Date:      Tue, 23 Aug 2011 11:06:54 +0430
From:      Sara Khanchi <s.khanchi@gmail.com>
To:        olli hauer <ohauer@gmx.de>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: problem with setting nat
Message-ID:  <CAARSjE31vX4NW80nsHgaTBFD84YoOYL=shPY_3oUNkVBCvGxbA@mail.gmail.com>
In-Reply-To: <4E533FB4.5050403@gmx.de>
References:  <CAARSjE09vm3yvevBhhdK_6XrRpnKD5cwgnZJPVjVTsH=03JCsg@mail.gmail.com> <4E510AF8.9090009@gmx.de> <CAARSjE2uxqzqr97Y1w%2B0tf5B0ZaMFHTRXRMMCoWwjvfVz67_%2Bg@mail.gmail.com> <4E533FB4.5050403@gmx.de>

On Tue, Aug 23, 2011 at 10:20 AM, olli hauer <ohauer@gmx.de> wrote:

> On 2011-08-23 07:10, Sara Khanchi wrote:
> > On Sun, Aug 21, 2011 at 6:11 PM, olli hauer <ohauer@gmx.de> wrote:
> >
> >> On 2011-08-21 09:48, h bagade wrote:
> >>> Hi all,
> >>>
> >>> I am trying to use pf nat rules with pool support on FreeBSD 8.0, working
> >>> together with ipfw as the main firewall. According to the natting concepts I
> >>> faced in manuals and docs, the nat concept is to map the source address to
> >>> the natted address when sending the packets from that source and then map
> >>> the destination address of the related reply packets.
> >>>
> >>> But when I define pf nat rules with a pool of IP addresses not available on
> >>> the outside interface ip addresses, the outgoing traffic is natted to one of
> >>> the pool addresses but the response is not received via that interface so
> >>> the pf can map the destination address to the real one. Here is one of my
> >>> configs I used during my tests:
> >>>
> >>> *configurations:*
> >>> *pf.conf:*
> >>> nat on eth1 from { 11.11.11.0/24} to any ->
> >>> {172.16.10.1,172.16.10.2,172.16.10.3,172.16.10.4,172.16.10.5,172.16.10.6,172.16.10.7,172.16.10.8,172.16.10.9,172.16.10.10}
> >>>
> >>> main system configurations:
> >>> eth0: 11.11.11.1
> >>> eth1: 172.16.10.64
> >>>
> >>> system A: directly connected to eth0 - 11.11.11.11
> >>> system B: directly connected to eth1 - 172.16.10.65
> >>>
> >>> In this config the default route of system A and system B is the middle
> >>> system's connected ip address.
> >>>
> >>> As mentioned, when system A pings system B, the ping requests are natted to
> >>> 172.16.10.1 and received at system B, but system B doesn't send icmp replies
> >>> because it doesn't know to whom it should send the replies (no answer to
> >>> system B's ARP requests about who has the natted IP).
> >>>
> >>> Now my question is, isn't it the pf nat responsibility to manage this
> >>> condition and send the ARP replies to system B?
> >>> Or are my configs wrong?
> >>> Or did I misunderstand the nat concepts?
> >>>
> >>> Any ideas or help are really appreciated as I have to set this nat on my
> >>> main system, asap.
> >>> Thanks in advance.
> >>
> >>
> >> Nothing magic,
> >>
> >> Professional firewall products do mostly offer to create an automatic
> >> proxy arp or do this without your notice.
> >>
> >> The better way is to create a route on the upstream router; this way
> >> you get all the traffic without silly arp broadcasts.
> >>
> >> The following route on the peer should solve your problem
> >>  route add -net 172.16.10.1 gw 172.16.10.65 netmask 255.255.255.192
> >>
> >>
> >>
> > Defining a route is not a proper way to handle this situation. I want to
> > set up a nat router which everyone works with without needing to adjust
> > additional configurations on their system, and which works the way cisco does.
> > What should be done exactly to simulate cisco? Is there any way to proxy
> > arp? Does ipfw support proxy arp?
>
>
> Hi Sara,
>
> ipfw even does not do proxy arp.
>
> If I read your top right it looks like this
>
> lan(11.11.11.0/24) --|switch|-- |(.??) gw (.65)| --|switch|--
> upstream(172.16.10.x/xx)
>
> Even with cisco as gw or router I place a static route to the upstream or
> if can not control the upstream device to the switch between gw and
> upstream.
> I think last time I used proxy arp is now 10 years ago, reason I'm not
> target for arp spoofing on this site of my equipment.
> Think about the case where you route some public class C networks then arp
> is really unproductive.
>
> --
> olli
>

The topology is like this:

lan(11.11.11.0/24) --|switch|-- |(.1) gw (.64)| --|switch|--
upstream(172.16.10.x/16)
nat pool address: 172.16.10.1-172.16.10.63
The nat pool addresses are on the same network as the upstream device.

Maybe I don't understand you well. In your first post you've mentioned that
I should define a static route on the upstream device so it would send packets
destined for the natted address to the gw. In this post you've talked about
defining a static route on the gw to the upstream? Could you explain your
suggestion of using static routes instead of the proxy-arp solution in more detail?

However, in the above topology, there is no need to define a static route on
the upstream device (they are on the same network) in normal conditions, so it
should be applicable when nat is used on the gw, right? What's the solution
then?
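The reachability problem the thread is circling around can be checked mechanically: for every address in a pf nat pool, return traffic only reaches the gateway if the gateway owns the address (its kernel answers ARP), if the address is on the upstream segment and someone publishes an ARP entry for it, or if the address is off-segment and the upstream router has a route for it. The script below is an added example written for this page; it is not pf code and not from any poster. The rule and addresses are the ones quoted in the thread (the pool shortened to three members), the gateway's external prefix is taken as 172.16.10.64/16 from the last message, and the function names and classification labels are this example's own.

```python
"""Sanity-check a pf nat pool against the gateway's external interface.

Added example for this thread, not pf code and not from any poster.  The
rule and the addresses are those quoted in the thread; the gateway's
external prefix is assumed to be 172.16.10.64/16 as the last message states.
"""
import ipaddress

# Constructed from the thread: gw eth1 address on the /16 upstream segment.
GW_EXTERNAL_IFACE = ipaddress.ip_interface("172.16.10.64/16")
# The pool rule from the first post, shortened to three pool members.
PF_NAT_RULE = ("nat on eth1 from { 11.11.11.0/24 } to any -> "
               "{ 172.16.10.1, 172.16.10.2, 172.16.10.3 }")


def parse_nat_pool(rule):
    """Return the translation addresses of a 'nat ... -> pool' line.

    Accepts a single address or prefix and a brace-enclosed list; trailing
    pool options such as 'round-robin' are ignored.  Tables ('<name>') are
    not handled by this example.
    """
    _, arrow, pool = rule.partition("->")
    if not arrow:
        raise ValueError("not a translation rule: %r" % rule)
    pool = pool.strip()
    if pool.startswith("{"):
        items = pool[1:pool.index("}")].split(",")
    else:
        items = [pool.split()[0]]
    addrs = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            # A prefix expands to its host addresses, the set pf cycles through.
            addrs.extend(ipaddress.ip_network(item, strict=False).hosts())
        else:
            addrs.append(ipaddress.ip_address(item))
    return addrs


def classify_pool_address(addr, gw_iface, local_addrs):
    """Say how return traffic for one pool address can reach the gateway.

    'local'     : configured on the gateway, so its kernel answers ARP for it.
    'proxy-arp' : inside the upstream segment but configured nowhere; the
                  upstream's ARP request goes unanswered and replies are
                  dropped (the symptom in the first post).  The gateway must
                  publish a proxy ARP entry or carry the address as an alias.
    'route'     : outside the upstream segment; the upstream router needs a
                  static route for it via the gateway, as olli suggested.
    """
    if addr in local_addrs:
        return "local"
    if addr in gw_iface.network:
        return "proxy-arp"
    return "route"


def audit_nat_pool(rule, gw_iface, extra_local=()):
    """Map every pool address of `rule` to its classification.

    `extra_local` lists further addresses configured on the gateway (aliases).
    """
    local_addrs = {gw_iface.ip, *map(ipaddress.ip_address, extra_local)}
    return {addr: classify_pool_address(addr, gw_iface, local_addrs)
            for addr in parse_nat_pool(rule)}


if __name__ == "__main__":
    for addr, verdict in audit_nat_pool(PF_NAT_RULE, GW_EXTERNAL_IFACE).items():
        print("%-16s %s" % (addr, verdict))
```

Run against the thread's own numbers, every pool member comes back as 'proxy-arp': with a /16 upstream segment the pool 172.16.10.1-63 shares the upstream's network, so a static route on the upstream router has nothing to add, and only an ARP answer from the gateway (a published entry, or aliasing the pool addresses onto eth1) makes the replies come back.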


