From owner-freebsd-net@FreeBSD.ORG Sat Jul 6 13:02:47 2013
Date: Sat, 6 Jul 2013 23:02:36 +1000 (EST)
From: Ian Smith
To: Sami Halabi
Cc: freebsd-net@freebsd.org, Eugene Grosbein, freebsd-ipfw
Subject: Re: DNAT in freebsd
Message-ID: <20130706224310.R26496@sola.nimnet.asn.au>
In-Reply-To: <51D80193.5080401@grosbein.net>
References: <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net> <51D14930.1060502@grosbein.net> <51D15D06.9030300@grosbein.net> <51D390CA.5020803@freebsd.org> <51D3A1A0.8090904@freebsd.org> <51D3A35C.8070305@freebsd.org> <51D80193.5080401@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD

On Sat, 6 Jul 2013 18:37:55 +0700, Eugene Grosbein wrote:
 > On 06.07.2013 14:47, Sami Halabi wrote:
 > > Hi,
 > > Any hope?
 >
 > Have you used intermediate "ipfw count log" rules between "ipfw nat" rules
 > I recommended? If yes, why have you not shown those logs yet?
 > Include tcpdump output from external and internal interfaces too.

Sami, this was very good advice.
I'll go further and say add _lots_ of 'count log' rules before and after each nat rule, one each for packets you might expect from different sources of interest, and to different destinations expected from your nat mapping, and also the unexpected.

Then run some test packets, afterwards running 'ipfw -t show' so you (and we) can clearly see which packets went which way and when. This may help debugging greatly; we need you to tell less, and show us more.

Julian also put some time into a well detailed plan, based of course on assumptions reached with not a lot to go on; you should try using that, and feeding back some very specific results.

cheers, Ian
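
The bracketing described in the message above, as an added example that is not part of the original post or thread: a dry-run sh helper that emits 'count log' rules just before and just after one nat rule. The rule number 1000, interface em0, the two addresses and the `bracket_nat` helper are constructed placeholders, and the sketch assumes the rule numbers around the nat rule are free.

```shell
#!/bin/sh
# Added example: generate 'count log' rules bracketing one 'ipfw nat' rule.
# Rule numbers, interface and addresses are constructed placeholders.
#
# Two sysctls decide what these counters can show:
#   net.inet.ip.fw.one_pass=0  lets a packet continue to the next rule after
#                              nat; with 1 the "after" counters stay at zero.
#   net.inet.ip.fw.verbose=1   sends 'log' matches to syslog.
# Packets that continue past the nat rule also meet every later rule in the
# ruleset, so do this on a test box or with console access.

# Dry run by default: commands are printed, not executed.
# Set IPFW=/sbin/ipfw in the environment to apply them.
IPFW="${IPFW:-echo ipfw}"

# bracket_nat NAT_RULE IFACE ADDR...
# For each address of interest, count packets from it and to it immediately
# before NAT_RULE (pre-translation) and immediately after (post-translation),
# then add a catch-all pair so unexpected traffic shows up as the difference.
bracket_nat() {
    natrule=$1; iface=$2; shift 2
    before=$((natrule - 50))
    after=$((natrule + 1))
    for addr in "$@"; do
        $IPFW add "$before" count log ip from "$addr" to any via "$iface"
        $IPFW add "$((before + 1))" count log ip from any to "$addr" via "$iface"
        $IPFW add "$after" count log ip from "$addr" to any via "$iface"
        $IPFW add "$((after + 1))" count log ip from any to "$addr" via "$iface"
        before=$((before + 2)); after=$((after + 2))
    done
    $IPFW add "$((natrule - 1))" count log ip from any to any via "$iface"
    $IPFW add "$((natrule + 49))" count log ip from any to any via "$iface"
}

# Constructed case: nat rule 1000 on em0, one outside host (192.0.2.10)
# and one inside host (10.0.0.5) expected from the nat mapping.
bracket_nat 1000 em0 192.0.2.10 10.0.0.5

# After sending test packets, compare counters and last-match timestamps:
#   ipfw -t show
```

A counter that increments before the nat rule but not after it, or an address that only appears on one side, shows where the translation is not doing what the mapping was meant to do.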