RE: Help with NAT



Steve,
Unfortunately the development and production servers are Windows
running IIS. However, I have tried the following two experiments:
1.) Using IIS's logs I am able to see all hits to the development and production
servers. When I visit the development server through the FreeBSD NAT box I
see an entry in the IIS log. However, on the production server there is no
entry.
2.) Using IPFW on the NAT box I logged all traffic in and out of both
interfaces. The following is what gets recorded for a successful hit to the
development server:
xl1 is the external interface, xl0 is the internal interface,
xxx.xxx.xxx.142 is the computer I was browsing from.
-------------------------------------
ipfw: 200 Divert 8668 TCP xxx.xxx.xxx.142:1345 xxx.xxx.xxx.141:6502 in via xl1
ipfw: 401 Accept TCP xxx.xxx.xxx.142:1345 192.168.0.100:80 in via xl1
ipfw: 401 Accept TCP xxx.xxx.xxx.142:1345 192.168.0.100:80 out via xl0
ipfw: 301 Accept TCP 192.168.0.100:80 xxx.xxx.xxx.142:1345 in via xl0
ipfw: 200 Divert 8668 TCP 192.168.0.100:80 xxx.xxx.xxx.142:1345 out via xl1
ipfw: 502 Accept TCP xxx.xxx.xxx.141:6502 xxx.xxx.xxx.142:1345 out via xl1
-------------------------------------
And this is what I see when I try the production server:
-------------------------------------
ipfw: 200 Divert 8668 TCP xxx.xxx.xxx.142:1350 xxx.xxx.xxx.141:6503 in via xl1
ipfw: 402 Accept TCP xxx.xxx.xxx.142:1350 192.168.0.241:80 in via xl1
ipfw: 402 Accept TCP xxx.xxx.xxx.142:1350 192.168.0.241:80 out via xl0
-------------------------------------

At first I thought it might be the production server but I tried another
experiment where I pointed NAT to an IP that is currently working fine
through another NAT box and that didn't work either, so I'm not sure what
the problem is.

-Scott
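The two ipfw captures above differ in one way: for the dev server the NAT box forwards the SYN out xl0 and sees a reply come back in via xl0, while for the production server the SYN goes out xl0 and nothing returns. The following is an added example (not from the thread) that parses ipfw log lines in that format and flags client flows that were forwarded to the inside interface but never got a reply; interface names and the sample log lines are constructed, with documentation addresses standing in for the masked xxx.xxx.xxx.* values.

```python
import re
from collections import defaultdict

# ipfw log format: "ipfw: <rule> <action> [divert-port] <proto> <src>:<sport> <dst>:<dport> in|out via <iface>"
LOG_RE = re.compile(
    r"^ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)(?:\s+\d+)?\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)$"
)

def parse_line(line):
    """Fields of one ipfw log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def one_way_flows(lines, inside_if="xl0"):
    """Flows forwarded out the inside interface that never produced a reply back in.
    Key is the external client "ip:port"; value records the internal server the
    request was sent to and how many packets went each way."""
    flows = defaultdict(lambda: {"server": None, "to_server": 0, "replies": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["iface"] != inside_if:
            continue                       # only the NAT box's inside leg matters
        if rec["dir"] == "out":            # translated request heading to the server
            key = f"{rec['src']}:{rec['sport']}"
            flows[key]["to_server"] += 1
            flows[key]["server"] = rec["dst"]
        else:                              # reply coming back from the server
            flows[f"{rec['dst']}:{rec['dport']}"]["replies"] += 1
    return {k: v for k, v in flows.items() if v["to_server"] and not v["replies"]}

# Constructed sample mirroring the thread's two captures (203.0.113.x is a
# documentation range standing in for the masked public addresses).
SAMPLE_LOG = """\
ipfw: 200 Divert 8668 TCP 203.0.113.142:1345 203.0.113.141:6502 in via xl1
ipfw: 401 Accept TCP 203.0.113.142:1345 192.168.0.100:80 in via xl1
ipfw: 401 Accept TCP 203.0.113.142:1345 192.168.0.100:80 out via xl0
ipfw: 301 Accept TCP 192.168.0.100:80 203.0.113.142:1345 in via xl0
ipfw: 200 Divert 8668 TCP 192.168.0.100:80 203.0.113.142:1345 out via xl1
ipfw: 502 Accept TCP 203.0.113.141:6502 203.0.113.142:1345 out via xl1
ipfw: 200 Divert 8668 TCP 203.0.113.142:1350 203.0.113.141:6503 in via xl1
ipfw: 402 Accept TCP 203.0.113.142:1350 192.168.0.241:80 in via xl1
ipfw: 402 Accept TCP 203.0.113.142:1350 192.168.0.241:80 out via xl0
""".splitlines()

if __name__ == "__main__":
    for client, info in one_way_flows(SAMPLE_LOG).items():
        print(f"{client} -> {info['server']}: {info['to_server']} forwarded, no reply")
```

A flow listed here means the NAT box did its job and the silence is on the inside leg, which is where a capture on the internal server (as Steve suggests) or its host firewall and default route should be checked next.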


-----Original Message-----
From: owner-freebsd-questions@xxxxxxxxxxx
[mailto:owner-freebsd-questions@xxxxxxxxxxx] On Behalf Of Steve Bertrand
Sent: Friday, September 18, 2009 5:18 PM
To: SElgram@xxxxxxxxxxxxxx
Cc: freebsd-questions@xxxxxxxxxxx
Subject: Re: Help with NAT

Scott Elgram wrote:
Hello,

I am at my wits' end with this one. I have set up a box to use as a
firewall/nat. However, during the setup I pointed set net to do a port
redirect of port 6502 to port 80 of my development web server. Everything
worked fine so I deployed my new box onto a live IP and tested it again with
the same redirect to my dev server. Still, everything works fine so I
changed /etc/natd.conf to point to my production web server and it won't
work. I have tried everything that I can think of to narrow down this issue
but I just can't figure it out. I pointed everything back to my dev server
and it's still working. I changed the dev server's IP and changed nat to
point to the new IP and it still works. It would seem that nat will work
only with my dev server and no other computer.



Can anyone offer any suggestions? I'm sure I'm missing something basic.

On the production server, after you've got things pointed to it:

# tcpdump -n -i em0 port 80

...where em0 is the interface.

Send a request through from the outside, and verify that you can see the
HTTP request come in to the production box, and go back out again. It
should look like the following. Note that these are v6 addrs not v4, but
the result is the same. In the first packet, 5 -> b6 is request in, and
b6 -> 5 is response back. You 'should' see the same result, but with
your v4 addresses instead.

pearl# tcpdump -n -i em0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 96 bytes
20:09:52.912361 IP6 2607:f118::5.1752 > 2607:f118::b6.80: S 3408461679:3408461679(0) win 16384 <mss 1440>
20:09:52.912425 IP6 2607:f118::b6.80 > 2607:f118::5.1752: S 1781312333:1781312333(0) ack 3408461680 win 65535 <mss 1440>

...whether you see the packets come in or not, post back with your findings.

Do you perhaps have to 'restart' natd in order to release any sort of
caching?

STeve

