Do you have a FreeBSD NAT gateway? - BSD


  1. Do you have a FreeBSD NAT gateway?

    Hello Everyone,
    I didn't have luck with an earlier posting here, regarding a specific
    problem with my clients behind a FreeBSD gateway using pf and the built-in
    NAT service of pf.

    I thought perhaps generalizing the question will yield some response.

    There surely must be some of you sharing a DSL/Cable internet connection
    using a FreeBSD gateway machine.

    Does it work properly for you?

    My Mac mini behind the NAT gateway has strange connection problems. In
    general, the internet access does work. The majority of webpages (like
    www.freebsd.org, www.hu.freebsd.org, or fsn.hu) appear to work the same
    way as when the mini had the direct connection. But there are some webpages
    which are extremely slow to load, although they do show up finally. Also,
    if I click on a pdf or zip URL to download a file, the download shows up
    in Safari's download manager immediately and then the progress bar doesn't
    move for about 50-120 seconds, after which it starts and quite quickly
    downloads the file as usual. I also found one specific website which never
    works from behind the NAT gateway and throws some kind of timeout error
    such as “lost network connection” (NSURLErrorDomain:-1005), as if the site
    didn't even exist. It works perfectly when the mini is directly on the
    internet.
    Have you ever experienced similar issues?

    For those of you who have a FreeBSD NAT gateway working fine, how did you
    do it? Do you use the NAT feature of pf or do you use the NAT at the OS
    level (I mean the enable_nat="YES" in rc.conf)?

    Do you also run named on the gateway?
    As for me, my problems seem to be related to the time the connection is
    established between the internal client and the external host across the
    gateway. Once that is done, the data exchange seems to work fine. I wonder
    if using a caching-named would improve (maybe even solve) my problems.

    My gateway runs FreeBSD 6.2-PRERELEASE, built world about a week ago after
    syncing the source to RELENG_6 after a general install from a 6.1R CD.

    I would be grateful for any comment, idea or suggestion on this topic!
    My entire pf.conf and rc.conf are available on request.

    Regards,
    Keve

    --
    if you need to reply directly:
    keve(at)mail(dot)poliod(dot)hu

  2. Re: Do you have a FreeBSD NAT gateway?

    Keve Nagy wrote:
    > There surely must be some of you sharing a DSL/Cable internet connection
    > using a FreeBSD gateway machine.


    Yep, I do that.
    My setup is as follows: my xDSL provider provides a router, not a modem,
    which means that it does NAT already at the router.
    I have configured the xDSL router to forward all ports (or at least all
    ports I'm interested in) to my firewall / NAT gateway.
    In addition, I also had to add rules to this router to let it pass the
    traffic that I'm interested in (example: for http I have one "pass
    traffic" rule and one "forward this to ip" rule. Get it?)
    The firewall / NAT gateway (this is the FreeBSD box) sits between the
    xDSL router and the switch to my network
    This box also does NAT (using natd) and firewalling (using ipfw).
    So in effect, I do double NAT. Works for me.

    In addition, I run named (local zone + forwarders) on the box.


    > Does it work properly for you?


    Yes, it does.

    > My Mac mini behind the NAT gateway has strange connection problems. In
    > general, the internet access does work. The majority of webpages (like
    > www.freebsd.org, www.hu.freebsd.org, or fsn.hu) appear to work the same
    > way as when the mini had the direct connection. But there are some webpages
    > which are extremely slow to load, although they do show up finally.
    > Also, if I click on a pdf or zip URL to download a file, the download
    > shows up in Safari's download manager immediately and then the progress
    > bar doesn't move for about 50-120 seconds, after which it starts and


    Hmm, if I were you I would look for DNS issues. How to do that under OSX
    I don't know.

    > Have you ever experienced similar issues?


    Nope, my network was already working properly when I installed my Mac mini.

    > For those of you who have a FreeBSD NAT gateway working fine, how did
    > you do it? Do you use the NAT feature of pf or do you use the NAT at the
    > OS level (I mean the enable_nat="YES" in rc.conf)?


    Eh... ummm.. My gateway isn't running the newest version of FreeBSD, I'm
    using natd and ipfw.
    If you are using pf my guess is that it would make sense to use both
    firewall and nat in pf, because you would have only one place to update
    your rules when you must change / add something.


    > Do you also run named on the gateway?


    Yep, see above.

    > As to me my problems seem to be related to the time the connection is
    > established between the internal client and the external host across the
    > gateway. Once that is done, the data exchange seems to work fine. I
    > wonder if using a caching-named would improve (maybe even solve) my
    > problems.


    Probably, if that is where the problem is.
    Which takes longer for you: setting up a caching DNS on your gateway, or
    testing for DNS problems on your Mac mini?

    Very often, issues relating to long startup times (i.e. long times to
    initiate connections) are DNS issues.
    Today, a network needs working DNS; there are just too many services
    (web, ssh, mail, etc.) that rely on a working DNS setup.
    When you test for DNS issues, always remember to test both the forward
    (name to IP address) and the reverse (IP address to name) DNS lookup.
    --
    Torfinn Ingolfsen,
    Norway
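
Added example, not part of the thread or of any poster's configuration: a small
sh(1) script that does the check Torfinn describes above, a timed forward lookup
of a name followed by a timed reverse lookup of the address it returned,
optionally against one specific resolver (for instance the gateway's named). It
assumes dig(1) from BIND and a date(1) that understands +%s, both present on
FreeBSD 6.x; the hostnames in the usage line are placeholders. Only the helper
functions run without arguments, so it can be dropped on either the gateway or
the Mac mini and invoked with a name to test.

```sh
#!/bin/sh
# Added example (not from the thread). Times a forward lookup of a name and
# the reverse lookup of the address it returns, the two checks recommended
# above, optionally against a specific resolver such as the gateway's named.
# Assumes dig(1) from BIND (in the FreeBSD base system in 6.x) and date +%s.

# in-addr.arpa name for a dotted IPv4 address (what dig -x builds internally).
ptr_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Compare two DNS names ignoring case and the trailing dot that dig prints.
same_name() {
    a=$(echo "${1%.}" | tr 'A-Z' 'a-z'); b=$(echo "${2%.}" | tr 'A-Z' 'a-z')
    [ "$a" = "$b" ]
}

# Run one dig query; print "<seconds> <first answer>" (answer empty on failure).
# +time/+tries keep a dead resolver from hiding behind dig's own retries.
timed_lookup() {
    start=$(date +%s)
    answer=$(dig +short +time=5 +tries=1 "$@" 2>/dev/null | head -n 1)
    echo "$(( $(date +%s) - start )) $answer"
}

# Forward, then reverse, for $1; $2 is an optional resolver address.
# A multi-second delay here is paid on every new connection and looks
# exactly like the "progress bar does not move" symptom, so it is flagged.
dns_roundtrip() {
    name=$1; server=${2:+@$2}
    set -- $(timed_lookup $server "$name" A)
    [ -n "$2" ] || { echo "FAIL forward $name: no answer after $1 s"; return 1; }
    addr=$2; echo "forward  $name -> $addr ($1 s)"
    [ "$1" -le 2 ] || echo "WARN slow forward lookup ($1 s)"
    set -- $(timed_lookup $server -x "$addr")
    echo "reverse  $addr -> ${2:-<no PTR>} ($1 s)"
    [ "$1" -le 2 ] || echo "WARN slow reverse lookup ($1 s)"
    same_name "${2:-}" "$name" ||
        echo "NOTE PTR does not point back at $name (normal for shared web hosts, fatal for some mail and ssh setups)"
    return 0
}

# Usage: sh dnscheck.sh <hostname> [resolver-ip]
# e.g.   sh dnscheck.sh www.freebsd.org 10.10.10.1   (resolver IP is a placeholder)
if [ $# -ge 1 ]; then
    dns_roundtrip "$@"
fi
```

Run it once against the ISP's resolver and once against the gateway's named; if
the forward answer arrives fast from both, the slow page loads are not a DNS
problem and the next thing to look at is the MTU on the PPPoE link.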

  3. Re: Do you have a FreeBSD NAT gateway?

    Keve Nagy wrote:
    >For those of you who have a FreeBSD NAT gateway working fine, how did
    >you do it? Do you use the NAT feature of pf or do you use the NAT at
    >the OS level (I mean the enable_nat="YES" in rc.conf)?


    I've had a NAT gateway for, oh, 6 years or so. First with ipfw, then with
    ipf. For a while I ran it with one interface connected to the same switch
    as the other computers; the switch was connected to upstream.
    A static ARP and good packetfilters are a must in this configuration.

    Now I run it with two interfaces and the switch is the back-end network.
    I run named, a private DHCP server and a slew of other services on the
    gateway. The OS is RELENG_6. The only problems I have are rcorder
    problems (dhclient starts before the interfaces are up, etc.).

    I have never encountered the problems you describe. The only advice I
    can give is to use tcpdump and similar tools.

    >As to me my problems seem to be related to the time the connection is
    >established between the internal client and the external host across
    >the gateway. Once that is done, the data exchange seems to work fine.
    >I wonder if using a caching-named would improve (maybe even solve) my
    >problems.


    Unlikely, unless your hardware is VAX vintage; an i486DX-100 can completely
    saturate 20 Mbit full-duplex ethernet.


    scs

    Here is my config:

    outside <=> fxp0 = outside, static IP for the moment.
    |
    | (ipf, ipnat)
    |
    switch <=> sis0 = inside, static IP for the moment.


    Some relevant, censored, info from my config files:

    8<--
    # /etc/sysctl.conf

    # 20060116: Despite some furious rewriting by Andre Opperman, enabling
    # the fastforwarding speed optimizations still breaks my ipnat setup.
    net.inet.ip.fastforwarding=0

    8<--
    # /etc/rc.conf
    hostname="MY_FANTASTIC_HOSTNAME"

    dhclient_enable="YES"
    dhclient_program="/sbin/dhclient" # Path to dhcp client program.
    dhclient_flags="-c /usr/local/etc/dhcp/dhclient.conf -l /var/db/dhcp/dhclient.leases"
    background_dhclient="YES" # Start dhcp client in the background.

    ## ipfw
    firewall_enable="NO" # Set to YES to enable firewall functionality
    ## ipfw

    ## ipfilter
    ipfilter_enable="YES" # Set to YES to enable ipfilter functionality
    ipfilter_program="/sbin/ipf" # where the ipfilter program lives
    # see /usr/src/contrib/ipfilter/rules for examples
    ipfilter_rules="/usr/local/etc/ipf.rules"
    ipfilter_flags=""

    ipnat_enable="YES" # Set to YES to enable ipnat functionality
    ipnat_program="/sbin/ipnat" # where the ipnat program lives
    ipnat_rules="/usr/local/etc/ipnat.rules"
    ipnat_flags=""

    ipmon_enable="YES" # Set to YES for ipmon; needs ipfilter or ipnat
    ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
    ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"

    tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
    log_in_vain="0" # >=1 to log connects to ports w/o listeners.
    tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
    # For the following option you need to have TCP_DROP_SYNFIN set in your
    # kernel. Please refer to LINT and NOTES for details.
    tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
    icmp_drop_redirect="YES" # Set to YES to ignore ICMP REDIRECT packets
    icmp_log_redirect="YES" # Set to YES to log ICMP REDIRECT packets

    # List of network interfaces (or "auto").
    network_interfaces="auto"

    # Loopback (Always set this!)
    ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.

    # Intel Ether Express 100/10
    #ifconfig_fxp0="DHCP link0"
    ifconfig_fxp0="inet 666.666.666.666/66 link0 polling"

    # SiS 900 Fast Ethernet
    #ifconfig_sis0="DHCP link0"
    ifconfig_sis0="inet 10.10.10.3/27 polling"
    ifconfig_sis0_alias0="inet 10.10.10.1/32 polling"

    #
    named_enable="YES" # Run named, the DNS server (or NO).
    named_program="/usr/sbin/named" # path to named, if you want a different one.
    #named_flags="" # Flags for named
    named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
    named_uid="bind" # User to run named as
    named_chrootdir="/var/named" # Chroot directory (or "" not to auto-chroot it)
    named_chroot_autoupdate="YES" # Automatically install/update chrooted
    # components of named. See /etc/rc.d/named.
    named_symlink_enable="YES" # Symlink the chrooted pid file

    ### Network routing options: ###
    # Set to default gateway (or NO).
    defaultrouter="777.777.777.777"
    # Set to static route list (or leave empty).
    # -> This is necessary for DHCP + BOOTP
    static_routes="broadc"
    route_broadc="-net 255.255.255.255 10.10.10.1 -interface"

    gateway_enable="YES" # Set to YES if this host will be a gateway.
    arpproxy_all="NO" # replaces obsolete kernel option ARP_PROXYALL.
    forward_sourceroute="NO" # do source routing (only if gateway_enable is set to "YES")
    accept_sourceroute="NO" # accept source routed packets to us

    ### Miscellaneous network options: ###
    icmp_bmcastecho="NO" # respond to broadcast ping packets

    8<--
    # ipnat
    # XXX: 0.0.0.0/32 means 'the address at run-time'

    # Note: if we want to access services on the same machine that runs
    # ipnat, we _must_ exempt the internal IP addresses of the machine
    # from mapping. Unfortunately with ipfilter there is no compact way.
    # If we try to be clever, this file can't be simply edited if there's
    # change in topology.

    # map "external iface" "internal ip range" -> "whatever external ip"
    #map fxp0 10.10.10.0/27 -> 0/32 portmap tcp/udp auto
    #map fxp0 10.10.10.0/27 -> 0/32

    # 20060116: this does not work; the destination ip (e.g. 10.10.10.1)
    # is translated _before_ the matching rule.
    #map fxp0 from 10.10.10.0/27 ! to 10.10.10.1/32 -> 0/32 portmap tcp/udp auto
    #
    #map fxp0 10.10.10.1/32 -> 0/32 portmap tcp/udp auto
    map fxp0 10.10.10.2/32 -> 0/32 portmap tcp/udp auto
    # etc
    8<--

  4. Re: Do you have a FreeBSD NAT gateway?

    Hello!

    Keve Nagy wrote:

    > My Mac mini behind the NAT gateway has strange connection problems. In
    > general, the internet access does work. The majority of webpages (like
    > www.freebsd.org, www.hu.freebsd.org, or fsn.hu) appear to work the same
    > way as when the mini had the direct connection. But there are some webpages
    > which are extremely slow to load, although they do show up finally. Also,
    > if I click on a pdf or zip URL to download a file, the download shows up
    > in Safari's download manager immediately and then the progress bar doesn't
    > move for about 50-120 seconds, after which it starts and quite quickly
    > downloads the file as usual.


    Your DSL connection probably uses an MTU smaller than 1500 and
    you are running into problems caused by either you or some
    web server's admin blocking ICMP "fragmentation needed" messages.
    Or both of you ;-)

    I'm almost 100% sure about that, given the symptoms you describe.

    Solution:

    # cd /usr/ports/net/tcpmssd
    # make install clean
    # man tcpmssd

    For the record: I'm running NAT, ipfw, IPSec VPN, named, FreeRADIUS
    all on a Soekris Net4801 device that features 128 MB of DRAM.
    FreeBSD 6.2-RC1, currently. Works like a charm.

    HTH,
    Patrick
    --
    punkt.de GmbH Internet - Dienstleistungen - Beratung
    Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe http://punkt.de

  5. Re: Do you have a FreeBSD NAT gateway?

    Hi again, Everyone!

    Many thanks for your responses, I really appreciate the help.
    Your replies kind of confirmed what I was afraid of. People who use a
    FreeBSD NAT gateway do that the traditional way, either by natd or ipnat
    usually depending on their firewall being ipf or ipfw.

    Using pf is relatively new in FreeBSD, and using pf with its own nat
    functions appears really pioneering. I feel a bit lonely in my crusade to
    get it working. Unfortunately I have way too much time invested in
    learning pf and generally nothing in ipf and ipfw.

    So I either keep going with my crusade and try to get pf+pfnat working, or
    I abandon this plan entirely and use one of the proven ways with a
    different firewall and either natd or ipnat.
    Neither of these options seems attractive. Maybe I am just too tired.
    I give it some sleep and see how I feel about it tomorrow.
    Somehow, I feel tempted to recycle the whole gateway machine and buy a
    home router box from D-Link or Edimax and use that. But where is my
    pioneering, my pride, my mental improvement and my joy then?

    Well, on second thought ...
    pioneering : find out how simple it is with a home router box
    pride : problem solved fast and easy
    mental improvement : recognise to drive on the paved road
    joy : finally it works

    So my argument quickly backfired. I really need to sleep!

    Good night!
    Keve

    --
    if you need to reply directly:
    keve(at)mail(dot)poliod(dot)hu

  6. Re: Do you have a FreeBSD NAT gateway?

    Patrick M. Hausen wrote:
    > Your DSL connection probably uses an MTU smaller than 1500 and
    > you are running into problems caused by either you or some
    > web server's admin blocking ICMP "fragmentation needed" messages.
    > Or both of you ;-)
    >
    > I'm almost 100% sure about that, given the symptoms you describe.


    Interesting, unexpected, but logical.
    And such ideas are always welcome here!

    This could mean that I may not have any trouble around pf and its nat
    functions, which could really save me a lot of time and effort.

    Unfortunately this MTU thing is beyond my knowledge, and I don't know
    exactly what MTU my ISP is using, but I know one related thing for sure:
    The current PPPoE settings in my DSL modem are the following-
    MTU 1400 bytes
    MRU 1492 bytes

    These were the default values, and since I didn't know what these are (and
    the ISP support refused to give me any help with these values, probably
    due to the fact that the guy had no idea either regarding what these are)
    I left them as I found them.
    I don't know if it is really what the ISP uses, but this is what my modem
    is set for at the moment. Could I solve my problems by increasing this to a
    value higher than 1500? Too risky to try.
    Anyway, 1400 is definitely less than 1500, here is where your theory is
    proven.

    > Solution:
    >
    > # cd /usr/ports/net/tcpmssd
    > # make install clean
    > # man tcpmssd


    Great idea, I didn't know about this useful port before!
    BUT, before I start playing with it, I have a question which doubts the
    MTU theory. If my problem is really MTU related, shouldn't I have the same
    connection issues when the Mac mini is directly connecting to the DSL
    modem (the modem does built-in PPPoE)?
    Or having it rephrased, if the trouble is caused by my
    gateway/firewall/router machine by dropping those ICMP messages, shouldn't
    the problem disappear by opening up the firewall temporarily (disable all
    filtering rules)?

    > For the record: I'm running NAT, ipfw, IPSec VPN, named, FreeRADIUS
    > all on a Soekris Net4801 device that features 128 MB of DRAM.
    > FreeBSD 6.2-RC1, currently. Works like a charm.


    Nice job!
    I was also considering building one of those, for similar (and lesser)
    purposes. It is good to know that it can be done and it works fine.


    Patrick, your suggestion is very much appreciated!
    I will study the recommended port and run some tests to see if it solves
    my problems, which I really-really hope!

    Thank you!

    Best regards,
    Keve

    --
    if you need to reply directly:
    keve(at)mail(dot)poliod(dot)hu

  7. Re: Do you have a FreeBSD NAT gateway?

    Keve Nagy wrote:
    >
    > Using pf is relatively new in FreeBSD, and using pf with its own nat
    > functions appears really pioneering. I feel a bit lonely in my crusade to
    > get it working. Unfortunately I have way too much time invested in
    > learning pf and generally nothing in ipf and ipfw.
    >
    > So I either keep going with my crusade and try to get pf+pfnat working, or
    > I abandon this plan entirely and use one of the proven ways with a
    > different firewall and either natd or ipnat.
    > Neither of these options seems attractive. Maybe I am just too tired.
    > I give it some sleep and see how I feel about it tomorrow.
    > Somehow, I feel tempted to recycle the whole gateway machine and buy a
    > home router box from D-Link or Edimax and use that. But where is my
    > pioneering, my pride, my mental improvement and my joy then?


    Look at pfsense.org. Probably you can figure out what they have set up
    from their source or maybe by looking at a running system. Or just use
    it as-is.

    --
    Warren Block * Rapid City, South Dakota * USA

  8. Re: Do you have a FreeBSD NAT gateway?

    Hi!

    Keve Nagy wrote:

    > Unfortunately this MTU thing is beyond my knowledge, and I don't know
    > exactly what MTU my ISP is using, but I know one related thing for sure:
    > The current PPPoE settings in my DSL modem are the following-
    > MTU 1400 bytes
    > MRU 1492 bytes


    So, it is smaller than 1500 - the standard MTU of the Ethernet
    connecting your Mac Mini and your FreeBSD box.

    > Great idea, I didn't know about this useful port before!
    > BUT, before I start playing with it, I have a question which doubts the
    > MTU theory. If my problem is really MTU related, shouldn't I have the same
    > connection issues when the Mac mini is directly connecting to the DSL
    > modem (the modem does built-in PPPoE)?


    No, if your Mac Mini connects directly, it gets the smaller MTU.
    If it connects through your FreeBSD router, it doesn't.

    > Or having it rephrased, if the trouble is caused by my
    > gateway/firewall/router machine by dropping those ICMP messages, shouldn't
    > the problem disappear by opening up the firewall temporarily (disable all
    > filtering rules)?


    Maybe. This depends on which end of your connection is the
    culprit. If it's your firewall, then open it for a short period
    and run some tests. Then adapt it appropriately. You don't want
    to block ICMP, in general.
    If it's the firewall in front of the web server you are connecting
    to, you are out of luck - you need to adapt the MSS of the clients
    internal to your firewall/router.

    Unfortunately I don't know a bit about pf and how it does NAT
    and if it supports MSS manipulation. I'm using ipfw, natd and
    tcpmssd, because that was more in the "mainstream" of FreeBSD.

    Kind regards,
    Patrick
    --
    punkt.de GmbH Internet - Dienstleistungen - Beratung
    Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe http://punkt.de
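
Added example, not from the thread or from any of its posters, serving Patrick's
diagnosis in post 4 and his two open points in post 8 (whether the fault is on
your side or the web server's, and whether pf can clamp the MSS). It is a sh(1)
script that derives the MSS clamp value from a link MTU, binary-searches the
real path MTU with Don't-Fragment pings, and prints a pf.conf fragment that NATs
the LAN, clamps the MSS with pf's own "scrub ... max-mss" (so tcpmssd is not
needed with pf) and explicitly passes ICMP "fragmentation needed". Assumptions:
IPv4 without IP or TCP options (20-byte IP, 20-byte TCP and 8-byte ICMP
headers); ping -D sets the DF bit as it does on FreeBSD and Mac OS X (Linux uses
-M do instead); fxp0, sis0 and 10.10.10.0/27 are placeholder names borrowed
from scs's config earlier in the thread; the 1492-byte figure is the PPPoE MTU
Adrian mentions.

```sh
#!/bin/sh
# Added example (not from the thread). Derives the TCP MSS clamp and the
# DF-bit ping size for a given MTU, binary-searches the real path MTU with
# ping, and prints a pf.conf fragment that NATs the LAN and clamps the MSS.
# Assumptions: IPv4 with no IP or TCP options (20-byte IP header, 20-byte
# TCP header, 8-byte ICMP header); ping -D means "set Don't Fragment" as it
# does on FreeBSD and Mac OS X (Linux needs -M do instead); fxp0, sis0 and
# 10.10.10.0/27 are placeholder names taken from scs's config above.

# Largest TCP payload that fits in one packet of the given link MTU.
# 1492 (PPPoE) -> 1452, 1400 -> 1360.
mss_for_mtu() {
    echo $(( $1 - 20 - 20 ))
}

# ping -s value that produces an IP datagram of exactly the given size.
ping_payload_for_mtu() {
    echo $(( $1 - 20 - 8 ))
}

# One DF-bit ping of the given total datagram size; succeeds if answered.
# Run from the LAN client: a reply at 1500 means the path is fine, a reply
# only at 1492 or below confirms the smaller PPPoE MTU is being hit.
probe_mtu() {
    ping -D -c 1 -s "$(ping_payload_for_mtu "$2")" "$1" >/dev/null 2>&1
}

# Binary search for the path MTU to $1 between the IPv4 minimum and Ethernet.
# If probes fail at every size above 576 while plain ping works, ICMP
# "fragmentation needed" is being dropped somewhere on the path (the
# blackhole case); TCP then stalls with DF-set retransmissions until the
# sender gives up and shrinks its segments, which is the 50-120 s pause.
find_pmtu() {
    host=$1; lo=576; hi=1500
    if probe_mtu "$host" "$hi"; then echo "$hi"; return 0; fi
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe_mtu "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# pf.conf fragment for $1=external if, $2=internal if, $3=LAN prefix, $4=MTU.
# "scrub ... max-mss" is pf's own MSS clamping; the ICMP rules keep PMTU
# discovery working for peers that honour it.
pf_mss_rules() {
    mss=$(mss_for_mtu "$4")
    cat <<EOF
ext_if="$1"
int_if="$2"
lan="$3"

# Rewrite the MSS option in every TCP SYN crossing the uplink so neither end
# ever sends a segment larger than the PPPoE link carries.
scrub on \$ext_if all max-mss $mss

nat on \$ext_if from \$lan to any -> (\$ext_if)

# Never drop ICMP unreachable / fragmentation needed (type 3, code 4):
# dropping it produces exactly the stalled-then-fast downloads described above.
pass in on \$ext_if inet proto icmp all icmp-type unreach code needfrag
pass out on \$ext_if inet proto icmp all icmp-type unreach code needfrag
EOF
}

# Usage: sh pmtu.sh <remote host> [ext_if] [int_if] [lan]
if [ $# -ge 1 ]; then
    pmtu=$(find_pmtu "$1")
    echo "# path MTU to $1: $pmtu, MSS clamp $(mss_for_mtu "$pmtu")"
    pf_mss_rules "${2:-fxp0}" "${3:-sis0}" "${4:-10.10.10.0/27}" "$pmtu"
fi
```

To answer Patrick's "which end is the culprit" question, run find_pmtu from the
Mac mini against a site that works and against the one that never loads: if the
working site reports 1492 and the broken one fails at every size, the far end
(or something in front of it) is eating the ICMP, and clamping the MSS on the
gateway is the only fix available from your side. Load the printed fragment
with pfctl -nf first to syntax-check it, and keep the needfrag rules even if the
rest of the ruleset blocks ICMP.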

  9. Re: Do you have a FreeBSD NAT gateway?

    On Tue, 28 Nov 2006 14:43:21 +0100, Keve Nagy wrote:

    > Hello Everyone,
    > I didn't have luck with an earlier posting here, regarding a specific
    > problem with my clients behind a FreeBSD gateway using pf and the built-in
    > NAT service of pf.
    >
    > I thought perhaps generalizing the question will yield some response.
    >
    > There surely must be some of you sharing a DSL/Cable internet connection
    > using a FreeBSD gateway machine.
    >
    > Does it work properly for you?
    >


    Yes. I'm using a D-Link DSL-300T in bridge mode, via mpd so the BSD box
    gets the public IP (Two NICs, one with no address connected to the
    DSL-300, second NIC on the LAN). I use dnsmasq for DHCP and DNS resolution
    for LAN hosts. Some services are port forwarded to LAN hosts. Currently
    using ipfw and natd, but ipf and ipnat have also worked. 6.2-PRERELEASE
    with custom kernel on an old 900 MHz Compaq P3 with 512 MB. Runs Asterisk
    too, and maintains VPNs to other FBSD systems (again with mpd).

    Sounds like you may be suffering from an MTU that's too large - mine is
    set to 1492 - but the symptoms you describe are typical. Hosts on my LAN
    are a couple of Windows (XP and 2000) machines, an assortment of SPARCs
    with NetBSD or Linux (Gentoo), i386es with FBSD 6.x. Everything works.

    I've successfully run similar gateway setups on old 486DX 100s and FBSD
    4.x.

    -Adrian


  10. Re: Do you have a FreeBSD NAT gateway?

    Keve Nagy wrote:
    If you are interested in the details and outcomes of this thread, please
    join us in my related thread with the subject "How to set up ipfw for
    tcpmssd?".

    Regards,
    Keve

    --
    if you need to reply directly:
    keve(at)mail(dot)poliod(dot)hu
