From: Randy Bush <randy@psg.com>
To: freebsd-net@FreeBSD.org
Date: Tue, 03 Jan 2012 15:40:11 +0900
Subject: how to debug non-working hole in nat

FreeBSD gate0.psg.com 8.2-STABLE FreeBSD 8.2-STABLE #8: Sat Dec 24 13:39:45 GMT 2011 root@gate0.psg.com:/usr/obj/usr/src/sys/GATE0 i386

i have a working natd setup and am trying to punch a hole in it for ssh to an internal host.

   .------------------------------.
   |                              |
   | b --wlan0|                   |
   | r        | 192.168.0.0/24    |         WAN IIJ
   | i --- vr1| LAN hosts,        | PPP/NAT ---|vr0[PPPoE][ppp]tun0---
   | d        | DHCP Clients      |
   | g --- vr2| ...               |
   | e        |                   |
   | 0 --- vr3|                   |
   |                              |
   `------------------------------'

i am trying to do it all in /etc/rc.conf, though i am not wedded to doing so. i will append the tasty bits.
when trying to ssh in from outside, i get

  % ssh -p 60022 gate0
  < long pause >
  ssh: connect to host gate0.psg.com port 60022: No route to host

i have no problem sshing to the target host from within the LAN

  % ssh 192.168.0.34
  Last login: Tue Jan 3 06:16:07 2012 from 192.168.0.1

tcpdump of bridge0 of the gateway shows nothing except the target host polling dropbox.com occasionally.

/etc/ipfw.rules is quite bland, and the rest of the 15 machines on the LAN have no complaints.

  flush
  add deny log all from any to any ipoptions ssrr,lsrr,rr
  add pass all from any to any via lo0
  add deny log all from 127.0.0.0/8 to any
  add deny log all from any to 127.0.0.0/8
  add divert natd all from any to any via bridge0
  add deny tcp from any to me smtp
  add 65530 pass all from any to any

any clues on how i debug?

randy

---

  hostname=gate0.psg.com
  firewall_enable=YES
  firewall_type=/etc/ipfw.rules
  firewall_quiet=YES
  firewall_logging=YES
  ppp_enable=YES
  ppp_mode=dedicated
  ppp_profile=iij
  wlans_ath0="wlan0 wlan1"
  create_args_wlan0="wlanmode ap mode 11g channel 11 up"
  cloned_interfaces=bridge0
  ifconfig_bridge0="192.168.0.1 addm vr1 addm vr2 addm vr3 addm wlan0 addm wlan1 up"
  ifconfig_vr1=up
  ifconfig_vr2=up
  ifconfig_vr3=up
  hostapd_enable=YES
  natd_enable=YES
  natd_interface=bridge0
  natd_flags="-redirect_port tcp 192.168.0.34:22 60022"
  gateway_enable=YES

-30-
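The first thing to check before reaching for tcpdump is whether natd(8), the ipfw divert rule and the interface that actually carries the public address all agree, because natd only ever sees the packets the divert rule hands it, and a `via X` rule only matches packets received on or sent out of X. The script below is an added example, not part of the original post or of FreeBSD; it reads the relevant lines copied from the posted rc.conf and /etc/ipfw.rules (embedded as strings so it runs offline) and takes the public interface name as an argument, since it does not consult the routing table. `tun0` is assumed from the diagram to be the PPPoE link.

```shell
#!/bin/sh
# Added example, not from the original post: an offline consistency check for
# a natd(8) + ipfw divert port-forward. The two strings below are the relevant
# lines from the poster's rc.conf and /etc/ipfw.rules; the public interface
# name is passed in by the caller (tun0 here, assumed from the diagram).

RC_CONF='ppp_enable=YES
ppp_mode=dedicated
ifconfig_bridge0="192.168.0.1 addm vr1 addm vr2 addm vr3 addm wlan0 addm wlan1 up"
natd_enable=YES
natd_interface=bridge0
natd_flags="-redirect_port tcp 192.168.0.34:22 60022"'

IPFW_RULES='flush
add deny log all from any to any ipoptions ssrr,lsrr,rr
add pass all from any to any via lo0
add deny log all from 127.0.0.0/8 to any
add deny log all from any to 127.0.0.0/8
add divert natd all from any to any via bridge0
add deny tcp from any to me smtp
add 65530 pass all from any to any'

# rc_value VAR TEXT: value of VAR=... in an rc.conf fragment, quotes stripped.
rc_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | sed 's/^"//; s/"$//'
}

# divert_iface RULES: interface named after "via" in the first divert rule.
divert_iface() {
    printf '%s\n' "$1" |
        awk '/^add .*divert natd/ { for (i = 1; i <= NF; i++) if ($i == "via") print $(i+1); exit }'
}

# redirect_target FLAGS: "proto target:port extport" from -redirect_port.
redirect_target() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "-redirect_port") print $(i+1), $(i+2), $(i+3) }'
}

# capture_filter IFACE PROTO PORT: the tcpdump invocation that shows whether
# the inbound SYN even reaches the box on the public side.
capture_filter() {
    printf 'tcpdump -ni %s %s port %s\n' "$1" "$2" "$3"
}

# check_forward RC RULES WAN: prints one line per finding; returns 0 only when
# natd, the divert rule and the public interface all name the same interface.
check_forward() {
    rc_text=$1; rules=$2; wan=$3; status=0
    natd_if=$(rc_value natd_interface "$rc_text")
    div_if=$(divert_iface "$rules")
    set -- $(redirect_target "$(rc_value natd_flags "$rc_text")")
    proto=$1; target=$2; extport=$3

    if [ "$natd_if" != "$div_if" ]; then
        echo "MISMATCH: natd_interface=$natd_if but ipfw diverts via $div_if"
        status=1
    fi
    # A packet arriving on the public interface for the public address is
    # delivered locally; it never crosses the LAN-side interface, so a
    # "via <lan>" divert rule never matches it and natd never sees it.
    if [ "$natd_if" != "$wan" ]; then
        echo "WARN: natd and divert are on $natd_if, public address is on $wan;" \
             "inbound $proto/$extport arriving on $wan is never diverted"
        status=1
    fi
    echo "forward: $proto $extport -> $target"
    echo "verify:  $(capture_filter "$wan" "$proto" "$extport")"
    echo "verify:  ipfw -a list | grep divert   # divert counters should move"
    return $status
}

if check_forward "$RC_CONF" "$IPFW_RULES" tun0; then
    echo "config consistent"
else
    echo "fix the findings above before reaching for tcpdump"
fi
```

Run it with the posted values and it flags that natd and the divert rule sit on bridge0 while the public address is on tun0, then prints the two checks that settle the question on the box: a capture on the public interface for the external port (if the SYN is not even seen there, the problem is upstream or in ppp), and `ipfw -a list`, whose divert-rule counters stay at zero when nothing is being handed to natd. One caveat the post cannot settle: the diagram labels the link "PPP/NAT", and /etc/ppp/ppp.conf is not shown. If ppp is doing the NAT on tun0 itself, the hole has to be opened there with ppp's `nat port` directive (for this case `nat port tcp 192.168.0.34:22 60022`), and natd on the LAN side never sees the public-side packets at all.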