From: Pejman Moghadam <d_a_d_a_sh@yahoo.com>
To: "Melameth, Daniel D."
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Tue, 26 Jul 2005 21:59:10 -0700 (PDT)
Subject: RE: pinging same host on the internet from two different LAN stations
Message-ID: <20050727045910.94492.qmail@web32406.mail.mud.yahoo.com>
In-Reply-To: <31BA35C490DBFC40B5C331C7987835AE6122E9@mbafmail.internal.mba-cpa.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Melameth, Daniel D.
wrote:

> FWIW, while I haven't looked into this in detail, it appears Windows
> clients always use the same ICMP ID--512...

I think this is right, because of this state entry:

self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512 0:0

But I have not had any problem with Windows clients when I use ipfw in FreeBSD or even iptables in Linux. Why is the same ICMP ID (512) so important for PF? How can I deal with that?

--- "Melameth, Daniel D." wrote:

> Daniel Hartmeier wrote:
> > On Tue, Jul 26, 2005 at 05:58:18AM -0700, Pejman Moghadam wrote:
> > > I have one FreeBSD 5.4 router/firewall box in my LAN that does NAT
> > > with PF.
> > > The problem is I can't ping the same machine on the internet from
> > > two or more different machines on my LAN at the same time. Only one
> > > of my LAN clients can ping that target, and pinging that target
> > > from another station is possible only when I stop pinging from the
> > > first client.
> > > Is there any way or any tool so that ICMP portmapping allows
> > > simultaneous connections to external targets from multiple machines
> > > from the LAN?
> >
> > I don't believe you have actually tried this.
> >
> > From one workstation (10.1.1.20)
> >
> > $ ping 199.185.137.3
> > 64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=218.693 ms
> > 64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=211.615 ms
> > [...]
> >
> > At the same time, from another workstation (10.2.2.11)
> >
> > $ ping 199.185.137.3
> > 64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=195.604 ms
> > 64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=194.387 ms
> >
> > On the gateway which does NAT for both
> >
> > # pfctl -ss | grep icmp
> > kue0 icmp 10.1.1.20:354 -> 62.65.145.30:354 -> 199.185.137.3:354 0:0
> > kue0 icmp 10.2.2.11:19057 -> 62.65.145.30:19057 -> 199.185.137.3:19057 0:0
> >
> > What looks like port numbers in the state is the ICMP ID, a number
> > chosen randomly for one ping invocation. pf uses this to dispatch
> > incoming replies from the external host to the appropriate internal
> > host.
>
> FWIW, while I haven't looked into this in detail, it appears Windows
> clients always use the same ICMP ID--512...
>
> >echo %os%
> Windows_NT
>
> >ping 199.185.137.3
>
> Pinging 199.185.137.3 with 32 bytes of data:
>
> Reply from 199.185.137.3: bytes=32 time=117ms TTL=242
> Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
> Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
> Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
>
>
> # uname -a
> OpenBSD openbsdvm.internal.melameth.com 3.7 GENERIC#50 i386
>
> # ping -c 5 199.185.137.3
> PING 199.185.137.3 (199.185.137.3): 56 data bytes
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=129.318 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=128.110 ms
> 64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=100.227 ms
> 64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=159.927 ms
> 64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=153.973 ms
> --- 199.185.137.3 ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 100.227/134.311/159.927/21.297 ms
>
>
> # uname -a
> OpenBSD mel.internal.melameth.com 3.7 GENERIC#50 i386
>
> # ping -c 5 199.185.137.3
> PING 199.185.137.3 (199.185.137.3): 56 data bytes
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=117.295 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=124.281 ms
> 64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=115.875 ms
> 64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=119.523 ms
> 64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=123.472 ms
> --- 199.185.137.3 ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 115.875/120.089/124.281/3.320 ms
>
>
> ...and the output from the gateway which reflects the machines above
> respectively:
>
> $ sudo pfctl -ss | grep icmp
> self icmp 192.168.x.x:512 -> 207.224.x.x:512 -> 199.185.137.3:512 0:0
> self icmp 192.168.x.x:51726 -> 207.224.x.x:51726 -> 199.185.137.3:51726 0:0
> self icmp 192.168.x.x:5903 -> 207.224.x.x:5903 -> 199.185.137.3:5903 0:0
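Added example, not code from this thread and not pf's own code: a toy model of the ICMP NAT state table that the `pfctl -ss` lines above print as `internal:ID -> gateway:ID -> remote:ID`. It shows why the dispatch Daniel Hartmeier describes works for two clients with random IDs (354 and 19057) but not for two Windows clients that both send ID 512 to the same target: the reply-side key (remote host, ICMP ID) is identical, so only one state can own it. The `rewrite_id=True` variant, in which the gateway allocates a distinct outside ID per state the way a port allocator would, is an assumption used to show how the collision can be avoided; it is not a statement about what pf did in the versions discussed here. All addresses and IDs are constructed.

```python
# Added example (not code from the thread or from pf): a toy model of the
# NAT state table the pfctl -ss output above describes. Each state is
#   (internal host, ICMP ID) -> (gateway, ICMP ID) -> (remote host, ICMP ID)
# and an incoming echo reply is matched on (remote host, ICMP ID as seen on
# the outside). All addresses and IDs below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GATEWAY = "1.2.3.4"            # constructed external address of the NAT box
REMOTE = "199.185.137.3"       # the target host both clients ping


@dataclass(frozen=True)
class Echo:
    """One ICMP echo request or reply, reduced to the fields NAT keys on."""
    src: str
    dst: str
    icmp_id: int


class IcmpNat:
    """NAT state table for ICMP echo.

    rewrite_id=False keeps the client's ID on the outside, which is what the
    states quoted in the thread show. rewrite_id=True models a NAT that
    allocates a unique outside ID per state (an assumption used here to show
    the fix, not a claim about what pf did at the time).
    """

    def __init__(self, rewrite_id: bool) -> None:
        self.rewrite_id = rewrite_id
        # forward: (internal host, remote, inside id) -> outside id
        self.fwd: Dict[Tuple[str, str, int], int] = {}
        # reverse: (remote, outside id) -> (internal host, inside id)
        self.rev: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Echo) -> Optional[Echo]:
        """Translate an echo request. Returns the packet as sent on the
        outside, or None if the state it needs already belongs to another
        host (the model drops the packet; the real firewall's handling of
        that case is not something the thread shows)."""
        fkey = (pkt.src, pkt.dst, pkt.icmp_id)
        if fkey in self.fwd:                        # existing state, reuse it
            return Echo(GATEWAY, pkt.dst, self.fwd[fkey])
        outside_id = pkt.icmp_id
        if self.rewrite_id:
            while (pkt.dst, outside_id) in self.rev:   # find a free outside ID
                outside_id = (outside_id + 1) & 0xFFFF
        elif (pkt.dst, outside_id) in self.rev:
            return None                             # collision on the reply-side key
        self.fwd[fkey] = outside_id
        self.rev[(pkt.dst, outside_id)] = (pkt.src, pkt.icmp_id)
        return Echo(GATEWAY, pkt.dst, outside_id)

    def inbound(self, reply: Echo) -> Optional[Echo]:
        """Dispatch an echo reply to the internal host that owns the state,
        restoring the ID the client originally sent."""
        st = self.rev.get((reply.src, reply.icmp_id))
        if st is None:
            return None
        host, inside_id = st
        return Echo(reply.src, host, inside_id)


def ping_round(nat: IcmpNat, clients: List[Tuple[str, int]]) -> List[Optional[str]]:
    """Each client sends one echo request to REMOTE and REMOTE answers it.
    Returns, per client, the internal host the reply reached (None = lost)."""
    delivered: List[Optional[str]] = []
    for host, icmp_id in clients:
        out = nat.outbound(Echo(host, REMOTE, icmp_id))
        if out is None:
            delivered.append(None)
            continue
        # The remote host echoes back whatever ID it saw in the request.
        back = nat.inbound(Echo(REMOTE, GATEWAY, out.icmp_id))
        delivered.append(back.dst if back is not None else None)
    return delivered


WINDOWS_CLIENTS = [("192.168.1.18", 512), ("192.168.1.19", 512)]   # both use ID 512
RANDOM_ID_CLIENTS = [("10.1.1.20", 354), ("10.2.2.11", 19057)]     # IDs as in the quoted states

if __name__ == "__main__":
    print("random IDs, no rewrite :", ping_round(IcmpNat(False), RANDOM_ID_CLIENTS))
    print("same ID 512, no rewrite:", ping_round(IcmpNat(False), WINDOWS_CLIENTS))
    print("same ID 512, rewrite   :", ping_round(IcmpNat(True), WINDOWS_CLIENTS))
```

Run stand-alone, the first two lines reproduce the two situations in the thread: distinct IDs give both hosts their replies, identical IDs leave the second host without a state and therefore without replies. The third line shows that once the gateway owns the outside ID (513 is handed to the second host here), the reply-side keys are distinct again and both hosts are served.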