From: "Bartek W. aka Mastier" <mistrzipan@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: problem with setting nat
Date: Tue, 23 Aug 2011 12:23:50 +0200
Message-ID: <4E537FB6.7000100@gmail.com>
References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de> <4E5369DA.1030303@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 23.08.2011 11:48, Sara Khanchi wrote:
>>> lan(11.11.11.0/24) --|switch|-- |(.1) gw (.64)| --|switch|-- upstream(172.16.10.x/16)
>>> nat pool address: 172.16.10.1-172.16.10.63
>>> nat pool address is on the same network of upstream device.
>>>
>>> Maybe I don't understand you well. In your first post you've mentioned that
>>> I should define a static route on the upstream device so it would send
>>> packets destined for the natted address to the gw. In this post you've
>>> talked about defining a static route on the gw to the upstream? Could you
>>> explain to me more about your suggestion of using static routes instead of
>>> the proxy-arp solution?
>>>
>>> However, in the above topology, there is no need to define a static route
>>> on the upstream device (they are on the same network) in normal condition,
>>> so it should be applicable when nat is used on the gw, right? What's the
>>> solution then?
>>> _______________________________________________
>>> freebsd-pf@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>>
>> I completely don't see the point of using arp-proxy at all. Can you
>> enlighten me? You need to connect two networks, also is there any point of
>> using nat? Instead of just routing traffic between them, unless one of them
>> is the Internet or some MAN/WAN network.
>>
>> As Olli mentioned, you need to add a route if you don't want to put the nat
>> address on the interface. I don't know any ARP proxy software for FreeBSD,
>> because I've never used any. So, ok, if Olli was so kind as to clear things
>> out, he seems to have better experience in these matters.
>>
>> Btw. Sara, please, possibly use "Answer in list" instead of "Answer to me
>> with Cc to list" in your mail client :-) Or just send back to
>> freebsd-pf@freebsd.org. Thanks.
>>
> I've just put an example in the previous post to clarify my purpose. The gw
> system in the sample is possibly a stub router that connects a network to,
> let's say, the internet. What I actually want to figure out is that when I
> define nat on the stub router, without any need to define static routes on
> other systems, would it be possible to get nat working properly, as happens
> in a cisco stub router using nat? It seems that it automatically makes arp
> proxy.

But this is.. an extra. Actually not necessary, unless you badly want to be
arping everyone and have L2 access between networks. Cisco is sooo pro. Don't
be surprised that the opensource world doesn't have "out-of-the-box features"
which are provided by Cisco, to be "more pro".

> According to what is discussed here, I believe the only way is to use
> arp-proxy for the pool addresses. In this way, there is no difference for
> other systems whether the stub router is using nat or not? It's the duty of
> the nat router to handle the consequences of natting (reply to responses to
> the natted addresses that are not really available). I think maybe adding
> entries to the arp table using the arp command does the proxy-arping.

If a host asks for reverse arp, like, ok, I got in my arp table address
xx:xx:xx:xx:xx:xx (hex symbols only ;) ). It came from a different network,
but I still got it because there was some arp proxy magic. If not, the packet
got the IP address from the right host and the MAC from the gateway. What a
big deal? This is how it works.

For the purpose of network scanning/monitoring between two networks, of
course, arp proxy would be helpful, because otherwise you cannot definitely
say that a host is on/off. But for that reason the ICMP protocol was created,
to make the hosts respond on layer 3. If a host does not respond to an echo
request, the nearest gateway/router can send an ICMP packet back,
"Destination host unreachable", depending on router firewall behaviour.

For example, some "strange network operator" set a static arp of the router
(79.110.195.x) for an unused IP. Here is the example. What happens then:

$ ping 79.110.199.y
PING 79.110.199.y (79.110.199.y) 56(84) bytes of data.
From 79.110.195.x icmp_seq=1 Time to live exceeded
From 79.110.195.x icmp_seq=2 Time to live exceeded
From 79.110.195.x icmp_seq=3 Time to live exceeded
From 79.110.195.x icmp_seq=4 Time to live exceeded

The packets are looped on the router until the TTL falls down to zero.

> As I understand, and I'm not sure my understanding is correct, Olli suggests
> defining static routes on the upstream router to send packets destined for
> pool addresses to the gw. In this scenario, the nat process is not
> transparent any more and the upstream system should be aware of it and
> support it by adding static routes, which is undesirable.

I don't think so. Why *must* NAT be transparent? Look at the Internet: how do
you know whether some public IP address, either PI or PA, is a gateway or a
leaf on the network tree? Unless you own/manage both sides of the nat, you
make them behave the most desired way.

> p.s. I've used the "reply all" button in gmail and it sets the to and cc
> fields itself. Sorry if this bothers you. I will take care of it :)

In a mailing list, you just use answer, because everyone will get it, because
the mailing list software will "spread the word" to all subscribed :-) I don't
use the gmail webclient on a daily basis, but I assumed that clicking "Answer"
on a mail like mine now will add the "freebsd-pf@freebsd.org" address (only!)
as a receiver straight away.
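An added example, not from this thread or from pf, showing the two ways a NAT pool like 172.16.10.1-172.16.10.63 becomes reachable from the upstream side: published ARP entries on the gateway when the pool sits inside the upstream's connected subnet (the "arp command" idea above, using FreeBSD arp(8)'s pub flag), or a static route on the upstream box when it does not (Olli's suggestion, using route(8)). The function name plan_pool_reachability and the gateway MAC 00:11:22:33:44:55 are my own constructions; nothing is executed, the function only returns the commands.

```python
import ipaddress

def plan_pool_reachability(pool_first, pool_last, upstream_net, gw_ext_ip, gw_ext_mac):
    """Decide how the upstream side reaches a NAT pool held by a pf gateway.

    Returns a dict with the chosen mode, which box the commands belong on,
    and the command strings themselves (constructed, not executed here).
    """
    first = ipaddress.IPv4Address(pool_first)
    last = ipaddress.IPv4Address(pool_last)
    net = ipaddress.IPv4Network(upstream_net, strict=False)
    gw = ipaddress.IPv4Address(gw_ext_ip)
    if last < first:
        raise ValueError("pool range is reversed")
    if first <= gw <= last:
        # The gateway's real address (.64 in the thread) must stay out of the
        # pool, otherwise the gateway would publish its own IP as a pool entry.
        raise ValueError("gateway address must not sit inside the pool")
    in_net = (first in net, last in net)
    if all(in_net):
        # Pool lies in the upstream's directly connected subnet: the upstream
        # never consults its routing table for these addresses, it just ARPs
        # for them.  Someone has to answer, so the gateway publishes every pool
        # address with its own MAC (proxy ARP).  These entries are not
        # persistent across reboots.
        cmds = [f"arp -s {ipaddress.IPv4Address(ip)} {gw_ext_mac} pub"
                for ip in range(int(first), int(last) + 1)]
        return {"mode": "proxy-arp", "run_on": "gateway", "commands": cmds}
    if not any(in_net):
        # Pool is off-subnet: no ARP is involved, but the upstream has to be
        # told that the pool lives behind the gateway.  One route per CIDR
        # block that the range decomposes into.
        blocks = ipaddress.summarize_address_range(first, last)
        cmds = [f"route add -net {b.with_prefixlen} {gw}" for b in blocks]
        return {"mode": "static-route", "run_on": "upstream", "commands": cmds}
    raise ValueError("pool straddles the upstream subnet boundary; split it")
```

Review the returned strings before running them on either box; the proxy-ARP branch produces one arp(8) line per pool address, so a pool of 63 addresses yields 63 published entries.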