Date:      Fri, 4 Jan 2002 15:37:14 -0500
From:      Joseph Bogner <bognerj@mindspring.com>
To:        freebsd-questions@freebsd.org
Subject:   IPFW/NATD redirect_port problem
Message-ID:  <20020104203714.GA28669@mindspring.com>

Hello, I have a problem with natd and ipfw. I am trying to redirect
traffic from my FreeBSD gateway, 192.168.0.25, to my internal web
server, 192.168.0.1. The FreeBSD gateway is connected through PPPoE to
Earthlink on /dev/tun0.

Everything appears to be configured properly, because I can redirect
traffic to external IPs using natd through the following command:

natd -dynamic -redirect_port tcp 165.121.195.x:http http -interface tun0 -l

But when I attempt to redirect traffic to an internal IP, the connection
just hangs:

natd -dynamic -redirect_port tcp 192.168.0.1:http http -interface tun0 -l

My ipfw configuration is set up properly (as far as I can tell)
because the first natd command works flawlessly.

su-2.05# ipfw list
00100 divert 8668 ip from any to any via tun0
65535 allow ip from any to any

natd also appears to be aliasing the addresses correctly, because when
I run it in verbose mode, I get:

su-2.05# natd -dynamic -redirect_port tcp 192.168.0.1:http http -interface tun0 -l -v
natd[576]: Aliasing to 165.121.194.x, mtu 1492 bytes
In  [TCP]  [TCP] 165.121.195.x:1896 -> 165.121.194.x:80 aliased to
           [TCP] 165.121.195.x:1896 -> 192.168.0.1:80
In  [TCP]  [TCP] 165.121.195.x:1896 -> 165.121.194.x:80 aliased to
           [TCP] 165.121.195.x:1896 -> 192.168.0.1:80

But, as I said, the connection just hangs. From the client machine
(attempting to access 165.121.194.x:80) the tcpdump is as follows:

[root@dmzsilo ratm]# tcpdump port http
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
11:07:24.731111 ppp0 > user-2injgpx.dialup.mindspring.com.1891 > user-2injgkx.dsl.mindspring.com.http: S 1879014911:1879014911(0) win 5808 <mss 1452,sackOK,timestamp 26006972 0,nop,wscale 0> (DF)
11:07:24.841111 eth0 < user-2injgpx.dialup.mindspring.com.1891 > 192.168.0.1.http: S 1879014911:1879014911(0) win 5808 <mss 1412,sackOK,timestamp 26006972 0,nop,wscale 0> (DF)
11:07:27.731111 ppp0 > user-2injgpx.dialup.mindspring.com.1891 > user-2injgkx.dsl.mindspring.com.http: S 1879014911:1879014911(0) win 5808 <mss 1452,sackOK,timestamp 26007272 0,nop,wscale 0> (DF)
11:07:27.871111 eth0 < user-2injgpx.dialup.mindspring.com.1891 > 192.168.0.1.http: S 1879014911:1879014911(0) win 5808 <mss 1412,sackOK,timestamp 26007272 0,nop,wscale 0> (DF)

But when I redirect to an external IP address, the tcpdump is:

[root@dmzsilo ratm]# tcpdump port http
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
11:12:35.501111 ppp0 > user-2injgpx.dialup.mindspring.com.1895 > user-2injgkx.dsl.mindspring.com.http: S 2207676803:2207676803(0) win 5808 <mss 1452,sackOK,timestamp 26038049 0,nop,wscale 0> (DF)
11:12:35.801111 ppp0 < user-2injgkx.dsl.mindspring.com.1895 > user-2injgpx.dialup.mindspring.com.http: S 2207676803:2207676803(0) win 5808 <mss 1412,sackOK,timestamp 26038049 0,nop,wscale 0> (DF)
11:12:35.801111 ppp0 > user-2injgpx.dialup.mindspring.com.http > user-2injgkx.dsl.mindspring.com.1895: S 2208516355:2208516355(0) ack 2207676804 win 5760 <mss 1452,sackOK,timestamp 26038079 26038049,nop,wscale 0> (DF)
11:12:36.141111 ppp0 < user-2injgkx.dsl.mindspring.com.http > user-2injgpx.dialup.mindspring.com.1895: S 2208516355:2208516355(0) ack 2207676804 win 5760 <mss 1412,sackOK,timestamp 26038079 26038049,nop,wscale 0> (DF)
11:12:36.141111 ppp0 > user-2injgpx.dialup.mindspring.com.1895 > user-2injgkx.dsl.mindspring.com.http: . 1:1(0) ack 1 win 5808 <nop,nop,timestamp 26038113 26038079> (DF)
11:12:36.411111 ppp0 < user-2injgkx.dsl.mindspring.com.1895 > user-2injgpx.dialup.mindspring.com.http: . 1:1(0) ack 1 win 5808 <nop,nop,timestamp 26038113 26038079> (DF)

Which does work.

Any idea what my problem is? I've also included my routing table.

su-2.05# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            user-2injgg1.dsl.m UGSc        3      108   tun0
localhost          localhost          UH          0        0    lo0
user-2injgg1.dsl.m user-2injgkq.dsl.m UH          4        0   tun0
192.168.0          link#1             UC          2        0    dc0
192.168.0.1        192.168.0.15       UGHS        1       16    dc0
192.168.0.15       0:60:97:16:2a:ef   UHLW        3    12155    dc0    938
192.168.0.25       0:20:78:8:15:9c    UHLW        0        2    lo0


Thank you!

-Joe
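
The two tcpdump excerpts above, read the way you would before deciding whether the NAT rule or the return path is at fault: the following Python tool is an added example (not the poster's code, and not part of natd or FreeBSD) that parses the classic Linux tcpdump line layout shown in the post, groups packets into client-to-server connections, and reports how far each three-way handshake got and on which interfaces the packets were seen. Its sample input is the post's own two captures with the mail wrapping undone; the regular expression assumes that older "time iface dir src.port > dst.port: flags ..." format. Run on the first capture it shows the SYN arriving translated to 192.168.0.1 on eth0 and retransmitted with no SYN-ACK ever returning; on the second it shows both directions completing.

```python
"""Summarise TCP handshakes in classic tcpdump output (the Linux 2.x-era format
quoted in the post: "time iface dir src.port > dst.port: flags ...").
Added example; not code from the post, natd or FreeBSD."""
import re
from collections import defaultdict

# Sample input: the two excerpts from the post, unwrapped to one packet per line.
# Case 1: natd redirects to the internal host 192.168.0.1 and the connect hangs.
HANGING_CAPTURE = """\
tcpdump: listening on all devices
11:07:24.731111 ppp0 > user-2injgpx.dialup.mindspring.com.1891 > user-2injgkx.dsl.mindspring.com.http: S 1879014911:1879014911(0) win 5808 <mss 1452,sackOK,timestamp 26006972 0,nop,wscale 0> (DF)
11:07:24.841111 eth0 < user-2injgpx.dialup.mindspring.com.1891 > 192.168.0.1.http: S 1879014911:1879014911(0) win 5808 <mss 1412,sackOK,timestamp 26006972 0,nop,wscale 0> (DF)
11:07:27.731111 ppp0 > user-2injgpx.dialup.mindspring.com.1891 > user-2injgkx.dsl.mindspring.com.http: S 1879014911:1879014911(0) win 5808 <mss 1452,sackOK,timestamp 26007272 0,nop,wscale 0> (DF)
11:07:27.871111 eth0 < user-2injgpx.dialup.mindspring.com.1891 > 192.168.0.1.http: S 1879014911:1879014911(0) win 5808 <mss 1412,sackOK,timestamp 26007272 0,nop,wscale 0> (DF)
"""
# Case 2: natd redirects to an external address and the handshake completes.
WORKING_CAPTURE = """\
tcpdump: listening on all devices
11:12:35.501111 ppp0 > user-2injgpx.dialup.mindspring.com.1895 > user-2injgkx.dsl.mindspring.com.http: S 2207676803:2207676803(0) win 5808 <mss 1452,sackOK,timestamp 26038049 0,nop,wscale 0> (DF)
11:12:35.801111 ppp0 < user-2injgkx.dsl.mindspring.com.1895 > user-2injgpx.dialup.mindspring.com.http: S 2207676803:2207676803(0) win 5808 <mss 1412,sackOK,timestamp 26038049 0,nop,wscale 0> (DF)
11:12:35.801111 ppp0 > user-2injgpx.dialup.mindspring.com.http > user-2injgkx.dsl.mindspring.com.1895: S 2208516355:2208516355(0) ack 2207676804 win 5760 <mss 1452,sackOK,timestamp 26038079 26038049,nop,wscale 0> (DF)
11:12:36.141111 ppp0 < user-2injgkx.dsl.mindspring.com.http > user-2injgpx.dialup.mindspring.com.1895: S 2208516355:2208516355(0) ack 2207676804 win 5760 <mss 1412,sackOK,timestamp 26038079 26038049,nop,wscale 0> (DF)
11:12:36.141111 ppp0 > user-2injgpx.dialup.mindspring.com.1895 > user-2injgkx.dsl.mindspring.com.http: . 1:1(0) ack 1 win 5808 <nop,nop,timestamp 26038113 26038079> (DF)
11:12:36.411111 ppp0 < user-2injgkx.dsl.mindspring.com.1895 > user-2injgpx.dialup.mindspring.com.http: . 1:1(0) ack 1 win 5808 <nop,nop,timestamp 26038113 26038079> (DF)
"""

# One packet line: timestamp, interface, direction (> out, < in), endpoints, TCP flags, rest.
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) (?P<direction>[<>]) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) (?P<rest>.*)$"
)


def parse_capture(text):
    """Return one dict per TCP packet; banner lines that are not packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        # tcpdump prints host.port; the port is whatever follows the last dot.
        p["src_host"], p["src_port"] = p.pop("src").rsplit(".", 1)
        p["dst_host"], p["dst_port"] = p.pop("dst").rsplit(".", 1)
        p["is_syn"] = "S" in p["flags"]
        p["has_ack"] = " ack " in p["rest"]  # "sackOK" has no space before "ack"
        packets.append(p)
    return packets


def summarize_handshakes(packets):
    """Group packets by client->server 4-tuple and count the handshake steps seen.
    Only a bare SYN creates a connection, so the key's first endpoint is the initiator."""
    conns = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "ifaces": set()})
    for p in packets:
        fwd = (p["src_host"], p["src_port"], p["dst_host"], p["dst_port"])
        rev = (p["dst_host"], p["dst_port"], p["src_host"], p["src_port"])
        if p["is_syn"] and not p["has_ack"]:
            conn = conns[fwd]
            conn["syn"] += 1
        elif p["is_syn"]:
            conn = conns[rev]  # SYN-ACK travels server -> client
            conn["synack"] += 1
        elif p["has_ack"] and fwd in conns:
            conn = conns[fwd]  # the client's ACK completes the handshake
            conn["ack"] += 1
        else:
            continue
        conn["ifaces"].add(p["ifname"])
    return dict(conns)


def handshake_status(conn):
    """Classify how far one connection got."""
    if conn["synack"] and conn["ack"]:
        return "established"
    if conn["synack"]:
        return "SYN-ACK seen, final ACK not seen"
    return f"no SYN-ACK after {conn['syn']} SYN(s)"


def report(text):
    """Print one line per connection and return {4-tuple: status}."""
    statuses = {}
    for key, conn in summarize_handshakes(parse_capture(text)).items():
        status = handshake_status(conn)
        statuses[key] = status
        client_host, client_port, server_host, server_port = key
        ifaces = ",".join(sorted(conn["ifaces"]))
        print(f"{client_host}:{client_port} -> {server_host}:{server_port} [{ifaces}] {status}")
    return statuses


if __name__ == "__main__":
    print("== redirect to 192.168.0.1 (hangs) ==")
    report(HANGING_CAPTURE)
    print("== redirect to external address (works) ==")
    report(WORKING_CAPTURE)
```

Because dmzsilo sits on both sides of the redirect in these captures, every packet shows up twice (once leaving on ppp0, once arriving after translation), so each capture yields two connection entries; the useful signal is which of them ever receives a SYN-ACK, and the interface column tells you where the translated copy landed.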
