On 11.08.2012 09:58, Ian Smith wrote:
In freebsd-questions Digest, Vol 427, Issue 6, Message: 16
On Fri, 10 Aug 2012 12:39:36 +0200 "Christoph P.U. Kukulies"
<k...@kukulies.org> wrote:
> On 10.08.2012 11:40, Christoph P.U. Kukulies wrote:
> > On 10.08.2012 11:28, Christoph P.U. Kukulies wrote:
> >> The problem need not be confined to 9.0. It stated to develop
> >> under 5.1 already.
> > read: started to develop...
> >>
> >> I'm running a natd gateway machine that was developing strange
> >> behaviour such that the
> >> outside interface (ed0, BNC connector) that was connected via a small
> >> media converter switch to
> >> the providers sync line had dropouts. The machine couldn't ping into
> >> the Internet and also couldn't be pinged.
> >>
> >> I first thought it was the switch/media converter, but another
> >> (Windows XP) machine that was on the
> >> same BNC cable worked flawlessly.
That XP box was directly on the outside, not inside nat'd via this one?
Yes, on the same BNC cable/interface.
--+------------+--80.72.44.x----+---[SWITCH/BNCtoTP]-----INTERNET------
  |            |                |
80.72.44.228  80.72.44.226      |
  ed0          |               ed0
FreeBSD 5.1   XP Box        FreeBSD 9.0
  xl0                           em0
  |                             |
--+-----172.27.x.x--------------+----Intranet------------
> >> So I decided to migrate that 5.1 machine to a 9.0 machine. The
> >> situation now is that I have the 9.0 machine
> >> at the BNC cable and simultaneously the old FreeBSD 5.1 gateway on the
> >> same BNC cable but through a
> >> TP adapter. This way the old machine works fine and I can care about
> >> the new machine.
Not quite clear .. can you sketch your network configuration?
Hope the ascii art doesn't get garbled.
> >> Is there a known problem with ed0 cards that have the Realtek 8029
> >> chipset? Do they need some
> >> special flags like memory mapping or irq?
Long time since I've run anything with 10base2/BNC, but it used to work
ok, on an ed0.
> >> When I for example boot the 9.0 machine, the coming up of the em0 (the
> >> on-mainboard interface) results in a highlighted
> >> kernel message on the console. The coming up of the ed0 is not
> >> flagged this way. And as a result the
> >> ed0 interface seems to be dead.
Does the outside interface have a static address, or do you use DHCP
via the provider's switch/hub/whatever? Show /etc/rc.conf setup. It
smells a bit like the interface may not be up soon enough at that time;
the ntpd message below could also indicate something like that re ipv6.
No DHCP in the game. Everything static.
> >> Here are some excerpts of dmesg:
> >> em0: <Intel(R) PRO/1000 Network Connection 7.2.3> port 0x4400-0x441f
> >> mem 0x93100000-0x9311ffff,0x93124000-0x93124fff irq 20 at device 25.0
> >> on pci0
> >> em0: Using an MSI interrupt
> >> em0: Ethernet address: 00:1c:c0:37:b2:9f
> >>
> >> ed0: <RealTek 8029> port 0x1000-0x101f irq 22 at device 1.0 on pci7
> >> ed0: Ethernet address: 00:e0:7d:7c:2b:4a
> >>
> >> I also see this:
> >> Jul 30 23:03:54 forum ntpd[1711]: unable to create socket on ed0 (20) for fe80::2e0:7dff:fe7c:2b4a#123
You should get more / better clues if you boot with verbose messages.
> > Forgot to add this info:
> >
> > ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> > ether 00:e0:7d:7c:2b:4a
> > inet 80.72.44.230 netmask 0xfffffff0 broadcast 80.72.44.239
> > inet6 fe80::2e0:7dff:fe7c:2b4a%ed0 prefixlen 64 scopeid 0xa
> > nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> > media: Ethernet autoselect (10base2/BNC)
> >
>
> Must add some more info:
>
> My kernel config:
>
> cpu I486_CPU
> cpu I586_CPU
> cpu I686_CPU
> ident DIVERT
>
> makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
> options IPDIVERT
> options IPFIREWALL_DEFAULT_TO_ACCEPT
>
> (the rest like in GENERIC).
Just to mention: you don't actually need to include FIREWALL* or DIVERT
in kernels these days; a GENERIC kernel will work fine, loading modules
as needed. Only exception is if you needed FIREWALL_FORWARD, which it
appears you don't.
Ah, that's good to know.
> Strange thing:
>
> I can ping neither the outside interface address nor the inside
> (172.27.2.115)
forum2# egrep 'ifconfig|firewall|natd|gateway|ntpd' /etc/rc.conf
### Basic network and firewall/security options: ###
ifconfig_em0=" inet 172.27.2.115 netmask 255.255.0.0"
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
ifconfig_ed0="inet 87.79.34.230 netmask 0xfffffff0 "
ntpd_enable="NO"
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_interface="ed0" # Public interface or IPaddress to use.
natd_flags="" # Additional flags for natd.
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="simple" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="YES" # Set to YES to enable events logging
gateway_enable="YES"
/etc/natd.conf isn't there,
but natd is running as /sbin/natd -n ed0
00100 332 117666 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 58395 6512836 allow ip from any to any via em0
00500 0 0 deny ip from 172.27.0.0/16 to any in via ed0
00600 0 0 deny ip from 80.72.44.0/28 to any in via em0
00700 0 0 deny tcp from any to 80.72.44.230 dst-port 3306
00800 0 0 deny tcp from any to 80.72.44.230 dst-port 515
00900 0 0 deny tcp from any to 80.72.44.230 dst-port 139
01000 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 139
01100 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 137
01200 0 0 allow udp from 80.72.44.227 to 80.72.44.230 dst-port 137
01300 0 0 allow udp from 80.72.44.227 to 80.72.44.230 dst-port 138
01400 0 0 deny tcp from any to 172.27.2.115 dst-port 3306
01500 0 0 deny tcp from any to 172.27.2.115 dst-port 515
01600 0 0 deny tcp from any to 172.27.2.115 dst-port 139
01700 0 0 allow tcp from 80.72.44.227 to 172.27.2.115 dst-port 139
01800 0 0 allow tcp from 80.72.44.227 to 172.27.2.115 dst-port 137
01900 0 0 allow udp from 80.72.44.227 to 172.27.2.115 dst-port 137
02000 0 0 allow udp from 80.72.44.227 to 172.27.2.115 dst-port 138
02100 0 0 deny tcp from any to 80.72.44.230 dst-port 587
02200 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
02300 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
02400 0 0 deny ip from any to 10.0.0.0/8 via ed0
02500 0 0 deny ip from any to 172.16.0.0/12 via ed0
02600 0 0 deny ip from any to 192.168.0.0/16 via ed0
02700 0 0 deny ip from any to 0.0.0.0/8 via ed0
02800 0 0 deny ip from any to 169.254.0.0/16 via ed0
02900 0 0 deny ip from any to 192.0.2.0/24 via ed0
03000 6 306 deny ip from any to 224.0.0.0/4 via ed0
03100 0 0 deny ip from any to 240.0.0.0/4 via ed0
03200 5082 354910 divert 8668 ip from any to any via ed0
03300 0 0 allow tcp from any to any established
03400 0 0 allow ip from any to any frag
03500 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 25 setup
03600 3720 240576 allow udp from 80.72.44.230 to any dst-port 53 keep-state
03700 0 0 allow udp from 80.72.44.230 to any dst-port 123 keep-state
03800 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 80 setup
03900 0 0 allow tcp from 199.99.9.163 to 80.72.44.230 dst-port 80 setup
04000 0 0 allow tcp from 199.99.9.247 to 80.72.44.230 dst-port 80 setup
04100 0 0 allow tcp from 80.72.44.227 to 80.72.44.230 dst-port 22 setup
04200 0 0 allow tcp from 199.99.9.163 to 80.72.44.230 dst-port 22 setup
04300 0 0 allow tcp from 199.99.9.247 to 80.72.44.230 dst-port 22 setup
04400 0 0 allow tcp from any to 172.27.2.115
04500 0 0 deny log logamount 5 tcp from any to any in via ed0 setup
04600 0 0 allow tcp from any to any setup
65535 1367 114702 allow ip from any to any
# netstat -finet -rn
forum2# netstat -finet -rn
Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            80.72.44.225       UGS         0     7440    ed0
80.72.44.224/28    link#10            U           0     2700    ed0
80.72.44.230       link#10            UHS         0        4    lo0
127.0.0.1          link#12            UH          0      160    lo0
172.27.0.0/16      link#1             U           0      722    em0
172.27.2.115       link#1             UHS         0        2    lo0
forum2#
This is the information so far.
Pinging the interfaces with their respective addresses works now.
What doesn't work is the pinging of the neighbour machine (XP)
80.72.44.226 which I can ping from the FreeBSD 5.1 neighbour machine.
I can still imagine that there is a hardware problem that leads to
packet corruption or something. I will exchange the media converter/switch next.
Thanks a lot.
--
Christoph
>
> --
> Christoph Kukulies
Please show output from:
# egrep 'ifconfig|firewall|natd|gateway|ntpd' /etc/rc.conf
# cat /etc/natd.conf
# ipfw show
# netstat -finet -rn
cheers, Ian
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
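A small cross-check of the kind of output Ian asked for, added here as an example and not code from the thread: it parses rc.conf and `ipfw show` lines (constructed excerpts of the listings above) and reports duplicated rule bodies (02200/02300), a missing divert rule on natd_interface, and an interface address from rc.conf that the ruleset never mentions (the posted rc.conf gives ed0 87.79.34.230 while every rule uses 80.72.44.230). The sample strings and the address regex are assumptions for the demo.

```python
import re

# Constructed sample, abbreviated from the thread's own rc.conf excerpt.
RC_CONF = '''
ifconfig_em0=" inet 172.27.2.115 netmask 255.255.0.0"
ifconfig_ed0="inet 87.79.34.230 netmask 0xfffffff0 "
natd_interface="ed0"
'''
# Constructed sample, abbreviated from the thread's `ipfw show` output.
IPFW_SHOW = '''
02200 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
02300 0 0 deny tcp from any to 80.72.44.230 dst-port 6000
03200 5082 354910 divert 8668 ip from any to any via ed0
65535 1367 114702 allow ip from any to any
'''
RULE_RE = re.compile(r'^(\d{5})\s+(\d+)\s+(\d+)\s+(.+)$')   # number packets bytes body
IPV4_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')

def parse_rc_conf(text):
    """Return ({iface: first IPv4 in its ifconfig_ line}, natd_interface)."""
    ifaces, natd_if = {}, None
    for key, val in re.findall(r'^(\w+)="([^"]*)"', text, re.M):
        if key.startswith('ifconfig_'):
            m = IPV4_RE.search(val)
            ifaces[key[len('ifconfig_'):]] = m.group(0) if m else None
        elif key == 'natd_interface':
            natd_if = val.strip()
    return ifaces, natd_if

def parse_ipfw(text):
    """Return [(number, packets, bytes, body)] from `ipfw show` lines."""
    found = (RULE_RE.match(ln.strip()) for ln in text.splitlines())
    return [(int(m[1]), int(m[2]), int(m[3]), m[4]) for m in found if m]

def audit(rc_text, ipfw_text):
    """Cross-check the ruleset against rc.conf; return a list of findings."""
    ifaces, natd_if = parse_rc_conf(rc_text)
    rules = parse_ipfw(ipfw_text)
    findings, seen = [], {}
    for num, _pkts, _bytes, body in rules:
        if body in seen:  # same rule body listed twice
            findings.append(f'rule {num:05d} duplicates {seen[body]:05d}: {body}')
        seen.setdefault(body, num)
    if not any(b.startswith('divert ') and f'via {natd_if}' in b for *_, b in rules):
        findings.append(f'no divert rule via natd_interface {natd_if}')
    addr = ifaces.get(natd_if)
    if addr and addr not in IPV4_RE.findall(' '.join(b for *_, b in rules)):
        findings.append(f'{natd_if} address {addr} from rc.conf never appears in ruleset')
    return findings
```

Run `audit(RC_CONF, IPFW_SHOW)` against the real files by reading them in place of the constructed strings; the wrapped rule lines in a mail body must be rejoined first, since the parser expects one rule per line.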