From owner-freebsd-pf@FreeBSD.ORG Wed Oct 18 09:49:10 2006
Message-ID: <6a7033710610180249se539921m3a753b46a90fb962@mail.gmail.com>
Date: Wed, 18 Oct 2006 17:49:08 +0800
From: "Tz-Huan Huang"
Reply-To: tzhuan@csie.org
To: freebsd-pf@freebsd.org
Subject: Question about binat and nat in the same domain
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

There is a FreeBSD box running pf as a firewall.
There are two types of internal computers. One type is for servers -- they are set to fixed IPs (int_server_ipN) and mapped to external IPs (ext_server_ipN) using binat. The other type is for clients -- they get IPs from the DHCP server dynamically. The IPs of servers and clients are in the same domain.

Following is the pf.conf:

    binat on $ext_if from $int_server_ip1 to any -> $ext_server_ip1
    binat on $ext_if from $int_server_ip2 to any -> $ext_server_ip2
    binat on $ext_if from $int_server_ip3 to any -> $ext_server_ip3
    ...
    nat on $ext_if from $int_if:network to any -> $ext_ip
    pass quick all keep state

and I use ``arp -s [ext ip] [mac] pub'' to bind $ext_server_ips on $ext_if.

Basically everything is right: the internal servers serve as if they were external, and all clients can reach the internet well.

The problem is: clients cannot connect to servers via external IPs. For example, "ping $ext_server_ip1" on one client gets no response. tcpdump gets the following log:

    17:16:43.005360 IP $client_ip > $ext_server_ip1: ICMP echo request, id 768, seq 61440, length 40
    17:16:43.005430 IP $ext_ip > $int_server_ip1: ICMP echo request, id 59065, seq 61440, length 40
    17:16:43.005732 IP $int_server_ip1 > $ext_ip: ICMP echo reply, id 59065, seq 61440, length 40
    17:16:48.506471 IP $client_ip > $ext_server_ip1: ICMP echo request, id 768, seq 61696, length 40
    17:16:48.506531 IP $ext_ip > $int_server_ip1: ICMP echo request, id 59065, seq 61696, length 40
    17:16:48.506719 IP $int_server_ip1 > $ext_ip: ICMP echo reply, id 59065, seq 61696, length 40
    ...

The strange thing is that the firewall doesn't translate the echo reply to $client_ip.

What's the problem? Is anything wrong in my configuration?

Thanks very much for your help.

tzhuan
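The trace above is the classic "reflection" (hairpin NAT) case: the client's request is translated by the rules on $ext_if, but the server's reply is addressed to $ext_ip, one of the firewall's own addresses, and is consumed locally on $int_if instead of passing back out through $ext_if where the reverse translation lives. The pf FAQ's usual answer is to translate such traffic on the internal interface so that both directions pass through the firewall on $int_if. The fragment below is an added example and not part of the original post or of the poster's configuration; it reuses the poster's macro names ($int_if, $ext_if, $int_server_ip1, $ext_server_ip1, $ext_ip) and the added rdr/nat pair is an assumption about the fix, shown for one server only.

```pf
# Added example, not from the original post.  Macro names follow the
# poster's; the two rules on $int_if are the assumed reflection fix.

# --- translation rules as in the original configuration -------------
binat on $ext_if from $int_server_ip1 to any -> $ext_server_ip1
nat   on $ext_if from $int_if:network to any -> $ext_ip

# --- added: clients on $int_if reaching the server by its external IP ---
# 1. Inbound on the internal interface, rewrite the destination to the
#    server's internal address before routing, so the packet is never
#    routed out (and proxy-ARPed back in) through $ext_if.
rdr on $int_if from $int_if:network to $ext_server_ip1 -> $int_server_ip1

# 2. Outbound on the same interface, rewrite the client's source to the
#    firewall's internal address.  Without this the server, sitting on the
#    same subnet as the client, would answer the client directly, and the
#    client would discard a reply from an address it never sent to.
nat on $int_if from $int_if:network to $int_server_ip1 -> $int_if

pass quick all keep state
```

Repeat the rdr/nat pair for each binat'd server (or put the pairs in a table). The FAQ also recommends split DNS, with internal clients resolving the servers' names to their internal addresses, as the simpler alternative when the clients reach the servers by name rather than by literal external IP.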