From owner-freebsd-net@FreeBSD.ORG Wed Dec 15 18:11:01 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 898DC16A4CE for ; Wed, 15 Dec 2004 18:11:01 +0000 (GMT)
Received: from hotmail.com (bay103-dav9.bay103.hotmail.com [65.54.174.81]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1D67F43D5A for ; Wed, 15 Dec 2004 18:11:01 +0000 (GMT) (envelope-from zeno_lee@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 15 Dec 2004 10:11:00 -0800
Message-ID:
Received: from 68.236.191.168 by BAY103-DAV9.phx.gbl with DAV; Wed, 15 Dec 2004 18:10:22 +0000
X-Originating-IP: [68.236.191.168]
X-Originating-Email: [zeno_lee@hotmail.com]
X-Sender: zeno_lee@hotmail.com
From: "Zeno Lee"
To:
Date: Wed, 15 Dec 2004 13:10:21 -0500
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-OriginalArrivalTime: 15 Dec 2004 18:11:00.0563 (UTC) FILETIME=[6EA5FA30:01C4E2D1]
Subject: NAT works but port redirection does not work on IPNAT and PF
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 15 Dec 2004 18:11:01 -0000

It seems I somehow didn't set up my FreeBSD gateway properly. I am trying to use my FreeBSD server as a NAT with port redirection. NAT works fine, but when I use port redirection to redirect requests from my external interface em0 (160.79.174.98:80), the request makes it to my internal web server 192.168.1.54 but the response is not being returned back out to the requester. I've tried both PF and IPFILTER and they both have the same issue.
Here is my setup:

    Internet ----- 24.215.185.142 (External web requester)
       |
       |
     em0 (160.79.174.98/29)
     FreeBSD 5.3 STABLE (PF, ALTQ compiled, gateway_enabled)
     em1 (192.168.1.55/24)
       |
       |
     LAN -- Web Server (192.168.1.54)
       |
       |---- NAT client (192.168.1.100) access internet fine

I've done the dumps and

    # tcpdump -n -i em0 dst host 160.79.174.98 and tcp dst port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    12:51:57.118746 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535
    12:52:00.153017 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535
    12:52:06.167832 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535

    # tcpdump -n -i em1 host 192.168.1.54
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
    12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
    12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
    12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
    12:52:06.167855 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535

I don't think my port forwarding setup in IPFILTER or PF is the cause, but I've listed it just in case.

/etc/pf.conf

    nat on em0 from em1:network to any -> (em0)
    rdr on em0 proto tcp from any to em0 port 80 -> 192.168.1.54 port 80

My IPFILTER rule is just as simple.

/etc/ipnat.conf

    map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
    rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80

    # ipnat -l
    List of active MAP/Redirect filters:
    rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80 tcp
    map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto

    List of active sessions:
    RDR 192.168.1.54 80 <- -> 160.79.174.98 80 [24.215.185.142 1332]
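The two captures above are the kind of evidence a gateway operator collects when an rdr rule forwards packets in but no replies come back out. As an added example (not part of the original post or of PF/IPFilter), the following Python script automates the two checks a practitioner would make on such captures: it parses the tcpdump text format shown in the post and reports (a) client SYNs on an interface that never see any packet back in the reverse direction, and (b) inner hosts that received forwarded traffic but ARP for a next hop other than the NAT box's inner address. The sample dumps are constructed to match the post's output, and the NAT box's inner address 192.168.1.55 is taken from the diagram; the regexes assume the classic tcpdump 3.x line format ("IP a.b.c.d.port > e.f.g.h.port: S ..." and "arp who-has X tell Y").

```python
"""Find one-way TCP flows and off-box next hops in tcpdump text output.

Added troubleshooting example for the rdr/NAT question above; not code from
the post, PF or IPFilter. Assumes tcpdump 3.x text format and that the NAT
box's inner (LAN-side) address is 192.168.1.55 as in the post's diagram.
"""
import re
from collections import defaultdict

# Constructed sample input, shaped like the dumps in the post (outer em0, inner em1).
EM0_DUMP = """\
12:51:57.118746 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535
12:52:00.153017 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535
12:52:06.167832 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535
"""
EM1_DUMP = """\
12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
12:52:06.167855 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
"""

# "12:51:57.118746 IP 24.215.185.142.1343 > 160.79.174.98.80: S ..." -> src/sport/dst/dport/flags
TCP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFRP.]+)"
)
# "12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54" -> (sender, target)
ARP_RE = re.compile(r"^\S+ arp who-has (?P<target>\S+) tell (?P<sender>\S+)")


def parse_dump(text):
    """Return (tcp_packets, arp_requests) parsed from tcpdump text output."""
    tcp, arp = [], []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            tcp.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
            continue
        m = ARP_RE.match(line)
        if m:
            arp.append((m["sender"], m["target"]))
    return tcp, arp


def unanswered_flows(tcp):
    """Flows that carry only bare client SYNs ('S') and never see a packet back.

    Returns a sorted list of (src, sport, dst, dport, syn_count). Repeated SYNs
    with nothing in the reverse direction are the signature of a broken return path.
    """
    syns = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in tcp:
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        else:
            # Any other packet (S., ., P., F., R) from the peer answers the SYN whose
            # 4-tuple is the reverse of this packet's 4-tuple.
            answered.add((dst, dport, src, sport))
    return sorted(key + (count,) for key, count in syns.items() if key not in answered)


def gateway_mismatches(arp, tcp, nat_inner_addr):
    """Inner hosts that received forwarded traffic but ARP for a next hop that is
    not the NAT box. Returns a sorted list of (host, arp_target).

    A host whose next hop for the external client is some other router sends its
    replies around the NAT box, so the translation is never undone on the way out.
    """
    forwarded_to = {dst for _, _, dst, _, _ in tcp}
    return sorted(
        {(sender, target) for sender, target in arp
         if sender in forwarded_to and target != nat_inner_addr}
    )


def analyze(outer_text, inner_text, nat_inner_addr="192.168.1.55"):
    """Run both checks over the outer-interface and inner-interface captures."""
    outer_tcp, _ = parse_dump(outer_text)
    inner_tcp, inner_arp = parse_dump(inner_text)
    return {
        "outer_unanswered": unanswered_flows(outer_tcp),
        "inner_unanswered": unanswered_flows(inner_tcp),
        "gateway_mismatch": gateway_mismatches(inner_arp, inner_tcp, nat_inner_addr),
    }


if __name__ == "__main__":
    for check, rows in analyze(EM0_DUMP, EM1_DUMP).items():
        print(check)
        for row in rows:
            print("   ", row)
```

Run against the post's captures, the script reports the same 3-SYN flow as unanswered on both em0 and em1, and flags 192.168.1.54 ARPing for 192.168.1.1 rather than 192.168.1.55. The second finding is a hint, not proof: it says the web server resolves a next hop other than the NAT box, which is what a gateway operator checks next (the server's default route and whether the NAT box's inner address is that route) before touching the rdr rules, which the active-sessions output shows are already matching.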