IPFW About IPFW NAT...

bleakwind

Member

Reaction score: 3
Messages: 38

I'm running vm-bhyve on FreeBSD 11.1 with one IP on igb0.

# ifconfig
Code:
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2400b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6>
        ether 6c:ae:8b:60:07:ca
        hwaddr 6c:ae:8b:60:07:ca
        inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vm-public
        ether 02:62:3b:2e:55:00
        inet 192.168.8.1 netmask 0xffffff00 broadcast 192.168.8.255
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 0 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 200000
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vmnet-windows2008-0-public
        options=80000<LINKSTATE>
        ether 00:bd:f7:4b:f8:00
        hwaddr 00:bd:f7:4b:f8:00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        groups: tap
        Opened by PID 1344
# vi /etc/rc.conf
Code:
ifconfig_igb0="inet 192.168.1.201 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
firewall_script="/home/ipfw/ipfw.rules"

gateway_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="igb0"

vm_enable="YES"
vm_dir="zfs:zroot/vm"
vm_list=""
vm_delay="10"
# vi /etc/sysctl.conf
Code:
net.link.tap.up_on_open=1
net.inet.ip.fw.one_pass=0
net.inet.ip.fastforwarding=1
net.inet6.ip6.forwarding=1
# vi /home/ipfw/ipfw.rules
Code:
ipfw nat 10 config ip 192.168.1.201
ipfw add 151 nat 10 ip from 192.168.8.1/24 to any out via igb0
ipfw add 152 nat 10 ip from any to any in via igb0
ipfw add 800 allow ip from any to any
Host: 192.168.1.201
Bridge0: 192.168.8.1
Client: 192.168.8.202
And the client can't access the outside network, and redirect_port also did not work.

How can I fix this? Thanks for help!
 

ComradeSlice

Member

Reaction score: 9
Messages: 55

Does your kernel have the IPDIVERT option? I think you also need:

/etc/rc.conf
Code:
natd_enable="YES"
natd_interface="igb0"
natd_flags="-dynamic -m" # -m preserves port numbers
 

bleakwind

Member

Reaction score: 3
Messages: 38

> Does your kernel have the IPDIVERT option? I think you also need:
>
> /etc/rc.conf
> Code:
> natd_enable="YES"
> natd_interface="igb0"
> natd_flags="-dynamic -m" # -m preserves port numbers
Thanks for your reply.
I use firewall_nat for NAT; it does not need natd.
I know pf is much simpler than ipfw, but I have used ipfw before and don't want to change to pf; I just want ipfw and the kernel NAT (ipfw_nat) to do this.
I think something in the ipfw_nat rules is not right.

anyway, thanks for help.
 

ComradeSlice

Member

Reaction score: 9
Messages: 55

I believe you still need certain kernel options if you want to stick with ipfw nat. Do you have IPDIVERT in your kernel or ipdivert_load="YES" in your loader.conf? Do you have IPFIREWALL_NAT in your kernel?

These are all the kernel options associated with ipfw. I just did a LINT to check them:

options MROUTING
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_NAT
options IPFIREWALL_NAT64
options IPFIREWALL_NPTV6
options IPDIVERT

Which of these do you have in your kernel?
 

bleakwind

Member

Reaction score: 3
Messages: 38

> I believe you still need certain kernel options if you want to stick with ipfw nat. Do you have IPDIVERT in your kernel or ipdivert_load="YES" in your loader.conf? Do you have IPFIREWALL_NAT in your kernel?
>
> These are all the kernel options associated with ipfw. I just did a LINT to check them:
>
> options MROUTING
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_NAT
> options IPFIREWALL_NAT64
> options IPFIREWALL_NPTV6
> options IPDIVERT
>
> Which of these do you have in your kernel?
As far as I know, if you use ipfw and ipfw_nat, you don't need ipdivert and natd. You only need one of them.

Also, you don't need to put ipdivert in the kernel; just load the modules, like this:

Code:
# vi /etc/rc.conf 
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
firewall_script="/home/ipfw/ipfw.rules"

gateway_enable="YES"
                                                     
firewall_nat_enable="YES"
firewall_nat_interface="alc0"

# vi /boot/loader.conf
libalias_load="YES"
But I can't get ipfw_nat to work well, and there is no info to be found.
 

ComradeSlice

Member

Reaction score: 9
Messages: 55

I am trying to help you. I know there is barely any documentation on this feature.

Do you have "options IPFIREWALL_NAT" in your kernel? This is not for natd. This is for ipfw's nat. I had to dig through the source tree to verify this.

There is a file in the tree called "netpfil/ipfw/ip_fw_nat.c". It is optional. It only gets compiled if you have this option. This file provides the ipfw_nat module. I'm willing to bet this is why it does not work for you.
 

bleakwind

Member

Reaction score: 3
Messages: 38

I know you help me, and thanks again!

If you put this in /etc/rc.conf:
Code:
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
firewall_script="/pub/admin/ipfw/ipfw.rules"

gateway_enable="YES"

firewall_nat_enable="YES"
firewall_nat_interface="alc0"
ipfw and ipfw_nat will be loaded; you can see it with kldstat:
Code:
# kldstat
Id Refs Address            Size     Name
 1   27 0xffffffff80200000 1f67a88  kernel
 2    1 0xffffffff82169000 316708   zfs.ko
 3    2 0xffffffff82480000 cb78     opensolaris.ko
 4    1 0xffffffff8248d000 aac8     if_tap.ko
 5    1 0xffffffff82498000 11ea0    if_bridge.ko
 6    2 0xffffffff824aa000 9148     bridgestp.ko
 7    2 0xffffffff824b4000 17288    libalias.ko
 8    1 0xffffffff824cc000 35b060   vmm.ko
 9    1 0xffffffff82828000 5058     nmdm.ko
10    2 0xffffffff82f11000 23528    ipfw.ko
11    1 0xffffffff82f35000 5c2f     ipfw_nat.ko
 

ComradeSlice

Member

Reaction score: 9
Messages: 55

I didn't know they had a kernel module for that. I had assumed it had to be built in. There is so little documentation on this it's annoying. Want to try tcpdump? Take a capture of you trying to use the NAT and pipe it to a file. Search for the packets that are being sent/dropped/lost and post a few. If you're connecting via SSH (because it'll generate tons of packets) or want to negate some specific traffic, here's the general syntax:

Code:
sudo tcpdump -i igb0 "src port not ssh && dst port not ssh"
 

bleakwind

Member

Reaction score: 3
Messages: 38

I changed the posts at the top; now I have set up the network the pf way.

Host: 192.168.1.201
Bridge0: 192.168.8.1
Client: 192.168.8.202

Code:
# vi /etc/rc.conf
ifconfig_igb0="inet 192.168.1.201 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
firewall_script="/home/ipfw/ipfw.rules"

gateway_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="igb0"

vm_enable="YES"
vm_dir="zfs:zroot/vm"
vm_list=""
vm_delay="10"

# vi /etc/sysctl.conf
net.link.tap.up_on_open=1
net.inet.ip.fw.one_pass=0
net.inet.ip.fastforwarding=1
net.inet6.ip6.forwarding=1

# vi /home/ipfw/ipfw.rules
ipfw nat 10 config ip 192.168.1.201
ipfw add 151 nat 10 ip from 192.168.8.1/24 to any out via igb0
ipfw add 152 nat 10 ip from any to any in via igb0
ipfw add 800 allow ip from any to any

# ifconfig
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2400b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6>
        ether 6c:ae:8b:60:07:ca
        hwaddr 6c:ae:8b:60:07:ca
        inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vm-public
        ether 02:62:3b:2e:55:00
        inet 192.168.8.1 netmask 0xffffff00 broadcast 192.168.8.255
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 0 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 200000
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vmnet-windows2008-0-public
        options=80000<LINKSTATE>
        ether 00:bd:f7:4b:f8:00
        hwaddr 00:bd:f7:4b:f8:00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        groups: tap
        Opened by PID 1344
And the client can ping 192.168.8.1,
but still can't ping an outside address like 8.8.8.8.
 
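As an added example (not from either poster), this script emits an ipfw kernel-NAT rule set for the layout in the post above, including the redirect_port the first post mentions, and checks the prerequisites the replies keep asking about against kldstat and sysctl output. The interface, addresses and client IP are taken from the thread; the forwarded port 80 and the sample kldstat lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit an ipfw kernel-NAT rule set for the
# layout above and sanity-check the prerequisites the replies ask about.
# Assumed values mirror the thread (igb0, 192.168.1.201, 192.168.8.0/24, client
# 192.168.8.202); the forwarded port 80 is a placeholder for whatever the VM serves.
EXT_IF="igb0"; EXT_IP="192.168.1.201"; INT_NET="192.168.8.0/24"; VM_IP="192.168.8.202"

# Print the rules as text; nothing is loaded here (pipe into sh on a real host).
# With net.inet.ip.fw.one_pass=0, as in the thread, a packet keeps going after
# the nat rule and is finally accepted by rule 800.
gen_nat_rules() {
    cat <<EOF
ipfw -q flush
ipfw nat 10 config ip $EXT_IP same_ports reset redirect_port tcp $VM_IP:80 80
ipfw add 100 allow ip from any to any via lo0
ipfw add 151 nat 10 ip from $INT_NET to any out via $EXT_IF
ipfw add 152 nat 10 ip from any to any in via $EXT_IF
ipfw add 800 allow ip from any to any
EOF
}

# Check kldstat and sysctl output for what kernel NAT needs: the three modules
# bleakwind's kldstat shows, plus IPv4 forwarding. Returns 1 and names each gap.
check_nat_prereqs() {
    kld="$1"; sysctls="$2"; rc=0
    for m in ipfw.ko ipfw_nat.ko libalias.ko; do
        echo "$kld" | grep -q "[[:space:]]$m\$" || { echo "missing module: $m"; rc=1; }
    done
    echo "$sysctls" | grep -q '^net.inet.ip.forwarding: 1$' \
        || { echo "net.inet.ip.forwarding is not 1 (gateway_enable?)"; rc=1; }
    return $rc
}

# Constructed sample outputs so the checks run offline (trimmed kldstat lines).
KLD_OK="10    2 0xffffffff82f11000 23528    ipfw.ko
11    1 0xffffffff82f35000 5c2f     ipfw_nat.ko
 7    2 0xffffffff824b4000 17288    libalias.ko"
KLD_NO_NAT="10    2 0xffffffff82f11000 23528    ipfw.ko"
SYSCTL_OK="net.inet.ip.forwarding: 1"

gen_nat_rules
check_nat_prereqs "$KLD_OK" "$SYSCTL_OK" && echo "prerequisites OK"
check_nat_prereqs "$KLD_NO_NAT" "$SYSCTL_OK" || echo "fix the gaps above first"
```

On a live host, feed real output with `check_nat_prereqs "$(kldstat)" "$(sysctl net.inet.ip.forwarding)"` before loading the rules.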

ComradeSlice

Member

Reaction score: 9
Messages: 55

I would try tcpdump. They say you can fix any firewall problems with some time spent in tcpdump :)

You could also try filtering on ping:

Code:
tcpdump -i igb0 "proto \icmp"
(icmp is a keyword so it needs to be escaped)

Run that and try pinging an outside IP in another session. Post what the results are.
 

bleakwind

Member

Reaction score: 3
Messages: 38

> I would try tcpdump. They say you can fix any firewall problems with some time spent in tcpdump :)
>
> You could also try filtering on ping:
>
> Code:
> tcpdump -i igb0 "proto \icmp"
> (icmp is a keyword so it needs to be escaped)
>
> Run that and try pinging an outside IP in another session. Post what the results are.
Thank you very much. But this afternoon I just spent 3 hours moving from ipfw to pf, including all my firewall rules, and it works very well. :)
But sometime, if I have time, I will still try ipfw_nat and test it until it works!

And if anyone has any idea, please reply to this topic; I would be very grateful.
 