# IPFW kernel nat problem FreeBSD 8.1 release



## apanas (Aug 11, 2010)

Hello
I upgraded my FreeBSD 8.0 box to 8.1 and now have a problem with IPFW kernel NAT.
The config of nat 1 is:


```
ipfw nat 1 config if fxp2 log deny_in same_ports reset
```

`sysctl -a | grep one_pass` gives

```
net.inet.ip.fw.one_pass: 1
```

The nat rules in the rule body:


```
...
  20700 nat 1 ip from any to any via fxp2
  29900 deny ip from any to any
```

In the 8.0 release these rules work fine:


```
20700 12221 1314739 nat 1 ip from any to any via fxp2
   29900     0       0 deny ip from any to any
```
but in 8.1 all packets matched by rule 20700 do not leave the firewall and continue on to rule 29900:


```
20700   0 5847 nat 1 ip from any to any via fxp2
   29900   0 6023 deny ip from any to any
```

Any idea?

Thanks a lot


----------



## apanas (Aug 12, 2010)

I tried replacing ip with ip4 in the rule body (kern/148827):


```
nat 1 ip4 from any to any via fxp2
```

All the same, it does not help.


----------



## wowan400 (Aug 30, 2010)

I have a similar problem. Was it solved?


----------



## romeor (Aug 31, 2010)

Hello, apanas.
If your problem is not yet solved, I could try to help you.
Give us the interface names and which are LAN/WAN; at this point it is unclear.


----------



## apanas (Aug 31, 2010)

Not solved. fxp2 is the WAN interface. On the LAN interface everything is allowed.
Before the nat rule I have:

```
allow all from any to any via em0
```


----------



## romeor (Aug 31, 2010)

Try placing the rule

```
allow all from any to any via em0
```

after the nat rule, just above the

```
deny ip from any to any
```


----------



## apanas (Sep 1, 2010)

romeor said:

> Try placing the rule
> allow all from any to any via em0
> after the nat rule, just above the
> deny ip from any to any

The problem is not the order of the rules.
This rule is before the nat rule, not after it, and that is correct.
The whole firewall configuration works correctly on FreeBSD 7.1.
All configuration of firewall on freebsd 7.1 work correct.


----------



## apanas (Sep 1, 2010)

apanas said:

> The whole firewall configuration works correctly on FreeBSD 7.1.

And on FreeBSD 8.0 too.


----------



## romeor (Sep 1, 2010)

Well, it's true, I could get your configuration working too. But try this way of defining the nat:

```
NatIP=""                                        # your external card's IP address
nated_lans="192.168.2.0/24,192.168.3.0/24"      # the LAN networks to translate (taken from the commented-out lines below)
ipfw nat 1 config ip ${NatIP} log
#ipfw add nat 1 ip from 192.168.2.0/24 to any
#ipfw add nat 1 ip from 192.168.3.0/24 to any
ipfw add nat 1 ip from ${nated_lans} to any
ipfw add nat 1 ip from any to ${NatIP}
```

This way I managed to get it working.
It seems to be some kind of bug, as I didn't manage to get it working with this kind of nat definition:

```
ipfw nat 1 config if em1 log deny_in
ipfw add nat 1 ip from ${nated_lans} to any via em1
```

These two definitions are generally the same, but the second way seems not to work.


----------



## romeor (Sep 1, 2010)

Well, I got it working without deny_in in the nat rule. Give it a try.


----------



## apanas (Sep 2, 2010)

```
ipfw nat 1 show conf
ipfw nat 1 config ip xxx.xxx.xxx.xxx log same_ports reset
```

Without deny_in, and with the IP address instead of the interface name... still not working:


```
20700  2  137 nat 1 ip from any to any via fxp2  
29900  2  137 deny ip from any to any
```


----------



## romeor (Sep 2, 2010)

Sorry, I can't help you any more, as I've got it working. I think you should review your rules to find the bug.


----------



## apanas (Sep 2, 2010)

romeor said:

> Sorry, I can't help you any more, as I've got it working. I think you should review your rules to find the bug.

If this set of rules works absolutely correctly on FreeBSD 7.2 and 8.0... what kind of bug can I find?

Thank you.


----------



## DutchDaemon (Sep 2, 2010)

apanas, please (re)read http://forums.freebsd.org/showthread.php?t=8816 to learn how to apply proper formatting. Especially the [cmd] tag, which works differently.


----------



## romeor (Sep 3, 2010)

apanas said:

> If this set of rules works absolutely correctly on FreeBSD 7.2 and 8.0... what kind of bug can I find?
>
> Thank you.

It only means that after the update there were some logical changes, so reviewing your own rules after an update is always a good idea.


----------



## terminus (Sep 4, 2010)

It may be a problem related to the one_pass sysctl in 8.1; it does not work with nat (and other subsystems as well) as expected... I too got this kind of trouble after upgrading from 7 to 8.

There are a couple of bug reports on the mailing lists, so the people on the ipfw@ team should be aware of this bug... I hope...


----------



## blackjack (Sep 15, 2010)

Hi
Yes, I too recently found this "feature" in 8.1. So, the solution is (note the highlighted rule 01400):

```
01370  967282663  551608705853 nat tablearg ip from table(22) to any via em0 out
01380 1093220611 1011316253622 nat tablearg ip from any to table(23) via em0 in
01400 2059912550 1562662531102 allow ip from any to any via em0
```
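An added example, not part of blackjack's post or any FreeBSD code, that puts the ordering described in this thread into a loadable ruleset: the nat rules are followed by an explicit allow on the NAT interface, so forwarding no longer depends on net.inet.ip.fw.one_pass terminating the search at the nat rule, and deny_in stays on so that the allow cannot admit inbound packets that have no translation entry. The interface names (fxp2, em0), the inside network and the rule numbers are assumptions borrowed from the thread; the nat_has_allow_after check is my own and accepts either the script's dry-run output or an `ipfw list` listing.

```sh
#!/bin/sh
# Added example (not from the thread): ipfw kernel-NAT ruleset whose forwarding
# does not rely on one_pass=1 stopping the search at the nat rule.
# Assumptions: fxp2 is the WAN interface, em0 the LAN interface; rule numbers
# and the inside network are illustrative.

wan_if="${WAN_IF:-fxp2}"
lan_if="${LAN_IF:-em0}"
inside_net="${INSIDE_NET:-192.168.2.0/24}"

# With IPFW_DRY_RUN=1 the commands are printed instead of executed, so the
# ruleset can be inspected (and checked below) on a host without ipfw.
run() {
    if [ "${IPFW_DRY_RUN:-0}" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

build_nat_rules() {
    # deny_in: drop inbound packets that match no translation entry.  Keep it,
    # because the explicit allow after the nat rules would otherwise accept
    # unsolicited WAN traffic that the nat rule passed through untranslated.
    run -q nat 1 config if "$wan_if" log deny_in same_ports reset
    run -q add 20100 allow ip from any to any via "$lan_if"
    run -q add 20700 nat 1 ip from "$inside_net" to any via "$wan_if" out
    run -q add 20710 nat 1 ip from any to any via "$wan_if" in
    # Do not depend on one_pass=1 ending the search here: the thread reports
    # the packet continuing to the next rule on 8.1, so that rule must be the
    # allow for the NAT interface rather than the final deny.
    run -q add 20800 allow ip from any to any via "$wan_if"
    run -q add 29900 deny ip from any to any
}

# Check a ruleset (dry-run output or `ipfw list`) read from stdin: every nat
# rule bound with "via IF" must be followed, before a catch-all deny, by an
# allow rule for the same interface.  Exit status 0 if so, 1 otherwise.
nat_has_allow_after() {
    awk '
        function flag(n) {
            print "nat rule " pending[n] " on " n " is not followed by an allow via " n
            bad = 1
        }
        BEGIN { bad = 0 }
        { sub(/^ipfw (-q )?add /, "") }           # accept dry-run command lines too
        {
            iface = ""
            for (i = 1; i <= NF; i++) if ($i == "via") iface = $(i + 1)
        }
        $2 == "nat"   && iface != "" { pending[iface] = $1 }
        $2 == "allow" && iface != "" { delete pending[iface] }
        $2 == "deny"  && iface == "" { for (n in pending) flag(n); split("", pending) }
        END { for (n in pending) flag(n); exit bad }
    '
}

# Entry point: IPFW_DRY_RUN=1 IPFW_APPLY=1 sh natrules.sh prints the ruleset;
# IPFW_APPLY=1 alone loads it on a FreeBSD host.
if [ "${IPFW_APPLY:-0}" = 1 ]; then
    build_nat_rules
fi
```

To audit a live box instead of the script, pipe the listing in: `ipfw list | nat_has_allow_after`. The check is deliberately narrow: it only confirms that a nat rule cannot fall straight into a catch-all deny, which is the failure seen in the first post; it says nothing about whether the allow that follows is tighter than it should be.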


----------



## romeor (Sep 16, 2010)

ipfw kernel nat sucks in FreeBSD: if you make more than 19 port forwards, you will receive an error in the log about full buf mem, and to solve this you have to hack the ipfw source and recompile ipfw itself and the kernel once more. I find this problematic if you use some kind of AMD K6 650 MHz, 64 KB cache and 160 MB RAM for routing. I had to give up using it until this "feature" is fixed.


----------



## terminus (Sep 18, 2010)

There is a PR about this problem:
http://www.freebsd.org/cgi/query-pr.cgi?pr=143653

Unfortunately nobody in ipfw@ cares.


----------

