dummynet traffic control. Now I want to set up transparent squid using an ipfw fwd rule. If I place the fwd rule before the dummynet rule, transparent squid starts working but then traffic is not being controlled. Then I placed the fwd rule after the dummynet pipe; here traffic is controlled but transparent squid stops working. Anybody who has experience in such a configuration where both work simultaneously, please give me some hints.

I have done this successfully in the past. You need to remember that for every web request there are potentially two TCP conversations: one between the client and the proxy and one between the proxy and the server.

You probably do not want to pipe the first type of conversation--requests that can be served from the proxy's cache do not use WAN bandwidth and should be served at full speed over the LAN.

You DO want to pipe the second type of conversation. Requests from the proxy to web servers over the WAN will compete with other traffic for bandwidth.

So leave your fwd rule before the dummynet rule(s) and be sure that LAN traffic is not piped. Then add rules to pipe requests from the proxy's external IP to non-LAN addresses on port 80. Something like these:

Downstream:

    ipfw add skipto $ACCEPT tcp from $LAN 80 to me
    ipfw add pipe $M tcp from any 80 to $EXTIP

Upstream:

    ipfw add skipto $ACCEPT tcp from me to $LAN 80
    ipfw add pipe $N tcp from $EXTIP to any 80

If you post a specific ruleset you can get specific advice. :)

JN
Re: pls help on 3 interfaces
On Wednesday 18 March 2009 10:36:15 pm Lin Zhao wrote:

> hi all,
>
> wish my english is enough :-)
>
> my freebsd has 3 interfaces, like this,
>
> [ASCII diagram, garbled in the archive: host freebsd71 with fxp0 to switch1, rl0 to internal, fxp1 to switch2]
>
> we're in the internal and want to visit outside
> we use fxp0 for default outside address and it works well
> but for some reason, i want to use fxp1 for some special outside address
> how can i do for it?
>
> thanks a lot.

Is the FreeBSD box performing network address translation (NAT)? I'm going to assume that it is and everything is being aliased through fxp0. I'm also assuming you're using ipfw since you wrote to the ipfw list.

If the IP addresses which you'd like to reach via fxp1 are static, you should be able to do something like the following:

- Configure static routes on the FreeBSD machine for the special outside addresses using the gateway of fxp1's network as the router.
- Configure an additional NAT rule (if still using natd now might be a good time to switch to in-kernel ipfw NAT..) to alias through fxp1.
- Configure ipfw to direct traffic to/from the special outside addresses to the new NAT instance instead of the default.

I actually used a similar setup recently. If you care to confirm my assumptions above I can give you a more step-by-step guide.

JN
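The three steps listed in the reply above, written out as an added example that is not part of the thread. The destination networks, the gateway address, the table number, the rule numbers and the NAT instance number are hypothetical placeholders, and the existing NAT on fxp0 is assumed to use a higher rule number. The script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): second in-kernel NAT instance on fxp1
# for selected destinations. All addresses and numbers are placeholders.

SPECIAL_NETS="198.51.100.0/24 203.0.113.16/28"   # destinations to reach via fxp1 (assumed)
FXP1_GW="192.0.2.1"                              # gateway on fxp1's network (assumed)
TABLE=10                                         # ipfw table holding SPECIAL_NETS (assumed)

# Dry run by default: print each command; set APPLY=1 to execute as root.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

setup_second_nat() {
    # Step 1: static routes so the kernel picks fxp1 for the special destinations.
    for net in $SPECIAL_NETS; do
        run route add -net "$net" "$FXP1_GW"
        run ipfw table "$TABLE" add "$net"
    done
    # Step 2: a NAT instance that aliases to fxp1's address.
    run ipfw nat 2 config if fxp1 same_ports reset
    # Step 3: send traffic to/from those destinations through instance 2,
    # numbered below the default NAT rule so it is evaluated first.
    run ipfw add 400 nat 2 ip4 from any to "table($TABLE)" out xmit fxp1
    run ipfw add 410 nat 2 ip4 from "table($TABLE)" to any in recv fxp1
}

setup_second_nat
```

Review the printed commands against the live ruleset (`ipfw list`) before running with APPLY=1, since rule order decides which NAT instance a packet reaches.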
Re: IPFW and NATD problem
On Tuesday 08 May 2007 11:40:58 am Gardner Bell wrote:

> Hi all,
>
> I've been following the IPFW section in the handbook and /etc/rc.firewall to try and setup a gateway for my home LAN but I'm having a bit of trouble getting access to the internet. My network setup looks like so.
>
>     192.168.x.x bge1 - 192.168.x.x bge0 x.x.x.x
>     --LANSwitch-FreeBSD---ISP
>
> Bge0 successfully receives an IP from my ISP's DHCP server and I can ping the LAN without any issues. When it comes to accessing the internet I get a hostname lookup failure. Any help resolving this is greatly appreciated.

Do you have gateway_enable=yes in your /etc/rc.conf? (check the value of the net.inet.ip.forwarding sysctl).

What DNS server is your LAN machine trying to use? Can you ping it (or anything else) by IP?

JN