From: David Kelly
To: Nick Rogness
Cc: Joel Rosenberg, freebsd-questions@FreeBSD.ORG
Subject: Re: Forwarding packets from the internal network
Date: Wed, 29 Aug 2001 00:47:09 -0500
Message-Id: <200108290547.f7T5l9w74186@grumpy.dyndns.org>
In-reply-to: Message from Nick Rogness of "Tue, 28 Aug 2001 23:11:33 CDT."

Nick Rogness writes:
> On Tue, 28 Aug 2001, David Kelly wrote:
>
> > I'm confused by the description above as to whether or not
> > 192.168.1.21 is trying to connect outside on port 80 and that one
> > replies back to 80 or what?
>
> I believe what he is saying is that 192.168.1.21 is responding to
> port 80 requests with a src_port of 80 and not 81 which would not
> work. So if I understand correctly:
>
> 1) natd gets packet from outside world:
>
>       SOURCE                      DESTINATION
>       remote_IP:16675     -->     your_nat_outside_IP:81
>
> 2) natd changes packet to:
>
>       SOURCE                      DESTINATION
>       remote_IP:16675     -->     192.168.1.21:80
>
> 3) Packet gets sent to 192.168.1.21 port 80
>
> 4) 192.168.1.21 responds sending packet back to natd
>    machine.
>
> 5) natd changes packet to:
>
>       SOURCE                      DESTINATION
>       your_nat_outside_IP:80  -->  remote_IP:16675
>
> 6) packet gets sent out into the world.
>
> Step #5 you want it to be:
>
>       your_nat_outside_IP:81  -->  remote_IP:16675
>
> Is this the problem you were describing?

Excellent description. But your #5 above should be taken care of by the
port redirection in natd: as the remote site sees the connection as between
remote_IP:16675 and your_nat_outside_IP:81, a return packet from
your_nat_outside_IP:80 to remote_IP:16675 would be discarded as there
isn't a matching connection. As I understand natd, it has to track these
connections so the redirect's replies will work. It can't figure it out on
each and every packet.

As I understand the same-port option, natd will _try_ to use
private_inside:16675 in its connection to 192.168.1.21:81, but there is no
guarantee this port (16675) is available.

As for the incoming port 80 and 81, those port numbers are already decided
by the remote client before natd has a shot at them. Externally natd has to
respond from the port the incoming connection arrived at.

Without enough information I'm guessing the port 80 and 81 stuff are web
servers. And similar to ftp, http is exchanging port numbers in the data
portion of the connection, causing the client to try port 80 on the
external address because the port 81 web server thinks it's on port 80. An
internal webserver behind NAT also has to be careful not to rewrite URLs
with its internal IP address.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
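The six-step exchange above, as an added example that is not part of the thread: a minimal stateful port-redirecting NAT in the style of natd's redirect_port. It records each inbound connection so that the inside host's reply from port 80 is rewritten back to outside:81 (step 5), and a reply that matches no tracked connection is dropped. The outside address 203.0.113.5 and the remote client 198.51.100.7 are constructed; the rule 81 -> 192.168.1.21:80 follows the thread.

```python
# Added example (not from the mailing-list thread): a stateful NAT with a
# port redirect, modelled on the six steps listed above.  Addresses other
# than 192.168.1.21 are constructed documentation-range values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class RedirectNat:
    """natd-style NAT: redirects maps an external port to an inside
    host:port, and every inbound connection is recorded so the matching
    reply can have its source rewritten back to outside_ip:ext_port."""

    def __init__(self, outside_ip, redirects):
        self.outside_ip = outside_ip
        self.redirects = dict(redirects)   # ext_port -> (inside_ip, inside_port)
        self.table = {}  # (inside_ip, inside_port, remote_ip, remote_port) -> ext_port

    def inbound(self, pkt):
        """Steps 1-2: rewrite the destination to the inside host and track it."""
        if pkt.dst_ip != self.outside_ip or pkt.dst_port not in self.redirects:
            return None                    # no redirect rule: drop
        inside_ip, inside_port = self.redirects[pkt.dst_port]
        self.table[(inside_ip, inside_port, pkt.src_ip, pkt.src_port)] = pkt.dst_port
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

    def outbound(self, pkt):
        """Steps 4-5: rewrite the reply's source to outside_ip:ext_port, but
        only when the reply matches a connection natd already saw."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.table.get(key)
        if ext_port is None:
            return None                    # untracked reply: drop
        return Packet(self.outside_ip, ext_port, pkt.dst_ip, pkt.dst_port)


def demo():
    nat = RedirectNat("203.0.113.5", {81: ("192.168.1.21", 80)})
    inb = nat.inbound(Packet("198.51.100.7", 16675, "203.0.113.5", 81))
    good = nat.outbound(Packet("192.168.1.21", 80, "198.51.100.7", 16675))
    # Reply from a port natd never redirected to: no state, so it is dropped.
    bad = nat.outbound(Packet("192.168.1.21", 8080, "198.51.100.7", 16675))
    return inb, good, bad
```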