Date: Mon, 06 Mar 2006 12:01:34 -0300 From: Tiago Cruz <tiagocruz@b4br.net> To: "freebsd-net@FreeBSD.org" <freebsd-net@FreeBSD.org>, Brian Candler <B.Candler@pobox.com> Subject: Re: Network client is the same from server Message-ID: <1141657294.25455.38.camel@localhost.localdomain> In-Reply-To: <20060201134633.GB78696@uk.tiscali.com> References: <1138387362.4742.9.camel@localhost.localdomain> <43DA6C6A.7050701@elischer.org> <1138390041.4742.19.camel@localhost.localdomain> <43DA8E70.2070804@elischer.org> <1138621574.18130.26.camel@localhost.localdomain> <43DE6030.4090702@elischer.org> <20060131123042.GA74812@uk.tiscali.com> <1138713557.25466.4.camel@localhost.localdomain> <43DFCBBC.7000206@elischer.org> <20060201134633.GB78696@uk.tiscali.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello all, I have some news about this subject: On Wed, 2006-02-01 at 13:46 +0000, Brian Candler wrote: > After: > > 192.168.0.0/24 192.168.0.0/24 > ------+---------- GW1 -------------------- GW2 -----+----------- > | [nat1] [nat2] | > X Y > > In this example, the sense of 'inbound' and 'outbound' is wrong for each > natd, which you might be able to fix using -reverse on both of them. > > Or: > > 192.168.0.0/24 192.168.0.0/24 > ------+---------- GW1 -------------------- GW2 -----+----------- > | [nat2] [nat1] | > X Y > > Here the in/out sense is the same, but now we're doing nat2's processing > before nat1's. Is that a problem? I think it is. > > * Packet from 192.168.0.1 to 192.168.200.1 > - at nat2: destination changed to 192.168.0.1 > - at nat1: source changed to 192.168.100.1 > > Trouble is that at the first step, the destination is now 192.168.0.1, which > means it will be delivered back to the local LAN instead of out of the > external interface. I did a lot of things in the last week: -> My LAN is 192.168.0.0/22 -> OpenVPN, route to clients: push "route 192.168.10.0 255.255.255.0" -> PF rules: binat on $vpn_if from 192.168.10.0/24 to any -> 192.168.0.0/24 binat on $vpn_if from 192.168.0.0/24 to any -> 192.168.10.0/24 In the notebook client, when I try to ping 192.168.10.19 (in the true, is the 192.168.0.19): 15:56:56.197170 IP 10.8.0.6 > 192.168.10.19: ICMP echo request, id 512, seq 5121, length 40 15:56:56.197779 IP 192.168.0.19 > 10.8.0.6: ICMP echo reply, id 512, seq 5121, length 40 My first ping is E.O.K (TTL=126) but all the others I don't have reply (75% lost). > OTOH, it might not be easy to make work with pf either. You should only need > two 'binat' rules, but I'm not sure how you go about reversing the in/out > sense. There's a separate freebsd-pf mailing list which might be able to > help. I've found a little bit of information in pf mailing, but I think that the problem is now with network mailing because my VPN Server is my CARP backup machine, and the state table is sincronized by pfsync with the CARP master (defaulf gateway of the machines). Maybe its because this tha only my fist ping works :-/ Can you help me please? Many thanks! -- Tiago Cruz http://linuxrapido.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1141657294.25455.38.camel>