Date: Thu, 23 Dec 2004 15:21:10 -0800 From: "Daniel Brown" <daniel@pugetsystems.com> To: <freebsd-questions@freebsd.org> Subject: IPFW/IPNAT Troubles Message-ID: <07d201c4e946$16b4d9b0$7801a8c0@parts>
Hi,

I am encountering a problem with a machine I just recently set up as a NAT router. I am running 5.3-REL with ipfw and ipf loaded as modules (not compiled in). These are the ipnat rules I have set up (I replaced my external IP with 22.22.22.22):

    map sis0 192.168.1.0/24 -> 22.22.22.22/32 portmap tcp/udp auto
    rdr sis0 22.22.22.22/32 port 80 -> 192.168.1.7 port 80
    rdr sis0 22.22.22.22/32 port 443 -> 192.168.1.7 port 443
    rdr sis0 22.22.22.22/32 port 143 -> 192.168.1.5 port 143
    rdr sis0 22.22.22.22/32 port 110 -> 192.168.1.5 port 110
    rdr sis0 22.22.22.22/32 port 25 -> 192.168.1.5 port 25
    rdr sis0 22.22.22.22/32 port 22 -> 192.168.1.7 port 22
    rdr sis0 22.22.22.22/32 port 53 -> 192.168.1.7 port 53

IPFW is set to allow all.

This works great for everything except for one small problem. Here is what I think describes the problem best. I sit down at an internal workstation (192.168.1.105), and type the things in brackets:

    [nslookup]
    [server 22.22.22.22]
    [www.yahoo.com]

This is the response I get:

    Server: 22-22-22-22.example.net
    Address: 22.22.22.22

    *** 22-22-22-22.example.net can't find www.yahoo.com: No response from server

Now, if I query the server 192.168.1.7 with nslookup, it works great, resolves www.yahoo.com for me no problem. So it looks like there is some kind of problem with doing NAT translation to put the LAN's packets on the internet, and then realizing they are for an interface on the machine doing the NAT translation, then doing a port forward on that packet back into the LAN.

Here is some more information that might help: traffic from the outside, to 22.22.22.22 port 80, is directed to 192.168.1.7 port 80 just fine. People are browsing the web site as we speak. Same with the other port redirects, as far as I can tell. It's just when trying to redirect traffic that originated inside the LAN when the problem comes up.

What I've done to partially resolve this issue for now is I've set up HOSTS files on the LAN so that we can access our own web site (so ourwebsite.com is 192.168.1.7 in our local HOSTS files).

Anyone have suggestions?

Thanks,
Dan
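As an added illustration (not from the post, and not ipf's own code), here is a small Python model of interface-bound rdr rules that reproduces the behaviour Dan describes: a rdr on sis0 only sees packets arriving on sis0, so a query from the LAN to the router's own external address never reaches the redirect. The inner-interface name lan0, the outside client address 198.51.100.9 and the simplified matching are assumptions.

```python
from dataclasses import dataclass, replace

EXT = "22.22.22.22"          # router's external address, as given in the post
LAN = "192.168.1."           # the LAN prefix from the post's map rule

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# The post's rdr rules, all bound to sis0: {iface: {(dst, port): (new_dst, new_port)}}
RDR = {
    "sis0": {
        (EXT, 80): ("192.168.1.7", 80), (EXT, 443): ("192.168.1.7", 443),
        (EXT, 143): ("192.168.1.5", 143), (EXT, 110): ("192.168.1.5", 110),
        (EXT, 25): ("192.168.1.5", 25), (EXT, 22): ("192.168.1.7", 22),
        (EXT, 53): ("192.168.1.7", 53),
    },
}

def ingress(iface, pkt, rdr=RDR):
    """Model assumption: a rdr rule only sees packets arriving on its own interface."""
    hit = rdr.get(iface, {}).get((pkt.dst, pkt.dport))
    return replace(pkt, dst=hit[0], dport=hit[1]) if hit else pkt

def deliver(pkt):
    """Where the router hands the (possibly rewritten) packet next."""
    if pkt.dst == EXT:
        return "router-local"       # no resolver listens on the router: query times out
    if pkt.dst.startswith(LAN):
        return "lan:" + pkt.dst
    return "internet"

def trace(iface, pkt, rdr=RDR):
    return deliver(ingress(iface, pkt, rdr))

def reply_source_seen_by(client, server):
    """Hairpin caveat: a LAN server answers a LAN client directly (same subnet),
    so the client sees the server's real address, not the external one it sent to."""
    return server if client.startswith(LAN) and server.startswith(LAN) else EXT

if __name__ == "__main__":
    # Outside client to the web server: redirected, as the post reports working.
    print(trace("sis0", Packet("198.51.100.9", 40000, EXT, 80)))
    # LAN workstation to the external address: arrives on the inner interface
    # ("lan0" is a hypothetical name), which carries no rdr rule.
    print(trace("lan0", Packet("192.168.1.105", 40001, EXT, 53)))
```

The same query would be redirected if it arrived on sis0, which is why the outside port forwards work; redirecting it on the inner interface alone would still leave the reply coming straight from 192.168.1.7, as reply_source_seen_by shows.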