Hi,

Well, I'm not sure that it's the kind of message you'd expect on this mailing list, but I couldn't really find a users' mailing list, so here I am.

In short, we (= http://maiznet.fr/) use ipfw for our network, mainly because of dummynet's capabilities, which clearly outperform any other solution for our needs. The network in question is inside a dormitory, providing Internet to some 150 people. We have:

- 3 WAN links (2 ADSL and 1 SDSL). I know it is quite insufficient, but we can't get more. [re1, re2, re3]
- 1 student network [re0]
- 1 DMZ [re4]
- 1 office network [re5]

These are all on different subnets, and NAT is used a bit everywhere, along with load-balancing. Here is a recent "ipfw show": http://pastebin.com/ma3h9FUU

Now everything works fine, except that sometimes, for no reason, it looks like a rule just stops working: sometimes the DNS gets blocked, or some users complain about not having Internet at all (including internal routing not working for them)...

Take yesterday's example: packets that were routed through ADSL2 were NATed correctly outgoing and correctly reverse-NATed incoming, but were not routed to the client. If I added a custom "allow" just after the NAT, it started working again (but the allow should be automatic due to state checking).

The only solution we have so far: we just reload the rules, and everything gets back to normal. Which is a bit unpleasant, I must say...

So, I've run out of ideas; does anyone see why some rules just block like that? Maybe we should move to the in-kernel NAT?

Help is much appreciated,

-- 
Rémy Sanchez
http://hyperthese.net/
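As an added illustration, not part of Rémy's message or of the maiznet ruleset he links to: a minimal stateful ipfw ruleset built on the in-kernel NAT (ipfw nat) he asks about, for a single WAN link, written in the style of /etc/rc.firewall. The interface names re0 and re1 are taken from the message; the LAN prefix 192.168.10.0/24, the rule numbers and the one_pass setting are assumptions, and it assumes a FreeBSD kernel with ipfw_nat support (FreeBSD 7.0 or later). By default it only prints the ipfw commands; set FW=/sbin/ipfw and SYSCTL=/sbin/sysctl to actually apply them.

```shell
#!/bin/sh
# Added example, not from the original post or from the maiznet ruleset:
# stateful ipfw with in-kernel NAT (ipfw nat) for ONE WAN link, in the
# style of /etc/rc.firewall.  re0/re1 come from the post; LAN_NET, the rule
# numbers and ONE_PASS=0 are assumptions.  Dry run by default: set
# FW=/sbin/ipfw and SYSCTL=/sbin/sysctl to apply the rules for real.
FW="${FW:-echo ipfw}"
SYSCTL="${SYSCTL:-echo sysctl}"
LAN_IF="re0"; LAN_NET="192.168.10.0/24"   # students network (prefix assumed)
WAN_IF="re1"                               # one of the WAN links in the post

# net.inet.ip.fw.one_pass=1 (the default) makes a packet leave the ruleset
# right after a "nat" or "pipe" action, so rules placed after the NAT are
# never evaluated.  This ruleset relies on the packet continuing, hence 0.
ONE_PASS=0

# How a LAN -> WAN flow traverses the rules below:
#   first outbound packet (out xmit re1): 100 finds no state -> 400 matches,
#       creates a dynamic rule on the PRE-NAT addresses and jumps to 500
#       (nat) -> 510 allow.
#   reply (in recv re1): 100 cannot match, dst is still the public address
#       -> 300 translates dst back to the LAN host -> 310 check-state matches
#       the dynamic rule and runs its parent action, skipto 500 -> 500 does
#       not match an inbound packet -> 510 allow.
#   later outbound packets: 100 matches -> skipto 500 -> nat -> allow, so an
#       established flow is still translated instead of bypassing the NAT.
#   anything else falls to 450 and is denied (and logged).
rules() {
    cat <<EOF
-f flush
nat 1 config if ${WAN_IF} same_ports reset
add 100 check-state
add 200 allow ip from any to any via lo0
add 250 allow ip from any to any via ${LAN_IF}
add 300 nat 1 ip from any to any in recv ${WAN_IF}
add 310 check-state
add 400 skipto 500 ip from ${LAN_NET} to any out xmit ${WAN_IF} keep-state
add 450 deny log ip from any to any
add 500 nat 1 ip from any to any out xmit ${WAN_IF}
add 510 allow ip from any to any
EOF
}

# Set the sysctl, then feed every rule line to ipfw (or echo it).
apply() {
    ${SYSCTL} net.inet.ip.fw.one_pass=${ONE_PASS}
    rules | while IFS= read -r line; do
        # word splitting of $line is intended: each line is one argument list
        ${FW} ${line}
    done
}

apply
```

Rule 450 is the catch-all, so the DMZ, the office network and the other two WAN links with their load-balancing would each need rules of their own ahead of it; the point of this fragment is only the ordering of NAT, keep-state and check-state so that return traffic is reverse-translated before it is matched against the dynamic rule.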
