Bug 215256 - FreeBSD 11.0 Problem with natd
Summary: FreeBSD 11.0 Problem with natd
Status: Closed DUPLICATE of bug 209491
Alias: None
Product: Base System
Classification: Unclassified
Component: misc (show other bugs)
Version: 11.0-RELEASE
Hardware: amd64 Any
: --- Affects Only Me
Assignee: freebsd-net mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-12 20:40 UTC by Don Randolph
Modified: 2017-04-13 03:12 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Don Randolph 2016-12-12 20:40:04 UTC
I'm not really sure where this bug fits as it is a problem with natd/carp.

I have 2 router systems that I just upgraded from 10.3 to 11.0.  Both just basic installs running natd and carp.

When I have the 2 systems up and running one is master and the other is in backup status.  The natd on the backup system is still somehow impacting traffic.  If I go into the backup system and do a /etc/rc.d/natd stop... traffic starts to flow thru the master system again.

All of my other systems point to the carp vip 192.168.32.1 as their default gateway.  The natd is configured on the carp vip of 10.140.241.5.

Here is my configs.  If there is anything else that you need to help troubleshoot this... please let me know.

Thanks

Don

Master rc.conf:

ifconfig_em1="inet 192.168.32.111 netmask 255.255.248.0"
ifconfig_em1_alias0="inet vhid 111 pass ch@ng3m3 alias 192.168.32.1/21"
ifconfig_em2="inet 10.140.241.3 netmask 255.255.255.240"
ifconfig_em2_alias0="inet vhid 120 pass ch@ng3m3 alias 10.140.241.5/28"

defaultrouter="10.140.241.2"

gateway_enable="YES"
firewall_enable="YES"
firewall_logging="YES"
firewall_type="open"
firewall_script="/etc/ipfw.rules"

natd_enable="YES"
natd_interface="10.140.241.5"
natd_flags="-f /etc/natd.conf"

Master natd.conf:

port 8668
alias_address 10.140.241.5

log_denied yes
deny_incoming no
use_sockets yes
same_ports no
log_ipfw_denied yes

Backup rc.conf:

ifconfig_em1="inet 192.168.32.112 netmask 255.255.248.0"
ifconfig_em1_alias0="inet vhid 111 advskew 50 pass ch@ng3m3 alias 192.168.32.1/21"
ifconfig_em2="inet 10.140.241.4 netmask 255.255.255.240"
ifconfig_em2_alias0="inet vhid 120 advskew 50 pass ch@ng3m3 alias 10.140.241.5/28"

defaultrouter="10.140.241.2"

gateway_enable="YES"
firewall_enable="YES"
firewall_logging="YES"
firewall_type="open"
firewall_script="/etc/ipfw.rules"

natd_enable="YES"
natd_interface="10.140.241.5"
natd_flags="-f /etc/natd.conf"

Backup natd.conf:

port 8668
alias_address 10.140.241.5

log_denied yes
deny_incoming no
use_sockets yes
same_ports no
log_ipfw_denied yes
Comment 1 Don Randolph 2016-12-13 00:19:40 UTC
Looking at top... the natd process on both servers spike to around 100% when both servers are running natd.  natd drops to around 1% when you stop the service on the other server.

Thanks
Comment 2 Don Randolph 2017-04-12 16:27:29 UTC
Has anyone looked into this yet... it is still a problem on 11.0-RELEASE-p9.
Comment 3 Eugene Grosbein freebsd_committer 2017-04-12 18:46:14 UTC
(In reply to Don Randolph from comment #2)

Your problem may be related to this one: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209491

Please try workaround mentioned there - add following rule to your ipfw ruleset:

${fwcmd} add 51 deny ip from any to any out recv ${natd_interface} xmit ${natd_interface} diverted
Comment 4 Don Randolph 2017-04-12 21:09:07 UTC
That looks like it has done the trick... thank you so much.  Is this going to be the permanent fix or just a temporary work around?
Comment 5 Eugene Grosbein freebsd_committer 2017-04-13 03:10:54 UTC
(In reply to Don Randolph from comment #4)

That's temporary workaround until Someone(TM) fix the breakage.
Comment 6 Eugene Grosbein freebsd_committer 2017-04-13 03:12:56 UTC
Carp seems unrelated to the problem but a pair of natd instances in the same broadcast domain are.

*** This bug has been marked as a duplicate of bug 209491 ***