Date: Tue, 13 May 1997 13:04:14 -0700
From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: jkh@time.cdrom.com
Subject: Proxy arp with NAT and ip-filter
Message-ID: <199705132004.NAA20152@titon.bloom-county>
Resent-Message-ID: <10248.863557405@time.cdrom.com>
I have a strange setup (maybe not)... I have three high speed interfaces on a Sparc Enterprise 6000 (hme0,1,2)... Hme0&1 are hooked to a PRIVATE subnet:

    hme0 - 192.168.10.0 - 255.255.255.0 (PRIVATE)
    hme1 - 192.168.20.0 - 255.255.255.0 (PRIVATE)
    hme2 - 134.52.23.0  - 255.255.255.0 (PUBLIC)

The PUBLIC interface is NOT the internet, it's Boeing's internal INTRAnet...

I set up NAT so that a node under hme0, say 192.168.10.104, ALSO has a public address like 134.52.23.129... SO, in ipnat.conf I have:

ipnat.conf:
----------
map hme2 192.168.10.103/32 -> 134.52.23.129/32

ipf.conf:
---------
pass in proto ip all
pass in proto icmp all
pass in proto ggp all
pass in proto tcp all
pass in proto egp all
pass in proto pup all
pass in proto udp all
pass in proto hmp all
pass in proto xns-idp all
pass in proto rdp all

In other words... Let EVERYTHING in!

I'm also doing a proxy arp (in.arpd is running) using:

    arp -s 134.52.23.129 8:0:20:80:3c:36 pub

The ether address is that of the Enterprise. The public IP of the Enterprise is 134.52.23.137... Here is my ifconfig -a:

enterprise{root}(/etc/opt/CYBSipf) 59: ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.168.10.1 netmask ffffff00 broadcast 192.168.10.255
        ether 8:0:20:80:3c:36
hme1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 192.168.20.1 netmask ffffff00 broadcast 192.168.20.255
        ether 8:0:20:80:3c:36
hme2: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet 134.52.23.137 netmask ffffff00 broadcast 134.52.23.255
        ether 8:0:20:80:3c:36
enterprise{root}(/etc/opt/CYBSipf)

With the above, EVERYTHING works perfectly (almost)... I can ping, telnet, from the 192.168.10.103 node and all IP traffic coming out of the Enterprise's hme2 interface is mapped correctly.

As long as the 192.168.10.103 INITIATES traffic, other PUBLIC nodes can respond directly to the 192.168.10.103 using its public 134.52.23.129 address... However, if a PUBLIC node INITIATES traffic to the private node using its public address (134.52.23.129), nothing works. Seems like whenever the active socket is closed (i.e. ipnat -l) it won't work.

I KNOW that the proxy arp is working, because if I'm on a public node (on the 134.52.23 subnet), and do:

    traceroute 134.52.23.129

the Enterprise is answering and trying to service forward the connection. I have in.routed -s running on the Enterprise (even tried to turn it off) and I have ip_forwarding turned on. I even opened up the ipf.conf file to everything (as shown above)...

I'm not part of this list (yet), although I thought I submitted it a long time ago... Please respond directly. Any suggestions would be welcome!!!

Thanks in advance.

Mike Zakharoff
Boeing Defense & Space Group
zak@cutter.ds.boeing.com
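Added illustration, not part of Mike's message or of IP Filter's code: a small Python model of what the `map` rule above does with the addresses from the message. It shows why a flow that 192.168.10.103 initiates is translated in both directions until its entry goes away, while a flow a public node initiates toward 134.52.23.129 finds no entry and is never delivered, and contrasts that with a static bidirectional mapping of the kind IP Filter's `bimap` rule provides. The peer address and the port numbers are constructed.

```python
# Constructed model of an ipnat "map" rule; addresses are from the message.
PRIVATE = "192.168.10.103"   # node behind hme0
PUBLIC = "134.52.23.129"     # address the Enterprise proxy-ARPs for it
PEER = "134.52.23.50"        # constructed: some other host on the intranet

class MapNat:
    """Models 'map hme2 192.168.10.103/32 -> 134.52.23.129/32'.

    A map rule creates a translation entry only when an OUTBOUND packet
    matches it; an inbound packet is translated only if a live entry
    exists for it (what 'ipnat -l' lists). With static=True the object
    instead behaves like a fixed bidirectional mapping (bimap-style).
    Packets are (src, sport, dst, dport) tuples; no port rewriting.
    """

    def __init__(self, static=False):
        self.static = static
        self.table = {}  # (peer, peer_port, public_port) -> private_port

    def outbound(self, pkt):
        """Packet leaving hme2: rewrite the private source, record entry."""
        src, sport, dst, dport = pkt
        if src != PRIVATE:
            return pkt
        self.table[(dst, dport, sport)] = sport
        return (PUBLIC, sport, dst, dport)

    def inbound(self, pkt):
        """Packet arriving on hme2 for the public address.

        Returns the rewritten packet, or None when no entry matches:
        the Enterprise accepted the frame (proxy ARP) but has nowhere
        to send it, which is exactly the inbound-initiated failure.
        """
        src, sport, dst, dport = pkt
        if dst != PUBLIC:
            return pkt
        if self.static or (src, sport, dport) in self.table:
            return (src, sport, PRIVATE, dport)
        return None

    def close(self, pkt):
        """Session finished: the dynamic entry disappears."""
        src, sport, dst, dport = pkt
        self.table.pop((dst, dport, sport), None)
```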
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199705132004.NAA20152>