From: "Melameth, Daniel D." <dmelameth@mba-cpa.com>
To: "Pejman Moghadam"
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Tue, 26 Jul 2005 12:55:56 -0400
Subject: RE: pinging same host on the internet from two different LAN stations

Daniel Hartmeier wrote:
> On Tue, Jul 26, 2005 at 05:58:18AM -0700, Pejman Moghadam wrote:
> > I have one FreeBSD 5.4 router/firewall box in my LAN that does NAT
> > with PF.
> > The problem is I can't ping the same machine on the internet from
> > two or more different machines on my LAN at the same time. Only one
> > of my LAN clients can ping that target, and pinging that target
> > from another station is possible only when I stop pinging from the
> > first client.
> > Is there any way or any tool that ICMP portmapping allows
> > simultaneous connections to external targets from multiple machines
> > from the LAN?
>
> I don't believe you have actually tried this.
>
> From one workstation (10.1.1.20)
>
> $ ping 199.185.137.3
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=218.693 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=211.615 ms
> [...]
>
> At the same time, from another workstation (10.2.2.11)
>
> $ ping 199.185.137.3
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=195.604 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=194.387 ms
>
> On the gateway which does NAT for both
>
> # pfctl -ss | grep icmp
> kue0 icmp 10.1.1.20:354 -> 62.65.145.30:354 -> 199.185.137.3:354 0:0
> kue0 icmp 10.2.2.11:19057 -> 62.65.145.30:19057 -> 199.185.137.3:19057 0:0
>
> What looks like port numbers in the state is the ICMP ID, a number
> chosen randomly for one ping invocation. pf uses this to dispatch
> incoming replies from the external host to the appropriate internal
> host.

FWIW, while I haven't looked into this in detail, it appears Windows
clients always use the same ICMP ID--512...
>echo %os%
Windows_NT

>ping 199.185.137.3

Pinging 199.185.137.3 with 32 bytes of data:

Reply from 199.185.137.3: bytes=32 time=117ms TTL=242
Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
Reply from 199.185.137.3: bytes=32 time=118ms TTL=242

# uname -a
OpenBSD openbsdvm.internal.melameth.com 3.7 GENERIC#50 i386
# ping -c 5 199.185.137.3
PING 199.185.137.3 (199.185.137.3): 56 data bytes
64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=129.318 ms
64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=128.110 ms
64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=100.227 ms
64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=159.927 ms
64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=153.973 ms

--- 199.185.137.3 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 100.227/134.311/159.927/21.297 ms

# uname -a
OpenBSD mel.internal.melameth.com 3.7 GENERIC#50 i386
# ping -c 5 199.185.137.3
PING 199.185.137.3 (199.185.137.3): 56 data bytes
64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=117.295 ms
64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=124.281 ms
64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=115.875 ms
64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=119.523 ms
64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=123.472 ms

--- 199.185.137.3 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 115.875/120.089/124.281/3.320 ms

...and the output from the gateway which reflects the machines above
respectively:

$ sudo pfctl -ss | grep icmp
self icmp 192.168.x.x:512 -> 207.224.x.x:512 -> 199.185.137.3:512 0:0
self icmp 192.168.x.x:51726 -> 207.224.x.x:51726 -> 199.185.137.3:51726 0:0
self icmp 192.168.x.x:5903 -> 207.224.x.x:5903 -> 199.185.137.3:5903 0:0
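The state lines above are enough to check the thread's point mechanically. The following script is an added example, not code from this thread or from the pf project: it parses the ICMP lines of `pfctl -ss` in the layout quoted above and answers two questions a gateway admin would ask: do any two internal hosts already share an external (NAT address, destination, ICMP ID) tuple, and would a new echo request from some other internal host with a given ID clash with an existing state. That second check is what a fixed client ID such as 512 runs into. The sample state table is constructed; the internal 192.168.1.x addresses and the NAT address 203.0.113.5 are made up because the original output masks them, and the function names are this example's own.

```python
"""Check pf ICMP states for ICMP ID collisions behind one NAT address.

Added example for the pf-list thread on pinging one host from several LAN
clients; it is not part of pf and uses constructed sample data.
"""
import re
from collections import defaultdict

# One ICMP state line of `pfctl -ss`, in the layout quoted in the thread:
#   <if> icmp <internal>:<id> -> <nat>:<id> -> <dst>:<id> <state>
# The middle (NAT) leg is optional so un-translated states parse as well.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+icmp\s+"
    r"(?P<src>[\d.]+):(?P<src_id>\d+)\s+->\s+"
    r"(?:(?P<nat>[\d.]+):(?P<nat_id>\d+)\s+->\s+)?"
    r"(?P<dst>[\d.]+):(?P<dst_id>\d+)\s+"
    r"(?P<state>\S+)\s*$"
)

# Constructed sample in the format shown in the thread. Only the destination
# 199.185.137.3 comes from the thread; the 192.168.1.x clients and the NAT
# address 203.0.113.5 are made up. The TCP line is there to be skipped.
SAMPLE = """\
self icmp 192.168.1.10:512 -> 203.0.113.5:512 -> 199.185.137.3:512 0:0
self icmp 192.168.1.20:51726 -> 203.0.113.5:51726 -> 199.185.137.3:51726 0:0
self icmp 192.168.1.30:5903 -> 203.0.113.5:5903 -> 199.185.137.3:5903 0:0
self tcp 192.168.1.10:49152 -> 203.0.113.5:61000 -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
"""


def parse_icmp_states(text):
    """Return one dict per ICMP state line; lines for other protocols are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        states.append({
            "iface": d["iface"],
            "src": d["src"], "src_id": int(d["src_id"]),
            "nat": d["nat"],
            "nat_id": int(d["nat_id"]) if d["nat_id"] is not None else None,
            "dst": d["dst"], "dst_id": int(d["dst_id"]),
            "state": d["state"],
        })
    return states


def external_key(state):
    """The tuple the external host sees and echoes back: (our address, dst, ICMP ID).

    Replies carry nothing else, so this is all pf has to pick the internal host."""
    ext = state["nat"] if state["nat"] is not None else state["src"]
    return (ext, state["dst"], state["dst_id"])


def find_collisions(states):
    """Map each external key owned by more than one internal host to those hosts."""
    owners = defaultdict(set)
    for s in states:
        owners[external_key(s)].add(s["src"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def would_collide(states, src, dst, icmp_id, nat_addr):
    """Return the existing state a new echo request would clash with, or None.

    The request comes from internal host `src` to `dst` with ICMP ID `icmp_id`
    and is translated to `nat_addr`. A clash means another internal host
    already owns the same external key, so replies could not be told apart."""
    wanted = (nat_addr, dst, icmp_id)
    for s in states:
        if external_key(s) == wanted and s["src"] != src:
            return s
    return None


if __name__ == "__main__":
    table = parse_icmp_states(SAMPLE)
    print("ICMP states:", len(table))
    print("existing collisions:", find_collisions(table))
    # A fourth client using the fixed ID 512 against the same target.
    clash = would_collide(table, "192.168.1.40", "199.185.137.3", 512, "203.0.113.5")
    print("new ID-512 ping collides with:", clash["src"] if clash else None)
```

Run it as a script, or feed it real output with `parse_icmp_states(open("states.txt").read())` after saving `pfctl -ss` to a file. The check keys on the external tuple rather than on the internal address on purpose: that tuple is the only thing the reply from the far host carries, so it is the only thing the gateway can dispatch on.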