nat and dynamic external address
Ian Smith
smithi at nimnet.asn.au
Sun Aug 8 05:31:00 UTC 2010
On Thu, 5 Aug 2010, Michael wrote:
> Am I right thinking that "if interface" and "reset" parameters should be
> enough to handle changing address (DHCP) on external interface?
In theory.
> My rules:
>
> ipfw -q nat 1 config reset if $if_ext log same_ports
> ipfw -q add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
> ipfw -q add nat 1 udp from $dns to me in recv $if_ext
>
> They work fine only when $if_ext gets its IP address during system boot-up.
> If DHCP server is unavailable at the time of rules loading then ipfw says:
>
> ipfw: cannot get interface name
>
> (The same happens without "SYNDHCP" option for ipfw in rc.conf)
> It loads all rules anyway. Now after DHCP becomes available and $ext_if gets
> its IP address it turns out that NAT is still not working. I have to
> manually reload the same ruleset.
>
> Any ideas how to solve that problem?
Michael, you're only releasing snippets of information at a time. This
came from a discussion in freebsd-jail, and it was my advice to post to
-ipfw rather than -jail if it became more complicated:
http://lists.freebsd.org/pipermail/freebsd-jail/2010-August/001348.html
Only in your later message to -jail and your post to -questions quoted
below here did you reveal that this involved a wlan interface, and your
issue with your access point / DHCP server being offline when you boot
(which perhaps suggests a "then don't do it that way" solution?)
======= from freebsd-questions digest =======
Date: Wed, 04 Aug 2010 20:25:42 +0100
From: Michael <mlmichael70 at gmail.com>
Subject: ipfw and changing IP address (dhcp)
To: freebsd-questions at freebsd.org
Message-ID: <4C59BEB6.8050101 at gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Hello,
I'm using ipfw on my laptop running 8.1R amd64. IP address of its
external interface (wlan0) is assigned by DHCP server on home broadband
access point.
Everything works fine when access point is up and running but if I boot
my FreeBSD laptop when access point (DHCP server) is down then obviously
my laptop gets no IP. ipfw complains that it "cannot get interface name"
and loads firewall rules anyway.
Now after some time access point becomes available and freebsd gets IP
address automatically but I still have to manually reload the same ipfw
ruleset to get internet access.
I am using "me" in all of my firewall rules for example:
$cmd 20010 allow icmp from me to any out via $if_ext keep-state
Is there anything I have forgotten about? Or ipfw simply can't handle
such situations?
=======
I know only what I've read about setting up wlan interfaces (no wireless
here since FreeBSD 5.5 days) so I can't say whether or not you could
successfully configure it with an initial IP address before DHCP assigns
one as you can with a normal ethernet interface, which might address the
issue of wlan0 having no address while loading your ipfw ruleset?
So whether this really points to a bug in ipfw nat (re not resetting NAT
rules when interface address changes) or whether this is some issue with
wlan, or wlan config (possibly involving what we haven't yet seen, maybe
either dhclient and/or wpa_supplicant config) I won't dare to speculate.
I _can_ say that if you provide specific information (relevant rc.conf
settings, all wlan and dhclient config, ifconfig and netstat information
at the time the problem occurs) as well as purely verbal descriptions,
you'll have a better chance of someone spotting the problem, which while
not discounting the possibility of a bug, seems likely a config issue.
cheers, Ian
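The thread's practical outcome is that Michael has to reload the NAT configuration by hand once the lease finally arrives. The sketch below, added here as an example and not part of the original exchange, automates exactly that step from a dhclient-exit-hooks file: FreeBSD's dhclient-script sources /etc/dhclient-exit-hooks after each lease event and exposes $reason, $interface, $new_ip_address and $old_ip_address. The variable names IF_EXT, NAT_INSTANCE and IPFW_DRYRUN are assumptions of this example, as is the choice to re-run only the `ipfw nat 1 config reset if ...` line from the thread; if that alone does not pick up the new address on a given system, the same hook can instead run the full ruleset reload Michael did manually.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/dhclient-exit-hooks fragment that
# refreshes ipfw nat when the external interface's DHCP lease changes.
# dhclient-script supplies $reason, $interface, $new_ip_address, $old_ip_address.
# IF_EXT, NAT_INSTANCE and IPFW_DRYRUN are names assumed for this example.

IF_EXT="${IF_EXT:-wlan0}"           # external interface named in the thread
NAT_INSTANCE="${NAT_INSTANCE:-1}"   # nat instance number from the thread's rules
IPFW_DRYRUN="${IPFW_DRYRUN:-1}"     # 1 = print commands only; set to 0 in the real hook

# Return 0 when this lease event should trigger a NAT refresh: the event is for
# the external interface, a lease was (re)bound, and for renewals the address
# actually changed (a RENEW that keeps the same address is a no-op).
nat_refresh_needed() {
    _reason="$1"; _iface="$2"; _new="$3"; _old="$4"
    [ "$_iface" = "$IF_EXT" ] || return 1
    case "$_reason" in
        BOUND|REBOOT) [ -n "$_new" ] ;;
        RENEW|REBIND) [ -n "$_new" ] && [ "$_new" != "$_old" ] ;;
        *) return 1 ;;
    esac
}

# The command(s) that rebuild the nat instance. This is the thread's own config
# line; re-running it is the assumed equivalent of Michael's manual reload.
nat_refresh_cmds() {
    printf '%s\n' "ipfw -q nat $NAT_INSTANCE config reset if $IF_EXT log same_ports"
}

# Execute a command, or just echo it when dry-run mode is on.
run_cmd() {
    if [ "$IPFW_DRYRUN" = 1 ]; then
        printf 'dry-run: %s\n' "$*"
    else
        "$@"
    fi
}

# Apply every refresh command and leave a trace in syslog when logger exists.
refresh_nat() {
    nat_refresh_cmds | while IFS= read -r _c; do
        run_cmd $_c
    done
    if command -v logger >/dev/null 2>&1; then
        logger -t dhclient-exit-hooks \
            "refreshed ipfw nat $NAT_INSTANCE on $IF_EXT (${reason:-manual}: ${old_ip_address:-none} -> ${new_ip_address:-none})"
    fi
    return 0
}

# Only act when actually invoked by dhclient-script (i.e. $reason is set).
if [ -n "${reason:-}" ]; then
    if nat_refresh_needed "$reason" "${interface:-}" "${new_ip_address:-}" "${old_ip_address:-}"; then
        refresh_nat
    fi
fi
```

Two points worth keeping in mind when adapting this: the hook runs as root for every lease event on every interface, so the interface check in nat_refresh_needed is what keeps an unrelated interface from flushing the NAT table; and a full `ipfw` ruleset reload from the hook briefly drops all dynamic (keep-state) entries, so the narrower nat-config refresh is preferable where it works.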