NAT64 return traffic vanishes after successful de-alias
John W. O'Brien
john at saltant.com
Sat Dec 14 22:35:45 UTC 2019
On 2019/12/14 17:15, Chris wrote:
> On Sat, 14 Dec 2019 14:54:26 -0500 John W. OBrien john at saltant.com said
>
>> Hello FreeBSD Networking,
>>
>> As the subject summarizes, I have a mostly-working NAT64 rig, but return
>> traffic is disappearing, and I haven't been able to figure out why. I
>> observe the post-translation (4-to-6) packets via ipfwlog0, but a simple
>> ipfw counter rule matches nothing.
>>
>> My attempt to develop a minimum reproducible example failed in the sense
>> that I did not reproduce the problem. Of course, this implies that one
>> of the many differences between the simplified test (EC2 instance, two
>> jails) and the problem rig (physical server, lagg, vlans, other things
>> going on) is the cause.
>>
>> What I am hoping this list can help me with is being smart about what I
>> try next. Otherwise, I would probably just try to brute force a solution
>> by thinking of ways to permute the config that would rule each possible
>> difference in or out.
>>
>> So far my main troubleshooting tools have been ipfw for its rule
>> counters and nat64lsn stats output, netstat to look at fibs, and tcpdump
>> pointed at real and diagnostic interfaces. What debugging tools and
>> techniques should I employ to do better than brute force?
>>
>> If it would help, I would gladly share the working, EC2/jail demo
>> configs on the list. Sharing the non-working configs I would prefer to
>> do privately or not at all.
>>
>> This is on 12.1-RELEASE.
>>
>> Thank you,
>
> pf(4) is pretty close to metal, and would probably be a good candidate for
> acquiring the type of statistics you're hoping to find; pfctl(8), pfctl -s,
> and pfctl -T are a few examples.
Hi Chris,
Thank you for the suggestion. I think I need a little help understanding
how I would put it into practice though. The nat64lsn module is part of
the ipfw firewall, and pf in FreeBSD hasn't yet picked up a NAT64
capability, so I cannot abandon ipfw in this case. Is the idea to run
ipfw and pf at the same time?
--
John W. O'Brien
OpenPGP keys:
0x33C4D64B895DBF3B
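The troubleshooting approach described in the original post (snapshot the ipfw rule counters, push a known amount of traffic through the translator, snapshot again, and see which rule stops incrementing) is something a small script can make systematic. The following is an added example, not code from the thread or from FreeBSD: it parses the counter columns that `ipfw -a list` / `ipfw show` print (rule number, packets, bytes, rule body), diffs two snapshots, and reports the first rule on the expected path whose packet counter did not move. The two snapshots, the rule numbers and the nat64lsn/count rule bodies are constructed for illustration and are assumptions about a ruleset, not the poster's configuration.

```python
import re
from typing import Dict, List, Optional, Tuple

# One counter line as printed by `ipfw -a list` (equivalently `ipfw show`):
# zero-padded rule number, packet count, byte count, then the rule text.
_RULE_RE = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

# Constructed sample: counters captured before sending four test packets
# through a hypothetical nat64lsn instance called NAT64.  Rule 300 is the
# diagnostic count rule that is expected to see the 4-to-6 return traffic.
BEFORE = """\
00100        120       9600 nat64lsn NAT64 ip6 from any to 64:ff9b::/96 in
00200        118       9440 nat64lsn NAT64 ip4 from any to 203.0.113.10 in
00300         40       3200 count ip6 from 64:ff9b::/96 to any
00400        905      72400 allow ip from any to any
65535          2        180 deny ip from any to any
"""

# Constructed sample: the same ruleset after the test traffic.  Both
# nat64lsn rules moved by four packets, the allow rule saw both legs,
# but the count rule at 300 did not increment at all.
AFTER = """\
00100        124       9920 nat64lsn NAT64 ip6 from any to 64:ff9b::/96 in
00200        122       9760 nat64lsn NAT64 ip4 from any to 203.0.113.10 in
00300         40       3200 count ip6 from 64:ff9b::/96 to any
00400        913      73040 allow ip from any to any
65535          2        180 deny ip from any to any
"""

Snapshot = Dict[int, Tuple[int, int, str]]


def parse_ipfw_show(text: str) -> Snapshot:
    """Map rule number -> (packets, bytes, rule body) from ipfw counter output."""
    rules: Snapshot = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue  # blank lines, '## Dynamic rules' headers, etc.
        num, pkts, byts, body = m.groups()
        rules[int(num)] = (int(pkts), int(byts), body)
    return rules


def diff_counters(before: Snapshot, after: Snapshot) -> Snapshot:
    """Return only the rules whose packet counter changed, with deltas."""
    deltas: Snapshot = {}
    for num, (p1, b1, body) in after.items():
        p0, b0, _ = before.get(num, (0, 0, body))
        if p1 != p0:
            deltas[num] = (p1 - p0, b1 - b0, body)
    return deltas


def first_silent_rule(before: Snapshot, after: Snapshot,
                      expected_path: List[int]) -> Optional[int]:
    """Walk the rule numbers a packet was expected to traverse, in order,
    and return the first whose counter did not move: that is where the
    packet stopped being seen.  None means every expected rule matched."""
    moved = diff_counters(before, after)
    for num in expected_path:
        if num not in moved:
            return num
    return None


if __name__ == "__main__":
    b, a = parse_ipfw_show(BEFORE), parse_ipfw_show(AFTER)
    for num, (dp, db, body) in sorted(diff_counters(b, a).items()):
        print(f"{num:5d} +{dp} pkts +{db} bytes  {body}")
    silent = first_silent_rule(b, a, [100, 200, 300, 400])
    print("first rule on the expected path that saw nothing:", silent)
```

In practice you would capture the two snapshots with `ipfw -a list > before.txt`, generate a fixed number of packets (for example a few pings to an address inside the NAT64 prefix), capture again, and feed both files to the script. If the nat64lsn rules increment but a count rule placed after them does not, the translated packet is not re-entering the ruleset where you expect; that is consistent with what the original post reports (packets visible on ipfwlog0, counter rule idle), and it narrows the question to whether the translated packet is re-injected into the firewall at all and, if so, whether your count rule's direction, interface and address qualifiers match it. The nat64 section of ipfw(8) documents the `net.inet.ip.fw.nat64.direct_output` sysctl, which governs how translated packets are sent on; it is worth comparing its value between the working EC2/jail demo and the problem rig.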