From: "Kirill Ponazdyr" <lists@codeangels.com>
To: freebsd-questions@freebsd.org
Date: Fri, 28 Feb 2003 23:59:22 +0100 (CET)
Subject: FreeBSD 4.6 and funky IPF/IPNat problem.

Hi,

We have a quite weird problem which I would like to find an answer for. Here is a schema of the network:

                 <---- Internet ---->
                          |
                         !1
                     Firewall A
                     !2      !3
    <----- Intranet segment 1 ----->   |
          |              |             |
       Host A         Host B   Leased Line/IPSec Tunnel
                                       |
                                      !1
                                  Firewall B
                                      !2
                                       |
                 <----- Intranet Segment 2 ----->
                                |
                             Host C

Firewalls A/B and Host B are running FreeBSD 4.6.
Host C is a dual boot machine with FreeBSD 4.6 and W2K.

Firewall A performs IPNat for all "inside" packets leaving through the "outside" !1 interface. The ipnat statement is:

    map dc0 from 192.168.0.0/16 to any -> 0/32

What works:

    Host B (Any OS) -> Host A
    Host C (NT)     -> Host A

What does not work:

    Host C (FreeBSD) -> Host A

After a period of testing I have found out that for some unknown reason IPNat on Firewall A will flatly refuse to NAT packets which come from the IPSec Tunnel and go to the Internet if the communicating host is FreeBSD. Not only that, but IPFilter will also fail to keep state of those connections which went through it.

This is even more confusing because we use DHCP on Segment 2 and it delivers the same IP to Host C regardless of its OS. When it is NT, everything works like a charm, but when it is FreeBSD connections fail.

This is a really funky problem I have no explanation for. Has anyone ever seen something like that before?

To add more to the confusion: we also have an IRIX host on Segment 2 and its packets get natted without any problems.
Best Regards
Kirill
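A small matcher for the ipnat "map" rule quoted in the post, added here as an example and not part of the original message or of IPFilter itself. It implements only the rule subset the post uses (map <if> from <net> to <net> -> <addr>) and answers the first question a practitioner would rule out: do the rule's address selectors actually cover every host involved? The host and destination addresses below are constructed for illustration; the post gives none.

```python
"""Minimal matcher for an IPFilter/ipnat 'map' rule.

Added example, not code from the mailing-list post or from IPFilter.
Supported syntax (the subset used in the post):

    map <ifname> from <src-net> to <dst-net> -> <translate-addr>

Host and destination addresses used in check_hosts() are constructed.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s*->\s*(?P<tgt>\S+)$"
)

# The rule quoted in the post.
POST_RULE = "map dc0 from 192.168.0.0/16 to any -> 0/32"


def _parse_net(tok):
    """Turn an ipnat address token into an ip_network.

    'any' means every address. A bare address gets a /32 mask.
    """
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" not in tok:
        tok += "/32"
    return ipaddress.ip_network(tok, strict=False)


def parse_map_rule(text):
    """Parse one 'map' rule into its interface, selectors and target.

    In ipnat, a target of 0/32 means 'use the address of the interface
    the packet leaves on'; it is recorded as use_interface_addr.
    """
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % text)
    tgt = m.group("tgt")
    return {
        "ifname": m.group("ifname"),
        "src": _parse_net(m.group("src")),
        "dst": _parse_net(m.group("dst")),
        "target": tgt,
        "use_interface_addr": tgt in ("0/32", "0.0.0.0/32"),
    }


def rule_matches(rule, out_ifname, src_ip, dst_ip):
    """True if a packet leaving out_ifname from src_ip to dst_ip is
    selected by the rule's interface and address selectors."""
    return (rule["ifname"] == out_ifname
            and ipaddress.ip_address(src_ip) in rule["src"]
            and ipaddress.ip_address(dst_ip) in rule["dst"])


def check_hosts(rule_text=POST_RULE, out_ifname="dc0", dst_ip="198.51.100.1"):
    """Evaluate the rule for constructed hosts on both intranet segments.

    Addresses are assumptions: the post only says both segments fall
    inside 192.168.0.0/16 and that dst_ip is an Internet host.
    """
    rule = parse_map_rule(rule_text)
    hosts = {
        "Host B (segment 1)": "192.168.1.10",
        "Host C (segment 2, any OS)": "192.168.2.20",
        "IRIX host (segment 2)": "192.168.2.30",
        "Non-RFC1918 source": "10.0.0.5",
    }
    return {name: rule_matches(rule, out_ifname, ip, dst_ip)
            for name, ip in hosts.items()}


if __name__ == "__main__":
    for name, ok in check_hosts().items():
        print("%-28s %s" % (name, "NAT" if ok else "no match"))
```

Every 192.168.x.y source is selected by the rule regardless of the operating system behind it, so the selectors cannot be what distinguishes Host C under FreeBSD from Host C under NT; whatever differs has to be in the packets themselves, which is where a capture on the inside and outside interfaces of Firewall A would be the next thing to compare.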