From owner-freebsd-questions Tue Aug 28 21:11:45 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 33AC037B406 for ; Tue, 28 Aug 2001 21:11:37 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f7T4BXr69156; Tue, 28 Aug 2001 23:11:33 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Tue, 28 Aug 2001 23:11:33 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: David Kelly
Cc: Joel Rosenberg, freebsd-questions@FreeBSD.ORG
Subject: Re: Forwarding packets from the internal network
In-Reply-To: <200108290318.f7T3IVw72618@grumpy.dyndns.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG

On Tue, 28 Aug 2001, David Kelly wrote:

> Nick Rogness writes:
> > On Tue, 28 Aug 2001, Joel Rosenberg wrote:
> >
> > > I'm in the process of setting up a network and have run into some
> > > problems. I have two devices on my network (IPs 192.168.1.20 and
> > > 192.168.1.21) that are accessed via port 80 (non changeable). Right
> > > now, I have all traffic sent to my firewall (I only have one real
> > > IP) on port 80 forwarded to 192.168.1.20:80 and all the traffic to
> > > 81 sent to 192.168.1.21:80 via natd. The problem is, when a
> > > connection from the outside is made to 192.168.1.21, it responds
> > > by trying to open a new connection on port 80. When the outside
> > > computer connects, the firewall forwards the now-port-80
> > > connection to 192.168.1.20, leaving no way of reaching
> > > 192.168.1.21.
> > >
> > > I've tried forwarding traffic from higher ports to
> > > internal machines (ie ssh) with success, so I can only assume that
> > > when 192.168.1.21 gets a request, it opens up a new connection,
> > > thereby losing the original :81->192.168.1.21:80 forwarding.
> > > Is there any way I can set up the firewall so that all outgoing
> > > traffic from 192.168.1.21:80 leaves the firewall on port 81?
> >
> > You can try the -same_ports option to natd.
>
> I'm confused by the description above as to whether or not
> 192.168.1.21 is trying to connect outside on port 80 and that one
> replies back to 80 or what?

I believe what he is saying is that 192.168.1.21 is responding to port
80 requests with a src_port of 80 and not 81, which would not work.

So if I understand correctly:

1) natd gets packet from outside world:

        SOURCE                  DESTINATION
        remote_IP:16675   -->   your_nat_outside_IP:81

2) natd changes packet to:

        SOURCE                  DESTINATION
        remote_IP:16675   -->   192.168.1.21:80

3) Packet gets sent to 192.168.1.21 port 80

4) 192.168.1.21 responds, sending packet back to natd machine.

5) natd changes packet to:

        SOURCE                         DESTINATION
        your_nat_outside_IP:80   -->   remote_IP:16675

6) Packet gets sent out into the world.

Step #5 you want it to be:

        your_nat_outside_IP:81   -->   remote_IP:16675

Is this the problem you were describing?

Nick Rogness - Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
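The six translation steps Nick lists, modelled as a small stateful port-redirect table. This is an added example and not code from the thread or from FreeBSD's natd; it simplifies NAT to the two rewrites the thread discusses. Public-side addresses (203.0.113.10, 198.51.100.7) and the remote port 16675 are constructed, the inside hosts and redirects are the ones Joel describes, and the `track_sessions=False` mode is a deliberate model of the symptom (reply leaves with source port 80) rather than a claim about how natd behaves. With session tracking on, the reply to a connection that arrived on outside port 81 goes back out with source port 81, which is the step #5 Nick says the poster wants.

```python
"""Stateful port-redirect model for the six translation steps in the thread.

Added example, not code from the mailing-list post or from FreeBSD natd.
Public-side addresses are constructed (RFC 5737 documentation ranges);
the inside hosts and redirect rules are the ones the thread names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortRedirectNAT:
    """Simplified model: a redirect maps an outside port to inside ip:port."""

    def __init__(self, outside_ip, redirects, track_sessions=True):
        self.outside_ip = outside_ip
        self.redirects = dict(redirects)       # outside port -> (inside ip, inside port)
        self.track_sessions = track_sessions   # False reproduces the reported symptom
        self.sessions = {}                     # (in_ip, in_port, remote_ip, remote_port) -> outside port

    def inbound(self, pkt):
        """Steps 1-2: rewrite the destination of a packet from the outside world."""
        if pkt.dst_ip != self.outside_ip or pkt.dst_port not in self.redirects:
            return None                        # no redirect for this port
        in_ip, in_port = self.redirects[pkt.dst_port]
        if self.track_sessions:
            # Remember which outside port this remote host dialled.
            self.sessions[(in_ip, in_port, pkt.src_ip, pkt.src_port)] = pkt.dst_port
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)

    def outbound(self, pkt):
        """Step 5: rewrite the source of a packet leaving the inside network."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.sessions:
            # Reply to a redirected connection: restore the outside port the
            # remote host originally used (81), not the server's own 80.
            return Packet(self.outside_ip, self.sessions[key], pkt.dst_ip, pkt.dst_port)
        # Anything else is masqueraded with its source port kept (assumption
        # of this model, not a statement about natd's port selection).
        return Packet(self.outside_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


OUTSIDE_IP = "203.0.113.10"                    # constructed public address
REDIRECTS = {80: ("192.168.1.20", 80), 81: ("192.168.1.21", 80)}


def trace(track_sessions, outside_port=81):
    """Run one remote connection to the given outside port; return steps 2 and 5."""
    nat = PortRedirectNAT(OUTSIDE_IP, REDIRECTS, track_sessions)
    step1 = Packet("198.51.100.7", 16675, OUTSIDE_IP, outside_port)  # constructed client
    step2 = nat.inbound(step1)
    # Step 4: the inside server answers from its own port 80.
    step4 = Packet(step2.dst_ip, step2.dst_port, step2.src_ip, step2.src_port)
    step5 = nat.outbound(step4)
    return step2, step5


if __name__ == "__main__":
    for tracking in (False, True):
        inside, reply = trace(tracking)
        print(f"track_sessions={tracking}: delivered to {inside.dst_ip}:{inside.dst_port}, "
              f"reply leaves as {reply.src_ip}:{reply.src_port} -> {reply.dst_ip}:{reply.dst_port}")
```

Run stand-alone it prints both traces; the untracked one shows the reply leaving as `203.0.113.10:80`, the tracked one as `203.0.113.10:81`. The check a practitioner wants here is on the reverse path: the reply source port must be derived from the stored session, never from the inside server's port.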