Hello, I am running VPN gateways based on openvpn / FreeBSD / ipnat. This setup worked flawlessly for years until I upgraded from FreeBSD 9 to FreeBSD 11.2 or 12.0. Without changing anything in the software setup, some connections are getting dropped, the nat drop count is steadily increasing over time (a few hours from reboot) and most people are complaining about speed issues .... Not good. Hardware is the same, the only thing changed is the OS version. Kernel is stock kernel with the #define LARGE_NAT in the ip_nat.h. After spending a week trying to chase ghosts, I'm quite puzzled.
@Mike If you could include the full network configuration of the system (as attachments), that would be appreciated. Please sanitize where necessary (openvpn authentication details, IPs, etc). This should include: Is the issue reproducible with a stock (GENERIC) kernel without the LARGE_NAT define? If you haven't tested that, please do.
Created attachment 203582: ipfstat dump
Created attachment 203583: ipnat -s dump
Attached ipnat -s and ipfstat dumps. I will try with a genuine kernel without any modifications and let you know if that improves things. What puzzles me is that the environment has not changed a bit. Same openvpn scripts, same nat rules, same hardware and IP addresses .... Thank you :-)
Please try: /sbin/ipf -T nat_maxbucket=2047
This solved it for me (I do have a bunch of ipfilter patches in my 11.2 kernel from Cy Schubert).
Tried your nat_maxbucket increase. It did not help. Thanks anyway :-)
Created attachment 203593: ipfstat with stock kernel
Created attachment 203594: ipnat -s with stock kernel
Not really better :-)
Well, in a desperate move, I have upgraded to 12.0 and the problem magically disappeared ...
That makes sense, Cy did not back-port all ipfilter patches into 11.2-RELEASE (not sure about 11-STABLE).
Can we identify a set of bugs (PRs) and/or commits that can/should be merged?
11.2-RELEASE does not have nor will it have the ipnat patches applied. You must wait for 11.3-RELEASE, which IIRC should be GA over summer sometime. You can svnup your sources to 11-STABLE, which has the fix, or install the patch directly to your 11.2-RELEASE instead. All ipfilter patches have been MFCed to 11-STABLE and 12-STABLE. Some have been MFCed to 10-STABLE; however, since -CURRENT has diverged too much from 10-STABLE, I am no longer MFCing to it any more. Wait for 11.3-RELEASE.
(In reply to Cy Schubert from comment #12) I understood the request as being for any changes not yet merged (if any were identified), to be merged to stable/11, not releng/11.2 (where only major 'errata/security' bugs are merged). From your comment, it seems that the fix to this issue has already been resolved and merged to both (11, 12) stable branches, with fixes to be included in 11.3-RELEASE. Does any other PR exist that references the relevant ipnat commits, so this bug can be set to depend on them? With @triage hat:
- Set resolution FIXED: with resolution: update to stable/11 or stable/12
- Assign to committer that resolved (thank you Cy!)
- Set mfc-* flags to track that resolution was merged to both (11, 12) stable branches
This was merged to stable/12 and stable/11 by r338047 (I merge to stable/11 and stable/12 in the same commit). PR/208566 originally documented this bug and is resolved. This PR is now dependent on that one.