IPFW About IPFW NAT...

B

bleakwind

I'm running vm-bhyve on freebsd11.1. one IP on igb0.

# ifconfig
Code: 
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2400b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6>
        ether 6c:ae:8b:60:07:ca
        hwaddr 6c:ae:8b:60:07:ca
        inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vm-public
        ether 02:62:3b:2e:55:00
        inet 192.168.8.1 netmask 0xffffff00 broadcast 192.168.8.255
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 0 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 200000
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vmnet-windows2008-0-public
        options=80000<LINKSTATE>
        ether 00:bd:f7:4b:f8:00
        hwaddr 00:bd:f7:4b:f8:00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        groups: tap
        Opened by PID 1344

# vi /etc/rc.conf
Code: 
ifconfig_igb0="inet 192.168.1.201 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
firewall_script="/home/ipfw/ipfw.rules"

gateway_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="igb0"

vm_enable="YES"
vm_dir="zfs:zroot/vm"
vm_list=""
vm_delay="10"
# vi /etc/sysctl.conf
Code: 
net.link.tap.up_on_open=1
net.inet.ip.fw.one_pass=0
net.inet.ip.fastforwarding=1
net.inet6.ip6.forwarding=1
# vi /home/ipfw/ipfw.rules
Code: 
ipfw nat 10 config ip 192.168.1.201
ipfw add 151 nat 10 ip from 192.168.8.1/24 to any out via igb0
ipfw add 152 nat 10 ip from any to any in via igb0
ipfw add 800 allow ip from any to any
Host: 192.168.1.201
Bridge0: 192.168.8.1
Client: 192.168.8.202
And the client can't access outside network. and the redirect_port also did not work.

How can I fix this? Thanks for help!
 
Last edited:
Does your kernel have the IPDIVERT option? I think you also need:

/etc/rc.conf
Code: 
natd_enable="YES"
natd_interface="igb0"
natd_flags="-dynamic -m" # -m preserves port numbers
 
ComradeSlice said:
Does your kernel have the IPDIVERT option? I think you also need:

/etc/rc.conf
Code: 
natd_enable="YES"
natd_interface="igb0"
natd_flags="-dynamic -m" # -m preserves port numbers
Click to expand...

Thanks for your reply.
I use firewall_nat for nat, It does not need natd.
I know pf is much simpler than ipfw, but I use ipfw before, and don't want change to pf, I just want ipfw and kernel nat ipfw_nat do this.
I think the ipfw_nat rule something not right.

anyway, thanks for help.
 
Last edited:
I believe you still need certain kernel options if you want to stick with ipfw nat. Do you have IPDIVERT in your kernel or ipdivert_load="YES" in your loader.conf? Do you have IPFIREWALL_NAT in your kernel?

These are all the kernel options associated with ipfw. I just did a LINT to check them:

options MROUTING
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_NAT
options IPFIREWALL_NAT64
options IPFIREWALL_NPTV6
options IPDIVERT

Which of these do you have in your kernel?
 
ComradeSlice said:
I believe you still need certain kernel options if you want to stick with ipfw nat. Do you have IPDIVERT in your kernel or ipdivert_load="YES" in your loader.conf? Do you have IPFIREWALL_NAT in your kernel?

These are all the kernel options associated with ipfw. I just did a LINT to check them:

options MROUTING
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_NAT
options IPFIREWALL_NAT64
options IPFIREWALL_NPTV6
options IPDIVERT

Which of these do you have in your kernel?
Click to expand...

As I know, if use ipfw and ipfw_nat, don't need ipdivert and natd.Only need one of them.

Also you don't need put ipdivert in kernel, just load them, link this:

Code: 
# vi /etc/rc.conf 
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
firewall_script="/home/ipfw/ipfw.rules"

gateway_enable="YES"
                                                     
firewall_nat_enable="YES"                            
firewall_nat_interface="alc0"

# vi /boot/loader.conf
libalias_load="YES"

But I can't use ipfw_nat well, and there is no info to find.
 
I am trying to help you. I know there is barely any documentation on this feature.

Do you have "options IPFIREWALL_NAT" in your kernel? This is not for natd. This is for ipfw's nat. I had to dig through the source tree to verify this.

There is a file in the tree called "netpfil/ipfw/ip_fw_nat.c". It is optional. It only gets compiled if you have this option. This file provides the ipfw_nat module. I'm willing to bet this is why it does not work for you.
 
I know you help me, and thanks again!

if you put this in /etc/rc.conf
Code: 
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
firewall_script="/pub/admin/ipfw/ipfw.rules"

gateway_enable="YES"

firewall_nat_enable="YES"
firewall_nat_interface="alc0"

ipfw and ipfw_nat will open. you can kldstat see it:
Code: 
# kldstat
Id Refs Address            Size     Name
 1   27 0xffffffff80200000 1f67a88  kernel
 2    1 0xffffffff82169000 316708   zfs.ko
 3    2 0xffffffff82480000 cb78     opensolaris.ko
 4    1 0xffffffff8248d000 aac8     if_tap.ko
 5    1 0xffffffff82498000 11ea0    if_bridge.ko
 6    2 0xffffffff824aa000 9148     bridgestp.ko
 7    2 0xffffffff824b4000 17288    libalias.ko
 8    1 0xffffffff824cc000 35b060   vmm.ko
 9    1 0xffffffff82828000 5058     nmdm.ko
10    2 0xffffffff82f11000 23528    ipfw.ko
11    1 0xffffffff82f35000 5c2f     ipfw_nat.ko
 
I didn't know they had a kernel module for that. I had assumed it had to be built in. There is so little documentation on this it's annoying. Want to try tcpdump? Take a capture of you trying to use the NAT and pipe it to a file. Search for the packets that are being sent/dropped/lost and post a few. If you're connecting via SSH (because it'll generate tons of packets) or want to negate some specific traffic here's the general syntax:

Code: 
sudo tcpdump -i igb0 "src port not ssh && dst port not ssh"
 
On top I change the posts, now I set the network like pf way.

Host: 192.168.1.201
Bridge0: 192.168.8.1
Client: 192.168.8.202

Code: 
# vi /etc/rc.conf
ifconfig_igb0="inet 192.168.1.201 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
firewall_script="/home/ipfw/ipfw.rules"

gateway_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="igb0"

vm_enable="YES"
vm_dir="zfs:zroot/vm"
vm_list=""
vm_delay="10"

# vi /etc/sysctl.conf
net.link.tap.up_on_open=1
net.inet.ip.fw.one_pass=0
net.inet.ip.fastforwarding=1
net.inet6.ip6.forwarding=1

# vi /home/ipfw/ipfw.rules
ipfw nat 10 config ip 192.168.1.201
ipfw add 151 nat 10 ip from 192.168.8.1/24 to any out via igb0
ipfw add 152 nat 10 ip from any to any in via igb0
ipfw add 800 allow ip from any to any

# ifconfig
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2400b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6>
        ether 6c:ae:8b:60:07:ca
        hwaddr 6c:ae:8b:60:07:ca
        inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vm-public
        ether 02:62:3b:2e:55:00
        inet 192.168.8.1 netmask 0xffffff00 broadcast 192.168.8.255
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 0 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 200000
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vmnet-windows2008-0-public
        options=80000<LINKSTATE>
        ether 00:bd:f7:4b:f8:00
        hwaddr 00:bd:f7:4b:f8:00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        groups: tap
        Opened by PID 1344

And on client can ping 192.168.8.1.
But still can't ping outside network like 8.8.8.8.
 
I would try tcpdump. They say you can fix any firewall problems with some time spent in tcpdump :)

You could also try filtering on ping:

Code: 
tcpdump -i igb0 "proto \icmp"

(icmp is a keyword so it needs to be escaped)

Run that and try pinging an outside IP in another session. Post what the results are.
 
ComradeSlice said:
I would try tcpdump. They say you can fix any firewall problems with some time spent in tcpdump :)

You could also try filtering on ping:

Code: 
tcpdump -i igb0 "proto \icmp"

(icmp is a keyword so it needs to be escaped)

Run that and try pinging an outside IP in another session. Post what the results are.
Click to expand...

Thank you very much. but this afternoon I just spend 3 hour move ipfw to pf, include all my firewall rules, and it's work very well. :)
But sometime if I have time, I still will try ipfw_nat, and test it until ipfw_nat can work!

And anyone have any idea, reply this topic, I would be very grateful.
 
You must log in or register to reply here.
Back
Top