IPFW NAT64 changed 11.2 --> 11.3?

Andrey V. Elsukov bu7cher at yandex.ru
Wed Jun 26 09:50:23 UTC 2019


On 26.06.2019 11:05, Patrick M. Hausen wrote:
> Hi all,
> 
> we have a bit of a problem with some new servers that
> use NAT64 to access certain services that offer only
> legacy IP - like github.
> 
> As far as I found the respective NAT64 gateways (in jails
> with VNET) are configured identically except for the
> particular addresses, of course.
> 
> Yet, 11.2 works, 11.3-RC1 doesn’t.
> Any hints welcome.

Check the output of the following commands on both translators:

# sysctl net.inet.ip.fw | grep nat64
# ipfw nat64lsn all list
# ipfw nat64lsn NAT64 stats

# ipfw nat64lsn NAT64 config log
# ifconfig ipfwlog0 create
# tcpdump -nvi ipfwlog0

Check the counters of rules with the nat64lsn action. You probably use
netisr output (default mode) and have traffic loops, i.e. a packet is
captured by the NAT64 instance several times.
Your rules look like direct output is preferable for you (try to set
net.inet.ip.fw.nat64_direct_output=1).

-- 
WBR, Andrey V. Elsukov
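
The counter check suggested in the reply above can be scripted. This is an added example, not part of the original message: it compares two `ipfw -a list` snapshots taken around a known number of test packets and reports nat64lsn rules that counted more than were sent. The snapshots, rule numbers and prefixes are constructed, and the sketch assumes no other traffic matches those rules during the test.

```shell
#!/bin/sh
# Constructed sample: `ipfw -a list` snapshots (rule, packets, bytes, body)
# taken before and after sending 5 ICMPv6 echo requests through the
# translator. Rule numbers, prefixes and counters are made up.
BEFORE='00100 1000 80000 nat64lsn NAT64 ip from any to 192.0.2.0/24 in
00200 2000 160000 nat64lsn NAT64 ip from 2001:db8::/64 to 64:ff9b::/96 in
65535 9000 720000 allow ip from any to any'
AFTER='00100 1005 80400 nat64lsn NAT64 ip from any to 192.0.2.0/24 in
00200 2020 161600 nat64lsn NAT64 ip from 2001:db8::/64 to 64:ff9b::/96 in
65535 9030 722400 allow ip from any to any'

# nat64_deltas BEFORE AFTER
# Prints "rule packet_delta" for every rule whose action is nat64lsn.
nat64_deltas() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---"      { second = 1; next }    # separator between snapshots
        $4 != "nat64lsn" { next }                # only rules with nat64lsn action
        !second          { before[$1] = $2; next }
        ($1 in before)   { print $1, $2 - before[$1] }'
}

# flag_loops BEFORE AFTER SENT
# Prints the nat64lsn rules that counted more packets than were sent,
# which is what a packet captured by the instance several times looks like.
flag_loops() {
    nat64_deltas "$1" "$2" | awk -v sent="$3" '
        $2 > sent { printf "%s counted %d packets for %d sent\n", $1, $2, sent }'
}

flag_loops "$BEFORE" "$AFTER" 5
```

On a live translator the two snapshots would come from running `ipfw -a list` before and after the test traffic.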
