From: "Daniel Brown" (envelope-from daniel@pugetsystems.com)
To: freebsd-questions@freebsd.org
Date: Thu, 23 Dec 2004 15:21:10 -0800
Subject: IPFW/IPNAT Troubles
Message-ID: <07d201c4e946$16b4d9b0$7801a8c0@parts>

Hi,

I am encountering a problem with a machine I just recently set up as a NAT router. I am running 5.3-REL with ipfw and ipf loaded as modules (not compiled in). These are the ipnat rules I have set up (I replaced my external IP with 22.22.22.22):

    map sis0 192.168.1.0/24 -> 22.22.22.22/32 portmap tcp/udp auto
    rdr sis0 22.22.22.22/32 port 80 -> 192.168.1.7 port 80
    rdr sis0 22.22.22.22/32 port 443 -> 192.168.1.7 port 443
    rdr sis0 22.22.22.22/32 port 143 -> 192.168.1.5 port 143
    rdr sis0 22.22.22.22/32 port 110 -> 192.168.1.5 port 110
    rdr sis0 22.22.22.22/32 port 25 -> 192.168.1.5 port 25
    rdr sis0 22.22.22.22/32 port 22 -> 192.168.1.7 port 22
    rdr sis0 22.22.22.22/32 port 53 -> 192.168.1.7 port 53

IPFW is set to allow all.

This works great for everything except for one small problem. Here is what I think describes the problem best. I sit down at an internal workstation (192.168.1.105), and type the things in brackets:

    [nslookup]
    [server 22.22.22.22]
    [www.yahoo.com]

This is the response I get:

    Server:  22-22-22-22.example.net
    Address:  22.22.22.22

    *** 22-22-22-22.example.net can't find www.yahoo.com: No response from server

Now, if I query the server 192.168.1.7 with nslookup, it works great, resolves www.yahoo.com for me no problem. So it looks like there is some kind of problem with doing NAT translation to put the LAN's packets on the internet, and then realizing they are for an interface on the machine doing the NAT translation, then doing a port forward on that packet back into the LAN.

Here is some more information that might help: traffic from the outside, to 22.22.22.22 port 80, is directed to 192.168.1.7 port 80 just fine. People are browsing the web site as we speak. Same with the other port redirects, as far as I can tell. It's just when trying to redirect traffic that originated inside the LAN when the problem comes up. What I've done to partially resolve this issue for now is I've set up HOSTS files on the LAN so that we can access our own web site (so ourwebsite.com is 192.168.1.7 in our local HOSTS files).

Anyone have suggestions?

Thanks,
Dan
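The following is an added worked example, not part of Dan's mail and not ipfilter's own code. It parses the rdr rules quoted above and applies a small model of how ipnat selects an rdr rule: rdr rules are consulted for packets arriving inbound on the interface named in the rule, and ipnat(5) treats an rdr with no trailing protocol keyword as tcp-only. Run against the quoted rules it shows two things a defender would want to check before touching the firewall: a LAN-originated packet to 22.22.22.22 enters the router on the inside interface (the interface name fxp0 is an assumption; the mail does not give it), so none of the sis0 rdr rules match it, and a UDP query to port 53 matches nothing even when it does arrive on sis0, because the port-53 rule carries no udp keyword.

```python
"""Toy model of ipnat rdr rule selection, written to illustrate the
hairpin (LAN-to-external-IP) problem in the mail above.

This is an added example, not the ipfilter implementation: it models only
interface matching, destination/port matching and the tcp default for rdr.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed input: the ipnat rules quoted in the mail (22.22.22.22 is the
# poster's stand-in for the real external address).
IPNAT_CONF = """
map sis0 192.168.1.0/24 -> 22.22.22.22/32 portmap tcp/udp auto
rdr sis0 22.22.22.22/32 port 80 -> 192.168.1.7 port 80
rdr sis0 22.22.22.22/32 port 443 -> 192.168.1.7 port 443
rdr sis0 22.22.22.22/32 port 143 -> 192.168.1.5 port 143
rdr sis0 22.22.22.22/32 port 110 -> 192.168.1.5 port 110
rdr sis0 22.22.22.22/32 port 25 -> 192.168.1.5 port 25
rdr sis0 22.22.22.22/32 port 22 -> 192.168.1.7 port 22
rdr sis0 22.22.22.22/32 port 53 -> 192.168.1.7 port 53
"""

# rdr <ifname> <ext-addr/mask> port <n> -> <int-addr> port <m> [tcp|udp|tcp/udp]
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<eport>\d+)\s*->\s*"
    r"(?P<int>\S+)\s+port\s+(?P<iport>\d+)(?:\s+(?P<proto>tcp/udp|tcp|udp))?$"
)


@dataclass
class Rdr:
    ifname: str                      # interface the packet must arrive on
    external: ipaddress.IPv4Network  # destination address(es) to redirect
    ext_port: int
    internal: str                    # where the packet is sent instead
    int_port: int
    protos: FrozenSet[str]           # {"tcp"}, {"udp"} or both


def parse_rdr_rules(conf: str) -> List[Rdr]:
    """Parse the rdr lines of an ipnat.conf; map lines are skipped."""
    rules: List[Rdr] = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("rdr"):
            continue
        m = RDR_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rdr rule: {line}")
        # ipnat(5): an rdr rule without a protocol keyword applies to tcp only.
        proto = m.group("proto") or "tcp"
        rules.append(Rdr(
            ifname=m.group("ifname"),
            external=ipaddress.ip_network(m.group("ext"), strict=False),
            ext_port=int(m.group("eport")),
            internal=m.group("int"),
            int_port=int(m.group("iport")),
            protos=frozenset(proto.split("/")),
        ))
    return rules


def match_rdr(rules: List[Rdr], in_if: str, dst_ip: str,
              dst_port: int, proto: str) -> Optional[Rdr]:
    """Return the first rdr rule that would redirect a packet arriving
    inbound on `in_if` for dst_ip:dst_port/proto, or None."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.ifname == in_if and dst in r.external
                and r.ext_port == dst_port and proto in r.protos):
            return r
    return None


def tcp_only_ports(rules: List[Rdr]) -> List[int]:
    """External ports whose rdr rule silently covers TCP only."""
    return sorted(r.ext_port for r in rules if r.protos == frozenset({"tcp"}))


if __name__ == "__main__":
    rules = parse_rdr_rules(IPNAT_CONF)
    # Outside client, packet arrives on sis0: redirected to the web server.
    print(match_rdr(rules, "sis0", "22.22.22.22", 80, "tcp"))
    # LAN host 192.168.1.105 to the same address: the packet enters on the
    # inside interface (assumed name fxp0), so the sis0 rules never apply.
    print(match_rdr(rules, "fxp0", "22.22.22.22", 80, "tcp"))
    # UDP DNS on sis0: the port-53 rule has no udp keyword, so no match.
    print(match_rdr(rules, "sis0", "22.22.22.22", 53, "udp"))
    print("tcp-only redirects:", tcp_only_ports(rules))
```

The matcher is deliberately minimal (no state table, no map handling), but it is enough to make the two misses visible before anyone edits the live ruleset; the same parser can be pointed at a real ipnat.conf to list which published services have no udp coverage.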