From: Daniel Hartmeier
To: Pejman Moghadam
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Tue, 26 Jul 2005 16:01:26 +0200
Subject: Re: pinging same host on the internet from two different LAN stations
Message-ID: <20050726140126.GB20522@insomnia.benzedrine.cx>
In-Reply-To: <20050726125819.90822.qmail@web32406.mail.mud.yahoo.com>
References: <20050726125819.90822.qmail@web32406.mail.mud.yahoo.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, Jul 26, 2005 at 05:58:18AM -0700, Pejman Moghadam wrote:
> I have one FreeBSD 5.4 router/firewall box in my LAN that does NAT with PF.
> The problem is I can't ping the same machine on the internet from two or more different machines
> on my LAN at the same time. Only one of my LAN clients can ping that target, and pinging that
> target from another station is possible only when I stop pinging from the first client.
> Is there any way or any tool that ICMP portmapping allows simultaneous connections to external
> targets from multiple machines from the LAN?

I don't believe you have actually tried this.

From one workstation (10.1.1.20)

  $ ping 199.185.137.3
  64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=218.693 ms
  64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=211.615 ms
  [...]

At the same time, from another workstation (10.2.2.11)

  $ ping 199.185.137.3
  64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=195.604 ms
  64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=194.387 ms

On the gateway which does NAT for both

  # pfctl -ss | grep icmp
  kue0 icmp 10.1.1.20:354 -> 62.65.145.30:354 -> 199.185.137.3:354       0:0
  kue0 icmp 10.2.2.11:19057 -> 62.65.145.30:19057 -> 199.185.137.3:19057       0:0

What looks like port numbers in the state is the ICMP ID, a number chosen randomly for one ping invocation. pf uses this to dispatch incoming replies from the external host to the appropriate internal host.

Daniel
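A small model of the reply dispatch Daniel describes, added here as an example and not part of the original message or of pf: it parses `pfctl -ss` ICMP state lines in the form shown above and resolves a constructed inbound echo reply to the internal host by (NAT address, remote host, ICMP ID). The line format and the handling of an ICMP ID collision are assumptions of the model, not pf's own behaviour.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample input: the two NAT'd ICMP states shown in the message
# (one ping from each workstation, both translated to the gateway address).
PFCTL_SS_OUTPUT = """\
kue0 icmp 10.1.1.20:354 -> 62.65.145.30:354 -> 199.185.137.3:354       0:0
kue0 icmp 10.2.2.11:19057 -> 62.65.145.30:19057 -> 199.185.137.3:19057       0:0
"""

# One NAT'd ICMP state line: <if> icmp <int>:<id> -> <ext>:<id> -> <remote>:<id>
STATE_RE = re.compile(
    r"^(?P<if>\S+)\s+icmp\s+"
    r"(?P<int>[\d.]+):(?P<int_id>\d+)\s+->\s+"
    r"(?P<ext>[\d.]+):(?P<ext_id>\d+)\s+->\s+"
    r"(?P<rem>[\d.]+):(?P<rem_id>\d+)"
)

# Key under which an inbound reply is matched: (NAT address, remote host, ICMP ID).
Key = Tuple[str, str, int]

def parse_states(text: str) -> Dict[Key, str]:
    """Build the reply-dispatch table: (ext, remote, icmp_id) -> internal host."""
    table: Dict[Key, str] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        key = (m["ext"], m["rem"], int(m["ext_id"]))
        if key in table:
            # Two internal hosts chose the same ICMP ID toward the same target, so a
            # reply could not be attributed to exactly one of them.  The message does
            # not say how pf itself resolves this; the model just refuses (assumption).
            raise ValueError(f"ICMP ID collision on {key}: {table[key]} vs {m['int']}")
        table[key] = m["int"]
    return table

def dispatch_reply(table: Dict[Key, str], src: str, dst: str, icmp_id: int) -> Optional[str]:
    """Internal host an inbound echo reply (from src to dst, with icmp_id) belongs to."""
    return table.get((dst, src, icmp_id))

if __name__ == "__main__":
    states = parse_states(PFCTL_SS_OUTPUT)
    for icmp_id in (354, 19057, 4242):
        print(icmp_id, "->", dispatch_reply(states, "199.185.137.3", "62.65.145.30", icmp_id))
```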