IPFW/NATD on OS startup problem

Hello,

This is my system:

Code:
FreeBSD my.domain.com 8.1-RELEASE FreeBSD 8.1-RELEASE #1: Mon Mar 19 13:59:52 EET 2012     root@my.domain.com:/usr/obj/usr/src/sys/NAT_KERNEL  i386

Where NAT_KERNEL is the GENERIC kernel with these options included:

/usr/src/sys/i386/conf/GENERIC:
Code:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options DUMMYNET

This is the part of /etc/rc.conf that concerns the firewall:

Code:
ifconfig_bfe0="inet 99.99.99.99 netmask 255.255.255.224"
cloned_interfaces="vlan0 vlan1 vlan2"
ifconfig_vlan0="inet 192.168.20.1 netmask 255.255.255.0 vlan 5 vlandev rl0"
ifconfig_vlan1="inet 192.168.60.1 netmask 255.255.255.0 vlan 6 vlandev rl0"
ifconfig_vlan2="inet 192.168.80.1 netmask 255.255.255.0 vlan 7 vlandev rl0"
ifconfig_rl0="up"
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_quiet="NO"
gateway_enable="YES"
dhcpd_enable="YES"
dhcpd_ifaces="vlan0 vlan1 vlan2"
natd_enable="YES"
natd_interface="bfe0"
natd_flags="-f /etc/natd.conf"

And finally the confs:

/etc/natd.conf:
Code:
interface bfe0
use_sockets yes
same_ports yes

/etc/ipfw.conf:
Code:
#!/bin/sh
#firewall command
fwcmd=/sbin/ipfw

#interfaces
wan=bfe0
lan=rl0
vpnif=tap0
net0=vlan0
net1=vlan1
net2=vlan2
internal="192.168.20.0/24,192.168.60.0/24,192.168.80.0/24"
external="99.99.99.99/27"
vpnnet="192.168.10.0/24"

fw="skipto 1000"
nat_in="skipto 2000"
nat_out="skipto 5000"
cs="skipto 3000"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

#Setup incoming and outgoing pipes
$fwcmd pipe 20 config bw 640Kbit/s
$fwcmd pipe 60 config bw 640Kbit/s
$fwcmd pipe 80 config bw 640Kbit/s

$fwcmd add divert natd ip from any to any 

$fwcmd add pipe 20 ip from 192.168.20.0/24 to 99.99.99.99/27 out
$fwcmd add pipe 60 ip from 192.168.60.0/24 to 99.99.99.99/27 out
$fwcmd add pipe 80 ip from 192.168.80.0/24 to 99.99.99.99/27 out

#Firewall Rullezzzz
$fwcmd add  1185 allow icmp from 99.99.99.99 to any in recv bfe0
$fwcmd add  1190 deny icmp from any to any in recv bfe0

So far, so good. Everything is working perfectly so far. The trouble is that when I reboot my system, the NAT-ing just stops. I am not sure if the problem is in the NAT or in the IP forwarding. However, the firewall rules are loaded (checked with ipfw show), the natd(8) daemon is running, but hosts behind the server are not able to reach other networks.
I fix it with:
Code:
# /etc/rc.d/ipfw restart

After I execute this, the firewall rules remain the same; ipfw show gives the same output.

This for sure reads the same config file, and also restarts natd(8), which reads the same natd.conf. But after restarting ipfw manually, everything works fine.
After a few reboots, I got tired and put this in /etc/rc.local. Also no problem: now when the system boots, everything works fine.

However, I want to know if anybody else has had the same issue and whether you found a better solution, because I know that /etc/rc.local is a very ugly workaround and shouldn't be used. I want to know where the problem is, because the config files are the same and the firewall rules are the same, but something doesn't work right after boot.

Thank you.
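Added diagnostic, not part of the original post or of FreeBSD's rc scripts: a small sh script that records the three runtime facts the post is unsure about (a divert rule present in ipfw's rule list, a natd process running, IP forwarding enabled), so that a snapshot taken right after boot can be compared with one taken after the manual restart. The check functions take the output of `ipfw show`, `sysctl net.inet.ip.forwarding` and `ps -axo command` as text, so they also run offline; the script assumes natd's default divert port 8668 and that natd shows up in ps as `natd` or `/usr/sbin/natd`.

```shell
#!/bin/sh
# Added example (not from the original post): capture the three runtime facts
# that decide whether natd-based NAT works on this gateway, so a snapshot
# taken at boot can be diffed against one taken after a manual
#   /etc/rc.d/ipfw restart
# Every check parses command output passed in as text, so it also runs offline.

# Rule number of the first divert rule in "ipfw show" output ($1), or empty.
# Assumption: natd listens on its default divert port 8668; ipfw prints the
# port numerically unless -N is given, so both spellings are accepted.
divert_rule_number() {
    printf '%s\n' "$1" | awk '/ divert (natd|8668) /{print $1; exit}'
}

# Returns 0 if "sysctl net.inet.ip.forwarding" output ($1) reports forwarding on.
forwarding_enabled() {
    case "$1" in
        *"net.inet.ip.forwarding: 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if a natd process appears in "ps -axo command" output ($1).
natd_running() {
    printf '%s\n' "$1" | awk '$1 == "natd" || $1 == "/usr/sbin/natd" { found = 1 }
                               END { exit !found }'
}

# Print one summary line; return 0 only when all three conditions hold.
nat_state_summary() {
    d=$(divert_rule_number "$1")
    [ -n "$d" ] || d=none
    if forwarding_enabled "$2"; then f=1; else f=0; fi
    if natd_running "$3"; then n=yes; else n=no; fi
    printf 'divert=%s forwarding=%s natd=%s\n' "$d" "$f" "$n"
    [ "$d" != none ] && [ "$f" = 1 ] && [ "$n" = yes ]
}

# Live snapshot, only on a host that actually has ipfw (e.g. this FreeBSD box).
if command -v ipfw >/dev/null 2>&1; then
    nat_state_summary "$(ipfw show 2>/dev/null)" \
                      "$(sysctl net.inet.ip.forwarding 2>/dev/null)" \
                      "$(ps -axo command 2>/dev/null)"
fi
```

Running it once at boot (from the same rc.local slot, appending its line to a file) and once after `/etc/rc.d/ipfw restart`, then comparing the two lines, shows which of the three states actually differs between the boot that fails and the restart that works; a summary that is identical in both cases points the search elsewhere (for example at the order in which the rc scripts bring up the interfaces and the rules).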