From owner-freebsd-net@FreeBSD.ORG Wed Dec 15 18:18:06 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB7D616A4CF for ; Wed, 15 Dec 2004 18:18:05 +0000 (GMT)
Received: from mail.star-sw.com (mail.star-sw.com [217.195.82.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9869C43D62 for ; Wed, 15 Dec 2004 18:18:04 +0000 (GMT) (envelope-from nkritsky@star-sw.com)
Received: from ARGON.star-sw.com (argon.star-sw.com [217.195.82.10]) by mail.star-sw.com (8.12.11/8.12.11) with ESMTP id iBFII3oA074434; Wed, 15 Dec 2004 21:18:03 +0300 (MSK)
Received: from ibmka.star-sw.com ([192.168.32.230]) by ARGON.star-sw.com with Microsoft SMTPSVC(5.0.2195.5329); Wed, 15 Dec 2004 21:18:03 +0300
Date: Wed, 15 Dec 2004 21:18:07 +0300
From: "Nickolay A. Kritsky"
X-Mailer: The Bat! (v1.49) Personal
X-Priority: 3 (Normal)
Message-ID: <881219348812.20041215211807@star-sw.com>
To: "Zeno Lee"
In-reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 15 Dec 2004 18:18:03.0879 (UTC) FILETIME=[6AF6DF70:01C4E2D2]
cc: freebsd-net@freebsd.org
Subject: Re: NAT works but port redirection does not work on IPNAT and PF
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Nickolay A. Kritsky"
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 15 Dec 2004 18:18:06 -0000

Hello Zeno,

Check your default gateway on 192.168.1.54. It seems to be 192.168.1.1
instead of 192.168.168.55:

12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54

Wednesday, December 15, 2004, 9:10:21 PM, Zeno Lee wrote:

ZL> It seems I somehow didn't set up my freebsd gateway properly. I am
ZL> trying to use my FreeBSD server as a NAT with port redirection. NAT works
ZL> fine, but when I use port redirection to redirect requests from my external
ZL> interface em0 160.79.174.98:80 the request makes it to my internal web
ZL> server 192.168.1.54 but the response is not being returned back out to the
ZL> requester. I've tried both PF and IPFILTER and they both have the same
ZL> issue.
ZL>
ZL> Here is my setup:
ZL>
ZL> Internet ----- 24.215.185.142 (External web requester)
ZL>                   |
ZL>                   |
ZL>           em0 (160.79.174.98/29)
ZL>   FreeBSD 5.3 STABLE (PF, ALTQ compiled, gateway_enabled)
ZL>           em1 (192.168.1.55/24)
ZL>                   |
ZL>                   |
ZL> LAN -- Web Server (192.168.1.54)
ZL>  |
ZL>  |---- NAT client (192.168.1.100) access internet fine
ZL>
ZL> I've done the dumps and
ZL>
ZL> # tcpdump -n -i em0 dst host 160.79.174.98 and tcp dst port 80
ZL> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
ZL> listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
ZL> 12:51:57.118746 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535
ZL> 12:52:00.153017 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535
ZL> 12:52:06.167832 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535
ZL>
ZL> # tcpdump -n -i em1 host 192.168.1.54
ZL> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
ZL> listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
ZL> 12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
ZL> 12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
ZL> 12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
ZL> 12:52:06.167855 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
ZL>
ZL> I don't think my port forwarding setup in IPFILTER nor PF is the cause but
ZL> I've listed it just in case.
ZL>
ZL> /etc/pf.conf
ZL> nat on em0 from em1:network to any -> (em0)
ZL> rdr on em0 proto tcp from any to em0 port 80 -> 192.168.1.54 port 80
ZL>
ZL> My IPFILTER rule is just as simple
ZL>
ZL> /etc/ipnat.conf
ZL> map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
ZL> rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80
ZL>
ZL> # ipnat -l
ZL> List of active MAP/Redirect filters:
ZL> rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80 tcp
ZL> map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
ZL>
ZL> List of active sessions:
ZL> RDR 192.168.1.54 80 <- -> 160.79.174.98 80 [24.215.185.142 1332]
ZL>
ZL> _______________________________________________
ZL> freebsd-net@freebsd.org mailing list
ZL> http://lists.freebsd.org/mailman/listinfo/freebsd-net
ZL> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Best regards,
 Nickolay A. Kritsky
 SysAdmin STAR Software LLC
 mailto:nkritsky@star-sw.com
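The diagnosis in the reply rests on two things visible in the em1 capture: the web server receives the redirected SYNs but never answers on that interface, and the one ARP request it sends is for 192.168.1.1 rather than the NAT box's inside address 192.168.1.55. That combination means the return path bypasses the NAT/state table, so the rdr session in ipnat's list never completes. The script below is an added example written for this page; it is not part of the thread or of FreeBSD. It runs the same two checks over the em1 tcpdump lines quoted in the post, plus a constructed capture (HEALTHY_CAPTURE, not from the post) showing what a correct return path looks like. The server and NAT-inside addresses are taken from the post; the line format assumed is plain `tcpdump -n` output as shown there.

```python
import re

# Addresses from the post: the NAT box's inside interface (em1) and the
# web server that the rdr rule points at.
NAT_INSIDE = "192.168.1.55"
WEB_SERVER = "192.168.1.54"

# tcpdump -n -i em1 output, copied from Zeno's post.
EM1_CAPTURE = """\
12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
12:52:06.167855 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
""".splitlines()

# Constructed capture (not from the post) of a working setup: the server
# ARPs for the NAT box and its SYN-ACK comes back out on em1.
HEALTHY_CAPTURE = """\
12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535
12:51:57.118900 arp who-has 192.168.1.55 tell 192.168.1.54
12:51:57.118950 arp reply 192.168.1.55 is-at 00:00:00:00:00:01
12:51:57.119100 IP 192.168.1.54.80 > 24.215.185.142.1343: S 1000:1000(0) ack 2887552007 win 65535
""".splitlines()

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<ts> IP src.sport > dst.dport: <flags> ..." as printed by tcpdump -n
IP_LINE = re.compile(
    rf"^\S+ IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): (?P<flags>\S+)"
)
# "<ts> arp who-has <target> tell <sender>"
ARP_LINE = re.compile(rf"^\S+ arp who-has (?P<target>{IPV4}) tell (?P<sender>{IPV4})")


def analyze(lines, server=WEB_SERVER, nat_inside=NAT_INSIDE, port="80"):
    """Count redirected SYNs reaching the server, replies it sends back on
    this interface, and the gateways it ARPs for; report the mismatch."""
    inbound_syns = 0
    server_replies = 0
    arp_targets = set()

    for line in lines:
        m = IP_LINE.match(line)
        if m:
            if m["dst"] == server and m["dport"] == port and m["flags"].startswith("S"):
                inbound_syns += 1          # redirected SYN delivered to the server
            elif m["src"] == server and m["sport"] == port:
                server_replies += 1        # return traffic seen on the NAT box
            continue
        m = ARP_LINE.match(line)
        if m and m["sender"] == server:
            arp_targets.add(m["target"])   # who the server thinks its next hop is

    findings = []
    if inbound_syns and not server_replies:
        findings.append(
            f"{server} received {inbound_syns} SYN(s) on port {port} "
            f"but sent nothing back through this interface"
        )
    for gw in sorted(arp_targets - {nat_inside}):
        findings.append(
            f"{server} ARPs for {gw}, not the NAT box {nat_inside}: "
            f"its default route bypasses the NAT state table"
        )
    return {
        "inbound_syns": inbound_syns,
        "server_replies": server_replies,
        "arp_targets": arp_targets,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, capture in (("em1 (from post)", EM1_CAPTURE), ("healthy (constructed)", HEALTHY_CAPTURE)):
        result = analyze(capture)
        print(f"{name}: {result['inbound_syns']} SYN(s) in, {result['server_replies']} reply(ies) out")
        for finding in result["findings"] or ["no problem found"]:
            print("  -", finding)
```

Run against the post's capture it reports both findings; against the constructed healthy capture it reports none. The same check is worth keeping in mind whenever a host behind a stateful NAT or firewall has a second exit path: replies that leave by that path never pass the state table, so the redirect appears to "half work" exactly as in this thread, and any stateful filtering on the return direction is silently skipped.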