9.1 not routing

Please help.

I have replaced an 8.x FreeBSD router with a 9.1. The machine refuses to route. Here is my rc.conf:

Code:
hostname="valcor.ob1net.net"

ifconfig_em0=" inet 173.13.184.18 netmask 255.255.255.248"
ifconfig_em1=" inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_em1_alias0=" inet 10.25.0.3 netmask  255.255.0.0"

defaultrouter="173.13.184.22"
gateway_enable="YES"

firewall_enable="YES"
firewall_type="OPEN"

natd_enable="YES"
natd_interface="em0"
natd_flags="-m -s"

sshd_enable="YES"
usbd_enable="YES"

ntpd_enable="YES"
ntpd_sync_on_start="YES"
ntpdate_enable="YES"

apache22_enable="YES"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

bb_enable="YES"

ipfw list:
Code:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any

uname -a:
Code:
FreeBSD valcor.ob1net.net 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243826: Tue Dec  4 06:55:39 UTC 2012     root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

The machine is connected to the internet. Other machines using this machine as the gateway have their traceroutes terminate at 10.0.0.1.

Need we build a custom routing kernel like in the old days?
 
The old 8.x rc.conf:

Code:
# -- sysinstall generated deltas -- # Sat Jul 23 06:15:56 2005
# Created: Sat Jul 23 06:15:56 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

defaultrouter="173.13.184.22"
gateway_enable="YES"
hostname="Valcor.OB1Net.net"

ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 10.25.0.3 netmask 255.255.0.0"
fconfig_rl0_alias1="inet 10.0.0.1 netmask 255.255.255.0"

ifconfig_dc0="inet 173.13.184.18 netmask 255.255.255.248"

inetd_enable="YES"
linux_enable="YES"
moused_enable="NO"
moused_type="NO"
sshd_enable="YES"
usbd_enable="YES"
apache21_enable="YES"


# here are the nat entries
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="dc0"
natd_flags="-m -s"

ntpd_enable="YES"
ntpd_sync_on_start="YES"

ntop_enable="NO"

#Clear specific hosts for monitoring wimax
static_routes="modem clear"
route_modem="-net 10.100.0.0/24 10.0.0.2"
route_clear="-host 71.22.8.249 10.0.0.2"

dc0 is on the internet and is the natd interface.

On the 8.x machine rl0 was 10.0.0.1 and 10.25.0.0.3, the two internal addresses. The packets sent here were routed to dc0. The old machine had dc0 on the internet which was the natd interface.

Would you please elaborate?
 
I'm not a routing expert, but it seems to me that denying the loopback interface (ipfw rules #200 and #300) would be problematic. Is there a reason you are doing that?
 
My working router on 8.2 has the 2 same ipfw rules:
Code:
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any

They are part of the standard install.
 
Solved

At last I found the problem.

Code:
ipfw_load="YES"
ipdivert_load="YES"
net.inet.ip.fw.default_to_accept="1"

were not in /boot/loader.conf.
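
A check for the state shown in this thread, added here as an example (it is not code from any of the posts): natd only receives packets that an ipfw divert rule hands to it, and the posted `ipfw list` has no such rule. The function names, the shortened inputs and the "fixed" rule list are constructed for illustration; the loader.conf comparison is a strict string match on the three lines from the solving post.

```shell
#!/bin/sh
# Added example: offline consistency check for an ipfw + natd gateway.

# rc_get VAR TEXT: value of VAR="value" in rc.conf/loader.conf text (last wins)
rc_get() {
    printf '%s\n' "$2" |
        sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" | tail -n 1
}

is_yes() { case "$1" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac; }

# check_gateway RC_TEXT IPFW_LIST_TEXT LOADER_TEXT: prints one finding per line
check_gateway() {
    is_yes "$(rc_get gateway_enable "$1")" ||
        echo "rc.conf: gateway_enable is not YES"
    if is_yes "$(rc_get natd_enable "$1")"; then
        ifc=$(rc_get natd_interface "$1")
        # natd only sees packets that an ipfw divert rule hands to it
        printf '%s\n' "$2" | grep -Eq "^[0-9]+ divert .* via $ifc( |\$)" ||
            echo "ipfw: no divert rule via ${ifc:-unset}"
    fi
    # The three settings the solving post found missing from loader.conf
    for kv in ipfw_load=YES ipdivert_load=YES \
              net.inet.ip.fw.default_to_accept=1; do
        [ "$(rc_get "${kv%%=*}" "$3")" = "${kv#*=}" ] ||
            echo "loader.conf: ${kv%%=*} is not set to ${kv#*=}"
    done
}

# Inputs taken from the thread (rc.conf and ipfw list shortened)
RC='gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="em0"'
RULES='00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 deny ip from any to any'
LOADER_FIXED='ipfw_load="YES"
ipdivert_load="YES"
net.inet.ip.fw.default_to_accept="1"'
# Constructed: the same list with a divert rule on the natd interface
RULES_NAT="00050 divert 8668 ip4 from any to any via em0
$RULES"

echo "thread's state:"; check_gateway "$RC" "$RULES" ""
echo "after the fix (constructed):"; check_gateway "$RC" "$RULES_NAT" "$LOADER_FIXED"
```

On a live router the three arguments would come from `cat /etc/rc.conf`, `ipfw list` and `cat /boot/loader.conf`.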
 