natd or ipnat + ipfw + ipf

Hi

I have a problem with this configuration:

When I use natd + ipfw + ipf everything works fine, but I want to use ipnat + ipfw + ipf -> this configuration works (ping + masquerade etc.), but not everything: when I play StarCraft I get big delay and lag... this does not happen when I use the natd + ipfw + ipf configuration, so the hardware is OK.

uname -a
FreeBSD forteca.*** 7.1-RELEASE FreeBSD 7.1-RELEASE #1: Mon Apr 1 00:27:31 CEST 2002 root@forteca.***:/usr/obj/usr/src/sys/FORTECA i386


# Internet firewall
options DUMMYNET
options HZ=2000
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_FORWARD #packet destination changes
#options IPFIREWALL_FORWARD_EXTENDED #all packet dest changes
options IPDIVERT #divert sockets
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_LOOKUP #ipfilter pools
options IPSTEALTH #support for stealth forwarding


gateway_enable="YES"
hostname="forteca.****"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 10.10.10.1 netmask 255.255.255.0"


ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"

firewall_enable="YES"
firewall_type="/etc/ipfw.rules"

ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"

#natd_enable="YES"
#natd_interface="rl0"
#natd_flags="-f /etc/natd.conf"




File: ipf.rules
pass in quick all
pass out quick all

File: ipfw.rules
ipfw -q -f pipe flush
ipfw -q -f queue flush
ipfw -q -f flush
ipfw -q zero

File: ipnat.rules
map rl0 10.10.10.2/32 -> 192.168.1.1/32 proxy port ftp ftp/tcp
map rl0 10.10.10.2/32 -> 192.168.1.1/32 portmap tcp/udp 40000:60000
map rl0 10.10.10.2/32 -> 192.168.1.1/32
rdr rl0 192.168.1.1/32 port 6112 -> 10.10.10.2 port 6112 tcp/udp


File: natd.conf
interface rl0
use_sockets yes
same_ports yes
dynamic yes


Any ideas where the problem is?
 
should be:

File: ipnat.rules
map rl0 10.10.10.2/32 -> 192.168.1.7/32 proxy port ftp ftp/tcp
map rl0 10.10.10.2/32 -> 192.168.1.7/32 portmap tcp/udp 40000:60000
map rl0 10.10.10.2/32 -> 192.168.1.7/32
rdr rl0 192.168.1.7/32 port 6112 -> 10.10.10.2 port 6112 tcp/udp
 
Why are you running multiple packet filters?

Either use ipfw or pf (ipf is pretty much dead in FreeBSD 5+, especially on SMP systems). Both ipfw and pf have in-kernel NAT features (FreeBSD 7+ for ipfw).

You really don't want to have all the extra overhead of processing every network packet through multiple packet filters.
 
I still have issues with this problem. Finally I have found which rule is making the problem:

map rl0 10.10.10.2/32 -> 192.168.1.1/32 proxy port ftp ftp/tcp

When I # that rule, all works fine. Do I really need this? And what can cause this problem? How to debug?
 
First things first: pick 1 packet filter (IPFW, PF, or IPF)

You're still running three separate packet filters, that will be picking up the packets in a random order, and applying different filtering policies to them.

Pick 1. And only edit a rules file for that 1.

For example: if you are using PF, then you don't need ipnat.rules as PF does all the NAT config in the same rules file as the packet filter rules. You also don't need a natd.conf for PF.

Or, if you want to use IPFW, then you don't need the pf.rules or ipnat.rules. And if you are using FreeBSD 7.x, you don't even need a natd.conf.
 
Hi
My configuration looks like this now:

gateway_enable="YES"
hostname="hostname.domain"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 10.10.10.1 netmask 255.255.255.0"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"

uname -a
FreeBSD hostname.domain 7.1-RELEASE-p5 FreeBSD 7.1-RELEASE-p5 #1: Fri Apr 24 20:27:16 CEST 2009

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=5
options         IPFIREWALL_FORWARD
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT
options         DUMMYNET
options         HZ=1000


# I need this to enable ipnat (see -> http://www.freebsddiary.org/ipnat.php)
options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_LOOKUP
options         IPSTEALTH


ipfw show
00100      96       6036 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
65535 6778302 4898982546 allow ip from any to any


cat ipnat.rules
#map rl0 10.10.10.2/32 -> 0.0.0.0/32 proxy port ftp ftp/tcp
#map rl0 10.10.10.2/32 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map rl0 10.10.10.2/32 -> 0.0.0.0/32


I have tested a StarCraft Battle.net game and when I hash this "map rl0 10.10.10.2/32 -> 0.0.0.0/32 proxy port ftp ftp/tcp" all lag and delay is gone... I feel this lag only in StarCraft... other services work well (or I don't feel any delay).

Maybe I have to disable this "options IPDIVERT"? What do you think?
 
You still have 2 firewall stacks (IPFILTER+IPFIREWALL).. Pick ONE!
 
http://www.phildev.net/ipf/IPFfreebsd.html#freebsd12
# How do I use the FreeBSD traffic shaper dummynet(4) with IPF?

Dummynet is closely tied to ipfw(8) and is not supported by IPF. Darren suggests the use of the ALTQ traffic shaper instead. It is possible to use IPFW and IPF together, e.g. using IPFW for dummynet and IPF for filtering and NAT, see below.

# Which is better/faster/cool/etc., IPF or IPFW?

IPF and IPFW are close enough in speed that it is not an issue. As far as which is better, this is something only you can answer. Each is different and appropriate for its own application. Asking this indicates you have not done enough research into these two tools. Find out as much as you can about both, try both, and decide which is best for you.

# IPF and IPFW both have features I want to use, must I choose between them?

No. You can run them both on a single machine. However, you must take care to ensure that one package's rules do not interfere with the other's. Note that the packages get access to rules in the order in which they were loaded, e.g. if IPFW is compiled in the kernel and IPF is loaded as a module, IPFW "sees" packets before IPF.

You still think that I MUST pick one..?
 
Just because it's possible to run multiple packet filters, doesn't mean it's something you should do. The three packet filters work in different ways, connect into different places in the FreeBSD network stack, process packets at different times, and handle NAT in very different ways.

Pick one. Configure one. Make one work. Then decide if you need or want to use another one.

But do 1 thing at a time.
 
I've played more with this and I observe this:

When I use AAA.BBB.CCC.DDD (WAN IP) the lag is gone.
map rl0 10.10.10.2/32 -> AAA.BBB.CCC.DDD/32 proxy port ftp ftp/tcp
map rl0 10.10.10.2/32 -> AAA.BBB.CCC.DDD/32 portmap tcp/udp 40000:60000
map rl0 10.10.10.2/32 -> AAA.BBB.CCC.DDD/32

Also I have been googling a lot about "ipnat redirect rdr port range" and could not find easy information. So I will post it here for everybody. (I know you can easily find that in the manual but I couldn't, soooo..)

#starcraft port redirect
rdr rl0 aaa.bbb.ccc.ddd/32 port 6110-6120 -> 10.10.10.2 port 6110 tcp/udp
or
rdr rl0 0.0.0.0/0 port 6110-6120 -> 10.10.10.2 port 6110 tcp/udp

P.S.
Maybe you are right about picking one NAT.. but I want to use ipnat's advantages (performance and configuration) over natd and I need dummynet too..
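As an added example (not part of this thread and not a FreeBSD tool), here is a small POSIX sh/awk lint that mechanically catches what the last posts found by trial and error: map and rdr rules in ipnat.rules whose external address is not the address the WAN interface actually holds (the stale 192.168.1.1 on a DHCP rl0 that had moved to 192.168.1.7). It treats 0.0.0.0/32 on map and 0.0.0.0/0 on rdr, the wildcard forms used above, as acceptable, and flags any other address that does not match the one you pass in, plus rules bound to a different interface. The interface name, the address and the ruleset inside are constructed to mirror the thread; on a real gateway you would feed it the address from ifconfig.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: lint an ipnat.rules file
# for map/rdr rules whose external address does not match the interface address.
# It only reads the file; it needs neither ipnat nor root.

# ipnat_lint RULESFILE IFNAME IFADDR
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
# 0.0.0.0/32 (map: use the interface address) and 0.0.0.0/0 (rdr: any
# destination) are accepted as wildcard forms and are not reported.
ipnat_lint() {
    awk -v ifname="$2" -v ifaddr="$3" '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    $1 == "map" || $1 == "rdr" {
        if ($2 != ifname) {
            printf("line %d: rule is bound to %s, expected %s\n", NR, $2, ifname)
            bad++
        }
        # map: external address is the token after "->"; rdr: it is the third field
        ext = ""
        if ($1 == "map") { for (i = 3; i < NF; i++) if ($i == "->") ext = $(i + 1) }
        else ext = $3
        if (ext == "") {
            printf("line %d: could not find an external address in this %s rule\n", NR, $1)
            bad++
            next
        }
        split(ext, parts, "/")
        addr = parts[1]
        if (addr == "0.0.0.0" || addr == "0") next   # wildcard form, left to ipnat
        if (addr != ifaddr) {
            printf("line %d: %s rule uses external address %s, but %s is %s\n", NR, $1, addr, ifname, ifaddr)
            bad++
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample reproducing the thread: the FTP proxy and the first rdr
# still carry the stale address 192.168.1.1 while rl0 now holds 192.168.1.7.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# constructed sample, not a real ruleset
map rl0 10.10.10.2/32 -> 192.168.1.1/32 proxy port ftp ftp/tcp
map rl0 10.10.10.2/32 -> 192.168.1.7/32 portmap tcp/udp 40000:60000
map rl0 10.10.10.2/32 -> 0.0.0.0/32
rdr rl0 192.168.1.1/32 port 6112 -> 10.10.10.2 port 6112 tcp/udp
rdr rl0 0.0.0.0/0 port 6110-6120 -> 10.10.10.2 port 6110 tcp/udp
EOF

# On the gateway itself the address would come from the interface, e.g.
#   ifaddr=$(ifconfig rl0 inet | awk '/inet /{print $2}')
# here it is supplied directly so the script runs anywhere.
if ipnat_lint "$SAMPLE_RULES" rl0 192.168.1.7; then
    echo "no problems found"
else
    echo "ruleset needs attention"
fi
rm -f "$SAMPLE_RULES"
```

Run it after every lease change (or from a dhclient hook) and the stale-address case that produced the StarCraft lag shows up as two findings before the rules are loaded, instead of as a symptom in one application.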
 