Привет Всем
Есть # uname -a
FreeBSD nas1 7.1-RELEASE-p3 amd64
На нём стоит pf-nat для НАТа и ipfw для ограничения скорости, mpd5.2. Всё было хорошо, но сейчас пользователи не могут поиграть по сети, так как по какой-то причине соединение не устанавливается. Если поставить его как шлюз, то так же не работает тот же КС онлайн. Так что проблема в pf nat.
На клиентском соединении (клиент - впн сервер):
nas1# tcpdump -n -ing72 host cs4.hotpoint.org.ua
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng72, link-type NULL (BSD loopback), capture size 96 bytes
17:56:32.823661 IP 10.200.254.21.27005 > 213.169.71.173.27015: UDP, length 23
17:56:38.825972 IP 10.200.254.21.27005 > 213.169.71.173.27015: UDP, length 23
17:56:44.855313 IP 10.200.254.21.27005 > 213.169.71.173.27015: UDP, length 23
17:56:50.897638 IP 10.200.254.21.27005 > 213.169.71.173.27015: UDP, length 23
^C
4 packets captured
485 packets received by filter
0 packets dropped by kernel
Трафик на сервер идёт.
nas1# tcpdump -n -ivlan20 host cs4.hotpoint.org.ua
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan20, link-type EN10MB (Ethernet), capture size 96 bytes
21:16:25.660462 IP 91.203.143.ХХХ.62180 > 213.169.71.173.27015: UDP, length 23
21:16:25.682948 IP 213.169.71.173.27015 > 91.203.143.ХХХ.62180: UDP, length 27
21:16:31.657390 IP 91.203.143.ХХХ.62180 > 213.169.71.173.27015: UDP, length 23
21:16:31.680387 IP 213.169.71.173.27015 > 91.203.143.ХХХ.62180: UDP, length 27
21:16:37.656497 IP 91.203.143.ХХХ.62180 > 213.169.71.173.27015: UDP, length 23
21:16:37.673141 IP 213.169.71.173.27015 > 91.203.143.ХХХ.62180: UDP, length 27
21:16:43.666777 IP 91.203.143.ХХХ.62180 > 213.169.71.173.27015: UDP, length 23
21:16:43.686519 IP 213.169.71.173.27015 > 91.203.143.ХХХ.62180: UDP, length 27
^C
8 packets captured
331051 packets received by filter
0 packets dropped by kernel
nas1# cat pf.conf|grep -v #
# pf.conf as posted; comment lines were already stripped by `grep -v #`.
# Interface macros. Only $ext_if is referenced by a rule in this listing.
ext_if="vlan20"
ext_if2="em0"
int_if="vr0"
# Tables. Only <inat> is referenced by a rule in this listing; <local> and
# <ext_ip> are defined but unused here.
table <local> { !192.168.0.0/16, !172.16.0.0/12, !10.0.0.0/8 }
# Hosts that get source-NATed. The file lists one address, while the client
# in the ng72 capture is 10.200.254.21 -- presumably entries are added at
# runtime; confirm the live contents with `pfctl -t inat -T show`.
table <inat> { 10.200.24.6 }
table <ext_ip> { 172.19.19.2,192.168.1.2 }
# Normalize inbound packets only (fragment reassembly etc.); outbound is
# left untouched.
scrub in
# Loopback traffic bypasses pf entirely.
set skip on lo0
# Translate <inat> sources leaving via vlan20 to the interface address
# (":0" excludes alias addresses). Replies are de-translated from pf's state
# table: the vlan20 capture shows 213.169.71.173 answering, yet the ng72
# capture shows no reply reaching the client, so check `pfctl -s state` for
# the UDP entry while the client is retrying (note the two captures were
# taken hours apart and show different source ports, so they may not be the
# same session).
nat on $ext_if from <inat> -> {$ext_if:0}
# pf passes everything; all blocking and shaping is delegated to ipfw.
pass all
nas1# ipfw show
00001 1 73 deny ip from not 10.0.0.0/8 to me dst-port 3306,1812,1813
00002 60745 3118328 deny ip from not 10.0.0.0/8 to me dst-port 1723
00003 0 0 deny ip from not 10.0.0.0/8 to me dst-port 5005
00004 86 4284 deny ip from any to 192.168.0.0/18
00005 28 1492 deny ip from any to 192.168.0.0/16
00006 280034 25068985 deny ip from any to any dst-port 137-141
00007 121216 8800085 allow icmp from any to any
00011 0 0 pipe 11 ip from not 10.0.0.0/8 to table(11) in
00011 0 0 pipe 11 ip from table(11) to not 10.0.0.0/8 out
00012 0 0 pipe 12 ip from not 10.0.0.0/8 to table(12) in
00012 0 0 pipe 12 ip from table(12) to not 10.0.0.0/8 out
00013 0 0 pipe 13 ip from not 10.0.0.0/8 to table(13) in
00013 0 0 pipe 13 ip from table(13) to not 10.0.0.0/8 out
00014 0 0 pipe 14 ip from not 10.0.0.0/8 to table(14) in
00014 0 0 pipe 14 ip from table(14) to not 10.0.0.0/8 out
00015 539496 671724574 pipe 15 ip from not 10.0.0.0/8 to table(15) in
00015 368345 53393119 pipe 15 ip from table(15) to not 10.0.0.0/8 out
00016 9996659 10163340739 pipe 16 ip from not 10.0.0.0/8 to table(16) in
00016 8759833 3224872714 pipe 16 ip from table(16) to not 10.0.0.0/8 out
00017 0 0 pipe 17 ip from not 10.0.0.0/8 to table(17) in
00017 0 0 pipe 17 ip from table(17) to not 10.0.0.0/8 out
00018 1032708 1063799760 pipe 18 ip from not 10.0.0.0/8 to table(18) in
00018 923562 400876557 pipe 18 ip from table(18) to not 10.0.0.0/8 out
00019 0 0 pipe 19 ip from not 10.0.0.0/8 to table(19) in
00019 0 0 pipe 19 ip from table(19) to not 10.0.0.0/8 out
00020 2344 2938589 pipe 20 ip from not 10.0.0.0/8 to table(20) in
00020 1517 156136 pipe 20 ip from table(20) to not 10.0.0.0/8 out
00021 302928 397126297 pipe 21 ip from not 10.0.0.0/8 to table(21) in
00021 196115 12773305 pipe 21 ip from table(21) to not 10.0.0.0/8 out
00022 0 0 pipe 22 ip from not 10.0.0.0/8 to table(22) in
00022 0 0 pipe 22 ip from table(22) to not 10.0.0.0/8 out
00023 0 0 pipe 23 ip from not 10.0.0.0/8 to table(23) in
00023 0 0 pipe 23 ip from table(23) to not 10.0.0.0/8 out
00024 42200989 37883506219 pipe 24 ip from not 10.0.0.0/8 to table(24) in
00024 40257628 19176112715 pipe 24 ip from table(24) to not 10.0.0.0/8 out
00025 6148449 6720238513 pipe 25 ip from not 10.0.0.0/8 to table(25) in
00025 4912818 2047435767 pipe 25 ip from table(25) to not 10.0.0.0/8 out
65535 240774772 167792033666 allow ip from any to any
Походу какие-то проблемы с UDP через нат...
nas1# cat /boot/loader.conf
# /boot/loader.conf as posted.
# Boot menu delay in seconds.
autoboot_delay="1"
# Kernel memory arena size.
vm.kmem_size=1G
# SYN cache sizing (tracking of half-open TCP connections; relevant under
# SYN floods).
net.inet.tcp.syncache.hashsize=1024
net.inet.tcp.syncache.bucketlimit=100
net.inet.tcp.tcbhashsize=4096
# dmesg -a
Copyright (c) 1992-2009 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.1-RELEASE-p3 #9: Sun Feb 22 22:08:47 EET 2009
root@nas1:/usr/obj/usr/src/sys/NAS
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 5400+ (2785.83-MHz K8-class CPU)
Origin = "AuthenticAMD" Id = 0x60fb2 Stepping = 2
Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
Features2=0x2001<SSE3,CX16>
AMD Features=0xea500800<SYSCALL,NX,MMX+,FFXSR,RDTSCP,LM,3DNow!+,3DNow!>
AMD Features2=0x11f<LAHF,CMP,SVM,ExtAPIC,CR8,Prefetch>
Cores per package: 2
usable memory = 2134016000 (2035 MB)
avail memory = 2057895936 (1962 MB)
nas1# cat /etc/sysctl.conf | grep -v #
# /etc/sysctl.conf as posted (comment lines stripped by `grep -v #`).
# Hide processes/credentials of other users from unprivileged users.
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
# Silently drop segments/datagrams to closed ports on this host (no RST /
# ICMP unreachable). This applies to local sockets only, not to NATed or
# forwarded traffic, so it should not affect the UDP problem described above.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# Ignore (and log) ICMP redirects received by this host.
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
# Default TCP socket buffer sizes (64 KiB).
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
# ARP entry lifetime in seconds.
net.link.ether.inet.max_age=1200
# Neither originate nor accept source-routed packets.
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Do not answer broadcast echo or address-mask requests.
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
# ICMP (and TCP RST) rate limit per second, raised well above the default.
net.inet.icmp.icmplim=10000
# Maximum segment lifetime in ms (shortens TIME_WAIT).
net.inet.tcp.msl=7500
# Listen backlog ceiling.
kern.ipc.somaxconn=32768
# Default IP TTL for packets originated by this host.
net.inet.ip.ttl=128
# NOTE(review): the next four lines repeat settings already made above
# (see_other_uids/gids, ip.ttl, bmcastecho) with identical values; drop the
# duplicates so the two copies cannot drift apart.
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
net.inet.ip.ttl=128
net.inet.icmp.bmcastecho=0
# File descriptor, socket and mbuf cluster limits.
kern.maxfiles=128000
kern.maxfilesperproc=65000
kern.ipc.maxsockets=204800
kern.ipc.nmbclusters=65536
# Ephemeral port range for this host's own sockets. randomized=0 allocates
# ports sequentially, which makes source ports easy to predict (weaker than
# the default randomization); keep it only if there is a documented reason.
net.inet.ip.portrange.first=1024
net.inet.ip.portrange.last=65534
net.inet.ip.portrange.randomized=0
# Fast path for forwarded IPv4 packets.
net.inet.ip.fastforwarding=1
# IPv6 forwarding is enabled although the pf.conf and ipfw listings above
# show no IPv6-specific rules; confirm the v6 path is filtered as intended.
net.inet6.ip6.forwarding=1
# This router will emit ICMP redirects to hosts it forwards for.
net.inet.ip.redirect=1