From owner-freebsd-questions Fri Jan 4 12:33:51 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from falcon.prod.itd.earthlink.net (falcon.mail.pas.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id 5558A37B405 for ; Fri, 4 Jan 2002 12:33:44 -0800 (PST)
Received: from user-2injgp0.dialup.mindspring.com ([165.121.195.32] helo=csilo.ath.cx) by falcon.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16Mb26-0000Ed-00 for freebsd-questions@freebsd.org; Fri, 04 Jan 2002 12:33:43 -0800
Received: (from ratm@localhost) by csilo.ath.cx (8.11.2/8.11.2) id g04KbE828678 for freebsd-questions@freebsd.org; Fri, 4 Jan 2002 15:37:14 -0500
Date: Fri, 4 Jan 2002 15:37:14 -0500
From: Joseph Bogner
To: freebsd-questions@freebsd.org
Subject: IPFW/NATD redirect_port problem
Message-ID: <20020104203714.GA28669@mindspring.com>
Reply-To: Joseph Bogner
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hello,

I have a problem with natd and ipfw. I am trying to redirect traffic from my FreeBSD gateway, 192.168.0.25, to my internal web server, 192.168.0.1. The FreeBSD gateway is connected through PPPoE to EarthLink on /dev/tun0.

Everything appears to be configured properly, because I can redirect traffic to external IPs using natd through the following command:

natd -dynamic -redirect_port tcp 165.121.195.x:http http -interface tun0 -l

But when I attempt to redirect traffic to an internal IP, the connect just hangs.

natd -dynamic -redirect_port tcp 192.168.0.1:http http -interface tun0 -l

My ipfw configuration is set up properly (as far as I can tell) because the first natd command works flawlessly.

su-2.05# ipfw list
00100 divert 8668 ip from any to any via tun0
65535 allow ip from any to any

natd also appears to be aliasing the addresses correctly, because when I run it in verbose mode, I get:

su-2.05# natd -dynamic -redirect_port tcp 192.168.0.1:http http -interface tun0 -l -v
natd[576]: Aliasing to 165.121.194.x, mtu 1492 bytes
In [TCP] [TCP] 165.121.195.x:1896 -> 165.121.194.x:80 aliased to [TCP] 165.121.195.x:1896 -> 192.168.0.1:80
In [TCP] [TCP] 165.121.195.x:1896 -> 165.121.194.x:80 aliased to [TCP] 165.121.195.x:1896 -> 192.168.0.1:80

But, as I said, the connection just hangs. From the client machine (attempting to access 165.121.194.x:80) the tcpdump is as follows:

[root@dmzsilo ratm]# tcpdump port http
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
11:07:24.731111 ppp0 > user-2injgpx.dialup.mindspring.com.1891 > user-2injgkx.dsl.mindspring.com.http: S 1879014911:1879014911(0) win 5808 (DF)
11:07:24.841111 eth0 < user-2injgpx.dialup.mindspring.com.1891 > 192.168.0.1.http: S 1879014911:1879014911(0) win 5808 (DF)
11:07:27.731111 ppp0 > user-2injgpx.dialup.mindspring.com.1891 > user-2injgkx.dsl.mindspring.com.http: S 1879014911:1879014911(0) win 5808 (DF)
11:07:27.871111 eth0 < user-2injgpx.dialup.mindspring.com.1891 > 192.168.0.1.http: S 1879014911:1879014911(0) win 5808 (DF)

But when I redirect to an external IP address, the tcpdump is:

[root@dmzsilo ratm]# tcpdump port http
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
11:12:35.501111 ppp0 > user-2injgpx.dialup.mindspring.com.1895 > user-2injgkx.dsl.mindspring.com.http: S 2207676803:2207676803(0) win 5808 (DF)
11:12:35.801111 ppp0 < user-2injgkx.dsl.mindspring.com.1895 > user-2injgpx.dialup.mindspring.com.http: S 2207676803:2207676803(0) win 5808 (DF)
11:12:35.801111 ppp0 > user-2injgpx.dialup.mindspring.com.http > user-2injgkx.dsl.mindspring.com.1895: S 2208516355:2208516355(0) ack 2207676804 win 5760 (DF)
11:12:36.141111 ppp0 < user-2injgkx.dsl.mindspring.com.http > user-2injgpx.dialup.mindspring.com.1895: S 2208516355:2208516355(0) ack 2207676804 win 5760 (DF)
11:12:36.141111 ppp0 > user-2injgpx.dialup.mindspring.com.1895 > user-2injgkx.dsl.mindspring.com.http: . 1:1(0) ack 1 win 5808 (DF)
11:12:36.411111 ppp0 < user-2injgkx.dsl.mindspring.com.1895 > user-2injgpx.dialup.mindspring.com.http: . 1:1(0) ack 1 win 5808 (DF)

which does work. Any idea what my problem is? I've also included my routing table.

su-2.05# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags  Refs    Use  Netif Expire
default            user-2injgg1.dsl.m UGSc      3    108   tun0
localhost          localhost          UH        0      0    lo0
user-2injgg1.dsl.m user-2injgkq.dsl.m UH        4      0   tun0
192.168.0          link#1             UC        2      0    dc0
192.168.0.1        192.168.0.15       UGHS      1     16    dc0
192.168.0.15       0:60:97:16:2a:ef   UHLW      3  12155    dc0    938
192.168.0.25       0:20:78:8:15:9c    UHLW      0      2    lo0

Thank you!
-Joe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
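The two tcpdump captures in the post, run through a small handshake-pairing script. This is an added example, not code from the post or from FreeBSD's natd/ipfw: it parses the old Linux tcpdump line shape shown above (newer tcpdump versions print differently and are not handled), groups packets into connections keyed by the first SYN, and reports which connections only ever saw SYNs, which is what a "hanging" connect looks like on the wire. It also pairs a SYN with its natd-rewritten copy (same source endpoint and sequence number, different destination), which confirms the redirect fired even though nothing answered. The capture lines are copied from the post; all function and variable names are my own.

```python
"""Triage old-style Linux tcpdump output for TCP handshakes that never finish.

Added example (not from the original post).  Handles lines of the shape
  HH:MM:SS.ffffff IFACE <|> SRC.PORT > DST.PORT: FLAGS SEQ:SEQ(LEN) [ack N] ...
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)
SEQ_RE = re.compile(r"^(\d+):\d+\(\d+\)")
ACK_RE = re.compile(r"\back\b")

# Capture lines reproduced from the post.  CAPTURE_HANG is the redirect to the
# internal host (connect hangs); CAPTURE_OK is the redirect to an external
# address (connect succeeds).  The "x" in the hostnames is the poster's redaction.
CAPTURE_HANG = """\
11:07:24.731111 ppp0 > user-2injgpx.dialup.mindspring.com.1891 > user-2injgkx.dsl.mindspring.com.http: S 1879014911:1879014911(0) win 5808 (DF)
11:07:24.841111 eth0 < user-2injgpx.dialup.mindspring.com.1891 > 192.168.0.1.http: S 1879014911:1879014911(0) win 5808 (DF)
11:07:27.731111 ppp0 > user-2injgpx.dialup.mindspring.com.1891 > user-2injgkx.dsl.mindspring.com.http: S 1879014911:1879014911(0) win 5808 (DF)
11:07:27.871111 eth0 < user-2injgpx.dialup.mindspring.com.1891 > 192.168.0.1.http: S 1879014911:1879014911(0) win 5808 (DF)
""".splitlines()

CAPTURE_OK = """\
11:12:35.501111 ppp0 > user-2injgpx.dialup.mindspring.com.1895 > user-2injgkx.dsl.mindspring.com.http: S 2207676803:2207676803(0) win 5808 (DF)
11:12:35.801111 ppp0 < user-2injgkx.dsl.mindspring.com.1895 > user-2injgpx.dialup.mindspring.com.http: S 2207676803:2207676803(0) win 5808 (DF)
11:12:35.801111 ppp0 > user-2injgpx.dialup.mindspring.com.http > user-2injgkx.dsl.mindspring.com.1895: S 2208516355:2208516355(0) ack 2207676804 win 5760 (DF)
11:12:36.141111 ppp0 < user-2injgkx.dsl.mindspring.com.http > user-2injgpx.dialup.mindspring.com.1895: S 2208516355:2208516355(0) ack 2207676804 win 5760 (DF)
11:12:36.141111 ppp0 > user-2injgpx.dialup.mindspring.com.1895 > user-2injgkx.dsl.mindspring.com.http: . 1:1(0) ack 1 win 5808 (DF)
11:12:36.411111 ppp0 < user-2injgkx.dsl.mindspring.com.1895 > user-2injgpx.dialup.mindspring.com.http: . 1:1(0) ack 1 win 5808 (DF)
""".splitlines()


def endpoint(text):
    """tcpdump glues the port onto the name with a dot: split on the last one."""
    host, _, port = text.rpartition(".")
    return host, port


def parse(line):
    """One tcpdump line -> dict of the fields the pairing logic needs, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq = SEQ_RE.match(m["rest"])
    return {
        "iface": m["iface"],
        "src": endpoint(m["src"]),
        "dst": endpoint(m["dst"]),
        "syn": "S" in m["flags"],
        "ack": ACK_RE.search(m["rest"]) is not None,
        "seq": int(seq.group(1)) if seq else None,
    }


def track(lines):
    """Group packets into connections keyed by (client, server) from the first
    SYN and record how far each three-way handshake got."""
    conns = {}
    for pkt in filter(None, map(parse, lines)):
        if pkt["syn"] and not pkt["ack"]:      # SYN opens or retransmits
            c = conns.setdefault((pkt["src"], pkt["dst"]),
                                 {"syns": 0, "seqs": set(), "ifaces": set(),
                                  "synack": False, "ack": False})
            c["syns"] += 1
            c["seqs"].add(pkt["seq"])
            c["ifaces"].add(pkt["iface"])
        elif pkt["syn"]:                        # SYN-ACK runs server -> client
            c = conns.get((pkt["dst"], pkt["src"]))
            if c:
                c["synack"] = True
        elif pkt["ack"]:                        # final ACK runs client -> server
            c = conns.get((pkt["src"], pkt["dst"]))
            if c and c["synack"]:
                c["ack"] = True
    return conns


def report(lines):
    """Summarise each connection: endpoints, interfaces seen on, outcome."""
    out = []
    for (client, server), c in track(lines).items():
        if c["ack"]:
            state = "established"
        elif c["synack"]:
            state = "syn-ack seen, no final ack"
        else:
            state = "no syn-ack: client retransmits SYN and hangs"
        out.append({"client": "%s.%s" % client, "server": "%s.%s" % server,
                    "ifaces": sorted(c["ifaces"]),
                    "syn_retransmits": c["syns"] - len(c["seqs"]),
                    "state": state})
    return out


def translated_copies(lines):
    """Same client endpoint and SYN sequence number seen with more than one
    destination: the packet before and after natd's redirect rewrote it."""
    seen = {}
    for pkt in filter(None, map(parse, lines)):
        if pkt["syn"] and not pkt["ack"]:
            seen.setdefault((pkt["src"], pkt["seq"]), set()).add(pkt["dst"])
    return {("%s.%s" % src, seq): sorted("%s.%s" % d for d in dsts)
            for (src, seq), dsts in seen.items() if len(dsts) > 1}


if __name__ == "__main__":
    for name, cap in (("hang", CAPTURE_HANG), ("ok", CAPTURE_OK)):
        print("== capture:", name)
        for row in report(cap):
            print("  %(client)s -> %(server)s on %(ifaces)s: %(state)s "
                  "(%(syn_retransmits)d SYN retransmits)" % row)
        for (src, seq), dsts in translated_copies(cap).items():
            print("  SYN %d from %s seen rewritten towards %s" % (seq, src, dsts))
```

On the first capture the script reports two connections (the original SYN towards 165.121.194.x on ppp0 and its rewritten copy towards 192.168.0.1 on eth0), each with one SYN retransmission and no SYN-ACK, and pairs them as the same packet before and after translation; on the second capture both connections reach "established". Feeding it a longer `tcpdump -n port http` capture from the gateway's tun0 and dc0 at the same time is the quickest way to see on which hop a reply goes missing.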