12.0 + pf NAT = sadness

Just looking for a sanity check: is anyone running 12.0 with pf providing NAT successfully?

My little router box has been working like a champ, but upon upgrade to 12.0, the PF NAT layer does pass any traffic. No change to the pf.conf in the process.

Thank goodness for boot environments!
 

Hello Eric A. Borisch, I installed two BBB Wifi AP working as NAT pf, in Italy, a few days ago. It is working. I found the dhcpd conf is slightly changed in 12 ... I may check tomorrow, now on cell phone.
 
Code:
root@maelcum:~ # uname -a
FreeBSD maelcum.dicelan.home 12.0-STABLE FreeBSD 12.0-STABLE r342912 GENERIC  amd64
root@maelcum:~ # pfctl -sn
nat pass on em0 inet from 192.168.10.0/24 to any -> (em0) round-robin
nat pass on em0 inet from 10.0.1.0/24 to any -> (em0) round-robin
rdr pass on em0 inet proto udp from any to any port = 27016 -> 192.168.10.96 port 27016
rdr pass on em0 inet proto tcp from any to any port = 27016 -> 192.168.10.96 port 27016
rdr on em0 inet proto tcp from 185.10.51.26 to (em0) port = 9200 -> 192.168.10.197 port 9200
rdr pass on em0 inet proto tcp from 185.10.51.26 to any port = 10051 -> 192.168.10.200 port 10051
rdr-anchor "miniupnpd" all
 
I've been tracking 12-STABLE since it got branched off, I did have a period with some odd random panics but this seems to have been resolved since my last update. I never had any issues with NAT not working or not passing traffic though.
 
I have other 12.0 machines that are doing great, but none are providing NAT... back to poking at this, then. I do have interfaces that are getting renamed before PF starts, but other than that it's not too exotic.
 
I got a PF NAT also working in 12.0 over bridged LAN/WLAN. The only hiccup I had updating FreeBSD 11 --> 12 was the DHCP issue I posted. But that's somehow caused by mysterious 802.11n problems and turning off 802.11n fixed it (though Windows Wi-Fi machines could still work?). Only Adrian Chadd could understand how that's happening!
 
Check if all kernel modules are loaded. Sometimes after upgrade config files get messed up, for example I used graphics/drm-next-kmod for my graphics card and after the upgrade it became graphics/drm-fbsd12.0-kmod. Naturally, I had to uninstall the old port and install the new one.
 
Not sure this is a bug...
UE / AXE are drivers for USB NICs from ASIX.
This kind of NIC has some limitations. You can't compare this very lightweight and cheap "NIC" to a professional Intel PCI card.

Most people in this forum use either high grade NICs in some servers, or usually the onboard wired NIC.

Limitations often occur on wireless NICs and... USB.
For example, under Windows when I run VirtualBox, I can't use a bridged connection on my wireless NIC; it crashes.
I can only use it on the onboard NIC.

It was important for everyone to note that we are speaking here of USB NICs.

You got me. I'm not using enterprise hardware for my home firewall box. ;)

As noted in the comments to the bug report, if_axe.c has hardly changed in this time, so while this is a USB chipset, the regression is (likely) somewhere else.

It's also not like this is something that I explicitly had enabled, either: the ifconfig_* line had default configurations previously (explicitly, it was SYNCDHCP) -- I had to add -txcsum to make it work in 12.0, but not in 11.2.

"It used to work, and now it doesn't" is a regression; USB device or otherwise...
 
I hate to necro threads. But I figured it would perhaps be justified in this case as I can confirm the regression is still present in the latest version of 12-STABLE.

But a big thank you Eric A. Borisch! I spent days ripping out my hair wondering wtf was going on with my PF config, it did not make any sense at all! [icmp packets were going through fine, but nothing else, which was really perplexing]. I ended up having to dig deeper into my hardware before including the axe driver in my search terms too.
 
I’m glad to hear it helped!

A comment on the bug report (linked above) will do more to help get it addressed. (I no longer have the hardware in question running.)
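
A check for the condition behind the workaround discussed in this thread (adding -txcsum on a ue/axe USB NIC), as an added example that is not from any poster: it parses `ifconfig` output and lists interfaces that have the TXCSUM capability enabled. The sample output is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: find interfaces with TX checksum offload enabled, so the
# "-txcsum" workaround from the thread can be tried on the right interface.

# Constructed sample of FreeBSD `ifconfig` output (not taken from the thread).
sample_ifconfig() {
cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO>
    inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE>
    inet 203.0.113.7 netmask 0xffffff00 broadcast 203.0.113.255
ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80009<RXCSUM,VLAN_MTU,LINKSTATE,TXCSUM_IPV6>
EOF
}

# txcsum_ifaces PREFIX
# Reads ifconfig output on stdin and prints each interface whose name starts
# with PREFIX (empty PREFIX = all) and whose options list contains TXCSUM.
txcsum_ifaces() {
    awk -v prefix="${1:-}" '
        # Interface header line, e.g. "ue0: flags=..."
        /^[^ \t:]+: flags=/ { iface = $1; sub(/:$/, "", iface); next }
        # Capability line: names are the comma-separated list inside <...>
        /^[ \t]+options=/ {
            caps = $0
            sub(/^[^<]*</, "", caps)
            sub(/>.*$/, "", caps)
            n = split(caps, c, ",")
            for (i = 1; i <= n; i++) {
                # Exact match, so TXCSUM_IPV6 alone does not count.
                if (c[i] == "TXCSUM" &&
                    (prefix == "" || index(iface, prefix) == 1))
                    print iface
            }
        }'
}

# Demo on the constructed sample; on a real router: ifconfig | txcsum_ifaces ue
for ifn in $(sample_ifconfig | txcsum_ifaces ue); do
    echo "$ifn: TXCSUM enabled; to test the workaround: ifconfig $ifn -txcsum"
done
```

If the runtime test restores traffic, the thread's persistent form is to append `-txcsum` to that interface's existing `ifconfig_*` line in rc.conf.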
 