Date:      Tue, 03 Jan 2012 15:40:11 +0900
From:      Randy Bush <randy@psg.com>
To:        freebsd-net <freebsd-net@FreeBSD.org>
Subject:   how to debug non-working hole in nat
Message-ID:  <m239bx47ck.wl%randy@psg.com>

FreeBSD gate0.psg.com 8.2-STABLE FreeBSD 8.2-STABLE #8: Sat Dec 24 13:39:45 GMT 2011     root@gate0.psg.com:/usr/obj/usr/src/sys/GATE0  i386

i have a working natd setup and am trying to punch a hole in it for ssh
to an internal host.
                   .------------------------------.
                   |                              |
                   |                     b --wlan0|
                   |                     r        | 192.168.0.0/24
        WAN IIJ    |                     i --- vr1| LAN hosts,
        PPP/NAT ---|vr0[PPPoE][ppp]tun0--d        | DHCP Clients
                   |                     g --- vr2| ...
                   |                     e        |
                   |                     0 --- vr3|
                   |                              |
                   `------------------------------'

i am trying to do it all in /etc/rc.conf, though i am not wedded to
doing so.  i will append the tasty bits.

when trying to ssh in from outside, i get

   % ssh -p 60022 gate0
   < long pause >
   ssh: connect to host gate0.psg.com port 60022: No route to host

i have no problem sshing to the target host from within the LAN

    % ssh 192.168.0.34
    Last login: Tue Jan  3 06:16:07 2012 from 192.168.0.1

tcpdump of bridge0 of the gateway shows nothing except the target host
polling dropbox.com occasionally.  /etc/ipfw.rules is quite bland, and
the rest of the 15 machines on the LAN have no complaints.
    flush
    add deny log all from any to any ipoptions ssrr,lsrr,rr
    add pass all from any to any via lo0
    add deny log all from 127.0.0.0/8 to any
    add deny log all from any to 127.0.0.0/8
    add divert natd all from any to any via bridge0
    add deny tcp from any to me smtp
    add 65530 pass all from any to any

any clues on how i debug?

randy

---

hostname=gate0.psg.com
firewall_enable=YES
firewall_type=/etc/ipfw.rules
firewall_quiet=YES
firewall_logging=YES

ppp_enable=YES
ppp_mode=dedicated
ppp_profile=iij

wlans_ath0="wlan0 wlan1"
create_args_wlan0="wlanmode ap mode 11g channel 11 up"
cloned_interfaces=bridge0
ifconfig_bridge0="192.168.0.1 addm vr1 addm vr2 addm vr3 addm wlan0 addm wlan1 up"
ifconfig_vr1=up
ifconfig_vr2=up
ifconfig_vr3=up

hostapd_enable=YES

natd_enable=YES
natd_interface=bridge0
natd_flags="-redirect_port tcp 192.168.0.34:22 60022"

gateway_enable=YES

-30-
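The post asks how to debug the redirect. One thing worth checking first: the appended rc.conf binds natd to bridge0, the LAN side of the gateway, and the divert rule is likewise "via bridge0", while an inbound connection to port 60022 arrives on the PPP link (tun0 in the diagram) addressed to the gateway itself. natd and its divert rule only see such a packet when they sit on the external interface, so a redirect_port on the LAN side never fires. The script below is an added example, not part of the post or of FreeBSD's own tooling: it lints copies of the post's rc.conf and ipfw rules for exactly that placement mistake. It assumes rc.conf uses the natd_interface and ifconfig_<if> keys shown in the post, that the rules file uses "divert natd ... via <if>", that an interface carrying an RFC 1918 address in rc.conf is LAN-side, and that tun0 is the external interface as the diagram indicates.

```sh
#!/bin/sh
# Added example, not part of the original post or of FreeBSD's tooling:
# lint an rc.conf fragment and an ipfw rules file for natd sitting on the
# wrong side of the gateway. Assumptions: rc.conf uses the natd_interface
# and ifconfig_<if> keys seen in the post, the rules file uses
# "divert natd ... via <if>", and an interface carrying an RFC 1918
# address in rc.conf is LAN-side.

# Constructed copies of the post's configuration (trimmed to the relevant keys).
RC_CONF='hostname=gate0.psg.com
cloned_interfaces=bridge0
ifconfig_bridge0="192.168.0.1 addm vr1 addm vr2 addm vr3 addm wlan0 addm wlan1 up"
natd_enable=YES
natd_interface=bridge0
natd_flags="-redirect_port tcp 192.168.0.34:22 60022"
gateway_enable=YES'

IPFW_RULES='flush
add divert natd all from any to any via bridge0
add 65530 pass all from any to any'

# Constructed variant with NAT moved to tun0, the PPPoE link in the post's diagram.
RC_CONF_FIXED=$(printf '%s\n' "$RC_CONF" | sed 's/^natd_interface=.*/natd_interface=tun0/')
IPFW_RULES_FIXED=$(printf '%s\n' "$IPFW_RULES" | sed 's/via bridge0$/via tun0/')

# rc_value KEY CONF: print KEY's value from an rc.conf text, quotes stripped.
rc_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"'
}

# divert_iface RULES: interface named by the first "divert natd ... via" rule.
divert_iface() {
    printf '%s\n' "$1" | sed -n 's/^add.*divert natd.*via \([a-z0-9]*\).*/\1/p' | head -n 1
}

# is_private_iface IF CONF: succeed if IF's first address in rc.conf is RFC 1918.
is_private_iface() {
    addr=$(rc_value "ifconfig_$1" "$2" | awk '{print $1}')
    case "$addr" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_nat_placement CONF RULES: print "ok" or a one-line finding; status 1 on a finding.
check_nat_placement() {
    nat_if=$(rc_value natd_interface "$1")
    div_if=$(divert_iface "$2")
    if [ -z "$div_if" ]; then
        echo "no divert natd rule found; natd never sees any packets"
        return 1
    fi
    if [ "$nat_if" != "$div_if" ]; then
        echo "mismatch: natd_interface=$nat_if but divert rule is via $div_if"
        return 1
    fi
    if is_private_iface "$nat_if" "$1"; then
        echo "natd bound to LAN-side interface $nat_if; NAT and the divert rule belong on the external interface"
        return 1
    fi
    echo "ok"
}

check_nat_placement "$RC_CONF" "$IPFW_RULES" || :              # flags the post's layout
check_nat_placement "$RC_CONF_FIXED" "$IPFW_RULES_FIXED" || :  # prints ok
```

On the live gateway the same question can be answered from the counters: `ipfw -a list` shows how many packets the divert rule has matched, and `tcpdump -ni tun0 tcp port 60022` while attempting the connection shows whether the SYN reaches the external interface at all. If the SYN is visible on tun0 but the divert counter never moves, the rule is on the wrong interface.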