Re: NAT works but port redirection does not work on IPNAT and PF

From: Nickolay A. Kritsky (nkritsky_at_star-sw.com)
Date: 12/15/04

  • Next message: Ryan Sommers: "OpenNMS and RELENG_5_3"
    Date: Wed, 15 Dec 2004 21:18:07 +0300
    To: "Zeno Lee" <zeno_lee@hotmail.com>
    
    

    Hello Zeno,

    Check your default gateway on 192.168.1.54.

    It seems to be 192.168.1.1 instead of 192.168.168.55:
    12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54

    Wednesday, December 15, 2004, 9:10:21 PM, Zeno Lee wrote:

    ZL> It seems I somehow didn't set up my freebsd gateway properly. I am
    ZL> trying to use my FreeBSD server as a NAT with port redirection. NAT works
    ZL> fine, but when I use port redirection to redirect requests from my external
    ZL> interface em0 160.79.174.98:80 the request makes it to my internal web
    ZL> server 192.168.1.54 but the response is not being returned back out to the
    ZL> requester. I've tried both PF and IPFILTER and they both have the same
    ZL> issue.

    ZL> Here is my setup:

    ZL> Internet ----- 24.215.185.142 (External web requester)
    ZL> |
    ZL> |
    ZL> em0 (160.79.174.98/29)
    ZL> FreeBSD 5.3 STABLE (PF, ALTQ compiled, gateway_enabled)
    ZL> em1 (192.168.1.55/24)
    ZL> |
    ZL> |
    ZL> LAN -- Web Server (192.168.1.54)
    ZL> |
    ZL> |---- NAT client (192.168.1.100) access internet
    ZL> fine

    ZL> I've done the dumps and

    ZL> # tcpdump -n -i em0 dst host 160.79.174.98 and tcp dst port 80
    ZL> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    ZL> listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    ZL> 12:51:57.118746 IP 24.215.185.142.1343 > 160.79.174.98.80: S
    ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
    ZL> 12:52:00.153017 IP 24.215.185.142.1343 > 160.79.174.98.80: S
    ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
    ZL> 12:52:06.167832 IP 24.215.185.142.1343 > 160.79.174.98.80: S
    ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>

    ZL> # tcpdump -n -i em1 host 192.168.1.54
    ZL> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    ZL> listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
    ZL> 12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S
    ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
    ZL> 12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
    ZL> 12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S
    ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
    ZL> 12:52:06.167855 IP 24.215.185.142.1343 > 192.168.1.54.80: S
    ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>

    ZL> I don't think my port forwarding setup in IPFILTER or PF is the cause, but
    ZL> I've listed it just in case

    ZL> /etc/pf.conf
    ZL> nat on em0 from em1:network to any -> (em0)
    ZL> rdr on em0 proto tcp from any to em0 port 80 -> 192.168.1.54 port 80

    ZL> My IPFILTER rule is just as simple
    ZL> /etc/ipnat.conf
    ZL> map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
    ZL> rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80

    ZL> # ipnat -l
    ZL> List of active MAP/Redirect filters:
    ZL> rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80 tcp
    ZL> map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto

    ZL> List of active sessions:
    ZL> RDR 192.168.1.54 80 <- -> 160.79.174.98 80 [24.215.185.142 1332]
    ZL> _______________________________________________
    ZL> freebsd-net@freebsd.org mailing list
    ZL> http://lists.freebsd.org/mailman/listinfo/freebsd-net
    ZL> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

    -- 
    Best regards,
    ;  Nickolay A. Kritsky
    ; SysAdmin STAR Software LLC
    ; mailto:nkritsky@star-sw.com
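The diagnosis above rests on one line of the inside-interface capture: the web server ARPs for 192.168.1.1 right after the forwarded SYN arrives, so its SYN-ACK is leaving through a gateway that is not the NAT box, and the client's SYN retransmits never get an answer. The following script is an added example, not code from the thread or from either poster: it parses `tcpdump -n` text for the outside and inside interfaces and classifies the failure (no SYN arriving, rdr not applied, server answering, or an asymmetric return path). The captures are constructed from the packets posted above (one packet per line, the "healthy" inside capture is made up to show the contrast), and the function names, verdict strings and the assumption that the NAT box's inside address is 192.168.1.55 are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample captures for an offline run. The two "failing" captures
# reproduce the packets posted in the thread, one packet per line as tcpdump
# prints them; the "healthy" inside capture is made up to show what a working
# redirect looks like on em1 (server ARPs for the NAT box, then sends SYN-ACK).
EM0_FAILING = """\
12:51:57.118746 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:52:00.153017 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:52:06.167832 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
"""
EM1_FAILING = """\
12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:52:06.167855 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
"""
EM1_HEALTHY = """\
12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:51:57.118967 arp who-has 192.168.1.55 tell 192.168.1.54
12:51:57.119201 IP 192.168.1.54.80 > 24.215.185.142.1343: S 1950812345:1950812345(0) ack 2887552007 win 65535 <mss 1460>
"""

# Old tcpdump (as on FreeBSD 5.3) prints "S ... ack N"; newer ones print "Flags [S.]".
IP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:Flags \[)?(?P<flags>[A-Z.]+)\]?"
)
ARP_RE = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>[\d.]+) tell (?P<asker>[\d.]+)")


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def parse_tcpdump(text):
    """Return (tcp packets, arp requests) parsed from `tcpdump -n` text output."""
    packets, arps = [], []
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            flags = m["flags"]
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                                  syn="S" in flags, ack="." in flags or " ack " in line))
            continue
        m = ARP_RE.match(line)
        if m:
            arps.append((m["ts"], m["asker"], m["target"]))
    return packets, arps


def diagnose_rdr(ext_capture, int_capture, ext_ip, int_ip, server_ip, port):
    """Classify why an rdr of ext_ip:port -> server_ip:port is not completing.
    ext_ip is the NAT box's public address, int_ip its inside address."""
    ext_pkts, _ = parse_tcpdump(ext_capture)
    int_pkts, arps = parse_tcpdump(int_capture)
    syn_in = [p for p in ext_pkts if p.dst == ext_ip and p.dport == port and p.syn and not p.ack]
    syn_fwd = [p for p in int_pkts if p.dst == server_ip and p.dport == port and p.syn and not p.ack]
    synack = [p for p in int_pkts if p.src == server_ip and p.sport == port and p.syn and p.ack]
    # A host ARPs for its next hop. If the server asks for anything other than the
    # NAT box's inside address, its replies are leaving through a different gateway
    # and the NAT state on the box never sees them.
    foreign_gw = sorted({t for _, asker, t in arps if asker == server_ip and t != int_ip})
    # The client re-sends the same SYN when it gets no SYN-ACK; count the repeats.
    retransmits = len(syn_in) - len({(p.src, p.sport) for p in syn_in})

    if not syn_in:
        verdict = "no-inbound-syn"          # nothing reaches the outside interface
    elif not syn_fwd:
        verdict = "rdr-not-applied"         # rule not loaded or not matching
    elif synack:
        verdict = "server-replied"          # inside leg fine; look at the outbound translation
    elif foreign_gw:
        verdict = "asymmetric-return-path"  # server's default route is not the NAT box
    else:
        # No ARP seen: the server's ARP cache may already be warm, so also check
        # `netstat -rn` on the server, or capture for longer.
        verdict = "server-silent"
    return {"verdict": verdict, "syn_seen_external": len(syn_in), "syn_forwarded": len(syn_fwd),
            "synack_from_server": len(synack), "client_retransmits": retransmits,
            "foreign_gateways": foreign_gw}


if __name__ == "__main__":
    for name, cap in (("failing", EM1_FAILING), ("healthy", EM1_HEALTHY)):
        print(name, diagnose_rdr(EM0_FAILING, cap, "160.79.174.98", "192.168.1.55", "192.168.1.54", 80))
```

Run against the posted captures it reports `asymmetric-return-path` with `192.168.1.1` as the foreign gateway and two client retransmits; the pf and ipnat rules themselves are not at fault. The fix is on the web server, not on the firewall: point its default route (or at least a route for the Internet-facing traffic) at the NAT box's inside address so the SYN-ACK comes back through the same state that translated the SYN.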
    

