IPNat goes slow on FreeBSD 10.1-release-p5

I recently reinstalled FreeBSD to the latest version with the same configuration files as the previous install (version 9). The FreeBSD box is used as a router / NAT gateway to the Internet. After a fresh reboot the system functions well, however, after a while it gets unstable, requiring several refreshes in the web browser to display a website. I have been trying to fix these problems the past few days (tweaking sysctl networking options, deactivating the firewall, etc.) but have not been able to come up with a solution. I am out of ideas where to look since this exact same configuration worked fine on the previous version of FreeBSD.

ipnat.rules:
Code:
map em0 10.23.0.0/24 -> 213.125.22.131
#map em1 10.23.0.0/24 -> 213.125.22.130
#map em0 192.168.5.0/24 -> 213.125.22.131


# Exchange
rdr em0 0.0.0.0/0 port 443 -> 10.23.0.1 port 443
rdr em0 0.0.0.0/0 port 143 -> 10.23.0.1 port 143
rdr em0 0.0.0.0/0 port 585 -> 10.23.0.1 port 585
rdr em0 0.0.0.0/0 port 993 -> 10.23.0.1 port 993

# Sharepoint
rdr em0 0.0.0.0/0 port 987 -> 10.23.0.1 port 987
rdr em0 0.0.0.0/0 port 8080 -> 10.23.0.1 port 987

# REMS Epsilon
#rdr em0 0.0.0.0/0 port 1443 -> 10.23.0.3 port 443

# L2TP
#rdr em0 0.0.0.0/0 port pptp -> 10.23.0.1 port pptp
#rdr em0 0.0.0.0/0 port l2tp -> 10.23.0.1 port l2tp
#rdr em0 0.0.0.0/0 port 0 -> 10.23.0.1 port 0 gre

# FTP
#map em0 10.23.0.0/24 -> 0/32 proxy port 21 ftp/tcp
#map em0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
Relevant part from rc.conf:
Code:
gateway_enable="yes"
ipnat_enable="yes"
ipnat_rules="/etc/ipnat.rules"
Custom kernel options:
Code:
options  IPSEC
options  IPSEC_NAT_T
device  crypto
options  IPSEC_FILTERTUNNEL
device  enc
options  LIBALIAS
options  IPFILTER
options  IPDIVERT
 
It appears that a temporary remedy is to restart the FreeBSD machine 2x a day. I get the impression that this may be a bug...
 
Any help from anyone?

I have still not found any solution... I will have no choice but to move to Linux in order to solve this problem before the end of the week.
 
An obvious thing to point out is that IPFilter in 10.x is at version 5 and IPFilter in 9.x was version 4. It seems pretty unlikely that such a simple config would have a regression, but the IPFilter change could be a factor. Your config seems trivial enough that trying pf(4) and seeing if that solves the problem would be a significantly easier solution than re-installing the system with Linux.
 
I'm glad you got things working well. That seems like an odd one, particularly since I don't see any other threads on the issue or any open PRs in Bugzilla. It would be interesting to know what was really going on behind the scenes that caused the issues.
 
I'd be interested in seeing your logs, kernel config file, sysctl -a output, ipf -T list output, ifconfig -a output, rules and NAT rules. Can you send them to me please? I'd also like to hear about your network topology, MTU, etc., and if you have any other firewalls in your network, e.g. I use two firewalls, one being FreeBSD IPF, back to back. (You can reply off-list if you want.)
 
I have exactly the same problem. I used a very simple ipnat(8)+ipfw(8) config many years ago and it doesn't work after I switched to FreeBSD 10.2 (from 9.x). Sometimes the new tcp sessions are broken behind the ipnat, and the outside connections too (which are forwarded by the ipnat to an inside server). I tried to analyse the problem with tcpdump(1): the mentioned packets arrive at the gateway, but never leave to the outside. The internal server logs contain many host unreachable and time-out messages. For example, here is a simple icmp:

Code:
# ping ftp.freebsd.org
PING ftp.geo.freebsd.org (193.162.146.4): 56 data bytes
36 bytes from 172.20.30.1: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 8fde   0 0000  40  01 ccab 172.20.30.100  193.162.146.4

36 bytes from 172.20.30.1: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 8fe2   0 0000  40  01 cca7 172.20.30.100  193.162.146.4

The problem does not always exist; sometimes I press ctrl+c, ping again, and it works. :)

The setup is very simple:

outside-----|1.2.3.4 172.20.30.1|-----LAN----|172.20.30.100|

The "outside" interface connects to a layer 2 datacenter switch, and the switch connects to the ISP core router.

/etc/rc.conf:
Code:
ifconfig_em0="inet 1.2.3.4 netmask 0xff000000"
ifconfig_em1="inet 172.20.30.1 netmask 0xff000000"
defaultrouter="1.2.3.1"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

ipnat_enable="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
firewall_logging="YES"
named_enable="YES"

/etc/ipfw.rules:
Code:
add 1000 allow tcp from any to any established
add 1100 allow ip from me to any
add 2000 allow ip from $my_remote_worksation to any
add 2100 deny tcp from any to any 2255
add 2250 deny tcp from any to any 2256
add 65000 allow ip from any to any

/etc/ipnat.rules:
Code:
map em0 172.20.30.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp age 300
map em0 172.20.30.0/24 -> 1.2.3.4/32 portmap tcp/udp 5100:50000 age 3600
map em0 172.20.30.0/24 -> 1.2.3.4/32

#portforwards
rdr em0 1.2.3.4/32 port 2255 -> 172.20.30.100 port 80 tcp
rdr em0 1.2.3.4/32 port 2256 -> 172.20.30.100 port 22 tcp

ifconfig -a:

Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:d5:c5:06
    inet 1.2.3.4 netmask 0xff000000 broadcast 1.255.255.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:d5:c5:10
    inet 172.20.30.1 netmask 0xff000000 broadcast 172.255.255.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

sysctl -a:
http://pastebin.com/0idqreY5

ipf -T list and ipnat -s:
http://pastebin.com/dE6Yqg7E


Many thanks if you investigate!
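The interaction between the rdr rules and the ipfw rules above decides which sources can reach the two forwarded services, so here is a small policy check written for this thread (added example, not the poster's code). It models ipfw first-match evaluation on the pre-translation public port, which is an assumption about hook order; "me" and the redacted $my_remote_worksation are replaced by constructed addresses.

```python
import re

# Constructed inputs (added example, not the poster's files): the ipfw and
# ipnat rules from the post, with "me" and the redacted $my_remote_worksation
# replaced by sample addresses so the check runs offline.
GATEWAY = "1.2.3.4"
WORKSTATION = "198.51.100.7"  # stands in for $my_remote_worksation
IPFW_RULES = f"""
add 1000 allow tcp from any to any established
add 1100 allow ip from {GATEWAY} to any
add 2000 allow ip from {WORKSTATION} to any
add 2100 deny tcp from any to any 2255
add 2250 deny tcp from any to any 2256
add 65000 allow ip from any to any
"""
IPNAT_RULES = """
rdr em0 1.2.3.4/32 port 2255 -> 172.20.30.100 port 80 tcp
rdr em0 1.2.3.4/32 port 2256 -> 172.20.30.100 port 22 tcp
"""

RULE_RE = re.compile(r"add\s+(\d+)\s+(allow|deny)\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)"
                     r"(?:\s+(\d+))?(?:\s+(established))?\s*$")
RDR_RE = re.compile(r"rdr\s+\S+\s+\S+\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+(\w+)")

def parse_ipfw(text):
    """Return (number, action, proto, src, dst_port, established) tuples sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, proto, src, _dst, port, est = m.groups()
            rules.append((int(num), action, proto, src, int(port) if port else None, bool(est)))
    return sorted(rules)

def first_match(rules, proto, src, dport, established=False):
    """ipfw semantics: the first matching rule decides; no match means the default deny (65535)."""
    for num, action, rproto, rsrc, rport, est in rules:
        if rproto not in ("ip", proto) or (est and not established):
            continue
        if rsrc != "any" and rsrc != src:
            continue
        if rport is not None and rport != dport:
            continue
        return num, action
    return 65535, "deny"

def exposure(src):
    """For each rdr, the verdict a new connection from src to the public port gets, plus its target."""
    rules = parse_ipfw(IPFW_RULES)
    result = {}
    for pub_port, inside, in_port, proto in RDR_RE.findall(IPNAT_RULES):
        _num, action = first_match(rules, proto, src, int(pub_port))
        result[int(pub_port)] = (action, f"{inside}:{in_port}")
    return result
```

Running exposure() for an arbitrary Internet address shows both forwarded ports denied by rules 2100 and 2250, while the workstation address is allowed through by rule 2000 before those denies are reached.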
 