IPF IPFW iperf udp testing problem

Hello ..
Can somebody help me with this problem? I have IPFW + kernel NAT + dummynet... The problem is with iperf UDP testing: I get no connection...

First, the ipfw rules:
Code:
#!/bin/sh
cmd="/sbin/ipfw -q"

# external interface
wan_if="ng0"

# internal interface
lan_if="bridge1"
vlan_wifi="vlan31"

# flush rules
$cmd flush
$cmd pipe flush

###upload
$cmd pipe 1 config bw 1Mbit/s
#$cmd queue 1 config pipe 1 weight 1 queue 100 mask src-ip 0xffffffff gred 0.002/17/51/0.1
#$cmd queue 4 config pipe 1 weight 30 queue 100 mask src-ip 0xffffffff gred 0.002/17/51/0.1
$cmd queue 4 config pipe 1 mask src-ip 0xffffffff gred 0.002/17/51/0.1

###download
$cmd pipe 2 config bw 3Mbit/s
#$cmd queue 2 config pipe 2 weight 1  queue 100 mask dst-ip 0xffffffff gred 0.002/17/51/0.1
#$cmd queue 3 config pipe 2 weight 30 queue 100 mask dst-ip 0xffffffff gred 0.002/17/51/0.1
$cmd queue 3 config pipe 2 mask dst-ip 0xffffffff gred 0.002/17/51/0.1


$cmd add 8 deny ip from any to any not antispoof in
# allow on localhost
$cmd add 9 deny all from any to any frag
$cmd add 10 allow ip from any to any via lo0

##$cmd add 11 allow ip from any to any via bridge0
##$cmd add 12 allow ip from any to any via re2
##$cmd add 13 allow ip from any to any via re1
##$cmd add 14 allow ip from any to any via vlan101

# deny on 127.0.0.0/8
$cmd add 20 deny ip from any to 127.0.0.0/8
$cmd add 21 deny ip from 127.0.0.0/8 to any

### NAT
$cmd nat 1 config if $wan_if unreg_only same_ports \
   redirect_port udp 10.10.1.20:162 162 \
   redirect_port udp 10.10.1.20:161 161
$cmd add 50 nat 1 all from any to any in recv $wan_if
$cmd add 51 nat 1 all from any to any out xmit $wan_if

## FreeBSD itself can go wherever it wants
#$cmd add 20 allow ip from any to me
#$cmd add 30 allow ip from me to any

####download
$cmd add 101 queue 3 ip from any to 10.31.1.0/24 in recv $wan_if
####upload
$cmd add 103 queue 4 ip from 10.31.1.0/24 to any via $vlan_wifi


### blocks for wifi toward the LAN and management
$cmd add 150 deny all from 10.31.1.0/24 to 192.168.1.0/24
$cmd add 151 deny all from 10.31.1.0/24 to 10.10.1.0/24

#### stateful
$cmd add 200 check-state
$cmd add 201 allow tcp from any to any established
##$cmd add 202 allow all from any to any out keep-state

#### permissions for FreeBSD
$cmd add 300 allow tcp from me to any out xmit $wan_if setup keep-state
$cmd add 301 allow udp from me to any out xmit $wan_if keep-state
$cmd add 302 allow icmp from any to any icmptypes 0,3,8,11 keep-state
$cmd add 400 allow tcp from any to me 22 in via $wan_if setup keep-state
$cmd add 401 unreach port udp from any to me 33435-33524
$cmd add 404 allow log udp from any to me 5001 keep-state

### other rules for the LAN
$cmd add 1200 allow tcp from 192.168.1.0/24 to any setup keep-state
$cmd add 1201 allow udp from 192.168.1.0/24 to any keep-state
$cmd add 1202 allow ip from any to 192.168.1.0/24
$cmd add 1203 allow gre from any to any

### for wifi
$cmd add 1404 allow tcp from 10.31.1.0/24 to any setup keep-state
$cmd add 1405 allow udp from 10.31.1.0/24 to any keep-state
$cmd add 1406 allow ip from any to 10.31.1.0/24

### for wifi management
$cmd add 1500 allow tcp from 10.10.1.0/24 to any setup keep-state
$cmd add 1501 allow udp from 10.10.1.0/24 to any keep-state
$cmd add 1502 allow ip from any to 10.10.1.0/24


$cmd add 65000 drop log all from any to any

iperf -s -u

Code:
------------------------------------------------------------
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size: 0.04 MByte (default)
------------------------------------------------------------

And in the log I got this:
Code:
Sep 15 14:38:08 cr-jug2 kernel: ipfw: 404 Accept UDP 213.191.144.35:42244 89.172.236.16:5001 in via ng0 (frag 55517:1472@0+)
Sep 15 14:38:08 cr-jug2 kernel: ipfw: 404 Accept UDP 213.191.144.35:42244 89.172.236.16:5001 in via ng0 (frag 55518:1472@0+)
Sep 15 14:38:08 cr-jug2 kernel: ipfw: 404 Accept UDP 213.191.144.35:42244 89.172.236.16:5001 in via ng0 (frag 55519:1472@0+)
Sep 15 14:38:08 cr-jug2 kernel: ipfw: 404 Accept UDP 213.191.144.35:42244 89.172.236.16:5001 in via ng0 (frag 55520:1472@0+)
Sep 15 14:38:08 cr-jug2 kernel: ipfw: 404 Accept UDP 213.191.144.35:42244 89.172.236.16:5001 in via ng0 (frag 55521:1472@0+)
Sep 15 14:38:08 cr-jug2 kernel: ipfw: 404 Accept UDP 213.191.144.35:42244 89.172.236.16:5001 in via ng0 (frag 55522:1472@0+)

But there is no incoming connection from iperf displayed in the output... After disabling ipfw and starting pf (with rules to pass incoming UDP to port 5001), everything works properly, and without any firewall iperf works OK.
 
Fixed... in line 9 I block fragmentation...

Code:
$cmd add 9 deny all from any to any frag

Replaced with:
Code:
$cmd add 9 allow udp from any to me frag
or
$cmd add 9 reass udp from any to me

iperf -s -u

Code:
------------------------------------------------------------
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size: 41.1 KByte (default)
------------------------------------------------------------
[  3] local 89.172.236.16 port 5001 connected with 213.191.144.35 port 39582
[ ID] Interval       Transfer     Bandwidth        Jitter   Lost/Total Datagrams
[  3]  0.0-10.0 sec  11.9 MBytes  10.0 Mbits/sec   0.222 ms    0/ 8504 (0%)
[  3]  0.0-10.0 sec  1 datagrams received out-of-order
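
The log in the first post shows only first fragments (`@0+`) reaching rule 404; per ipfw(8), `frag` matches fragments other than the first, so the original rule 9 dropped each trailing fragment and no datagram could be reassembled. The following added example (not code from the thread) parses ipfw log lines in that format and reports datagrams whose accepted fragments never add up to a whole; the sample lines, their addresses and the logging rule 9 in them are constructed.

```python
import re
from collections import defaultdict

# ipfw log format as shown in the thread. Ports are optional: ipfw prints them
# only for the first fragment (offset 0), the one that carries the UDP header.
LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) UDP "
    r"(?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? .*"
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<mf>\+?)\)"
)

# Constructed sample: datagram 100 has both fragments accepted, datagram 101
# has its trailing 6-byte fragment denied (1470 + 8 UDP header = 1472 + 6).
SAMPLE_LOG = [
    "Sep 15 14:38:08 fw kernel: ipfw: 404 Accept UDP 192.0.2.10:42244 198.51.100.5:5001 in via ng0 (frag 100:1472@0+)",
    "Sep 15 14:38:08 fw kernel: ipfw: 9 Accept UDP 192.0.2.10 198.51.100.5 in via ng0 (frag 100:6@1472)",
    "Sep 15 14:38:08 fw kernel: ipfw: 404 Accept UDP 192.0.2.10:42244 198.51.100.5:5001 in via ng0 (frag 101:1472@0+)",
    "Sep 15 14:38:08 fw kernel: ipfw: 9 Deny UDP 192.0.2.10 198.51.100.5 in via ng0 (frag 101:6@1472)",
]

def incomplete_datagrams(lines):
    """Return sorted (src, dst, ip_id) keys whose accepted fragments do not
    cover the datagram from offset 0 up to a fragment without the MF flag."""
    frags = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if m and m["action"] == "Accept":
            key = (m["src"], m["dst"], int(m["id"]))
            frags[key].append((int(m["off"]), int(m["len"]), m["mf"] == "+"))
    missing = []
    for key, parts in frags.items():
        covered, complete = 0, False
        for off, length, more in sorted(parts):
            if off > covered:          # hole before this fragment
                break
            covered = max(covered, off + length)
            if not more:               # last fragment reached with no holes
                complete = True
                break
        if not complete:
            missing.append(key)
    return sorted(missing)

if __name__ == "__main__":
    for src, dst, ip_id in incomplete_datagrams(SAMPLE_LOG):
        print(f"never reassembled: {src} -> {dst} ip_id={ip_id}")
```

Trailing fragments only show up in the log when the rule that handles them carries the `log` keyword, so a datagram reported here means "no accepted trailing fragment was logged", which is exactly what the thread's log looked like.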
 