From owner-freebsd-questions Sat Feb 24 23:29:40 2001
Message-ID: <15000.46171.122193.363607@Sophie.B2Pi.com>
Date: Sun, 25 Feb 2001 02:29:31 -0500 (EST)
From: Brent B.Powers
To: cjclark@alum.mit.edu
Cc: "Brent B.Powers", freebsd-questions@FreeBSD.ORG
Subject: Re: With natd server, can't hit my own static IP's
In-Reply-To: <20010221004746.Y62368@rfx-216-196-73-168.users.reflex>
References: <20010221004746.Y62368@rfx-216-196-73-168.users.reflex>

Warning: Long unwrapped lines follow below.....

>>>>> "Crist" == Crist J Clark writes:

Crist> On Tue, Feb 20, 2001 at 09:59:52PM -0800, Brent B.Powers wrote:

[snip]

>                 |                        |      |-- 192.168.1.0
>                 |                        |      |
>                 | alias xxx.xxx.xxx.0    |      |-- 192.168.1.1
>                 | alias xxx.xxx.xxx.1    |      |
>                 | alias xxx.xxx.xxx.2    |      |-- 192.168.1.2
>                 | alias xxx.xxx.xxx.3    |      |
>                 | alias xxx.xxx.xxx.4    |      |-- 192.168.1.3
>                 | alias xxx.xxx.xxx.5    |      |
>                 | alias xxx.xxx.xxx.6    |      |-- 192.168.1.4
>   [INET] ---    | DE0 xxx.xxx.xxx.7  RL0 |----[]-|
>                 |                        |      |-- 192.168.1.5
>                 |                        |      |
>                 |                        |      |-- 192.168.1.6
>                 |                        |      |
>                 |                        |      |-- 192.168.1.7
>
> Unfortunately, I've just noticed that I can't get to my own servers,
> i.e. If I'm sitting at the console of, say, 192.168.1.4, and the whole
> world knows that my webserver is at xxx.xxx.xxx.6. However, I can't
> get there. If I try to touch anything other than .7, I get .7 (so my
> webserver isn't found, for instance).

Crist> *groan* Another natd(8) one I should write up for the
Crist> FAQ... Too late to do it tonight. I am pretty sure this one
Crist> is at one of the independent websites, graveconcern,
Crist> bsddiary?

I've actually searched at bsddiary, but didn't find anything that seems
to apply, and although I'd not heard of mostgraveconcern, I also didn't
find anything relevant there, or within defcon1. I know when I was last
on this list, there was talk of setting up a basic networking and NAT
FAQ, but I saw no reference to it at freebsd.org, nor does the main
FreeBSD FAQ contain anything pertaining to this problem.

Crist> There are two main approaches, split-DNS or running another
Crist> natd(8) (or similar program) on the internal
Crist> interface. Split-DNS means your internal machines will see
Crist> hostnames already mapped to the internal IPs. To run another
Crist> natd(8), run another instance of natd on the internal interface
Crist> diverting to a different port. e.g.,

Split-DNS seems like a maintenance nightmare. I had tried, btw, setting
up an internal-only natd before, but changing the port has been a
head-slapping, 'doh' experience... So:

It turns out the redirect commands are the same for either side of the
natd, so, with the exception of the interface and port (which were on
the command line anyway), the natd config files are the same. Thus the
commands (on the gateway box, with a debug firewall):

(TBird)/etc[16]#/bin/sh /etc/rc.firewall
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00340 divert 8668 ip from any to any via de0
00350 divert 8669 ip from 192.168.1.0/24 to 216.254.64.0/24 via rl0
65000 allow ip from any to any
(TBird)/etc[17]#/sbin/natd -config /etc/natd.conf -port 8669 -n rl0 -v
natd[26563]: Aliasing to 192.168.1.1, mtu 1500 bytes
In  [ICMP] [ICMP] 192.168.1.188 -> 216.254.64.186 8(0) aliased to
           [ICMP] 192.168.1.188 -> 192.168.1.186 8(0)
In  [ICMP] [ICMP] 192.168.1.188 -> 216.254.64.186 8(0) aliased to
           [ICMP] 192.168.1.188 -> 192.168.1.186 8(0)
In  [ICMP] [ICMP] 192.168.1.188 -> 216.254.64.186 8(0) aliased to
           [ICMP] 192.168.1.188 -> 192.168.1.186 8(0)
In  [TCP]  [TCP] 192.168.1.188:1049 -> 216.254.64.186:21 aliased to
           [TCP] 192.168.1.188:1049 -> 192.168.1.186:21
In  [TCP]  [TCP] 192.168.1.188:1049 -> 216.254.64.186:21 aliased to
           [TCP] 192.168.1.188:1049 -> 192.168.1.186:21
In  [TCP]  [TCP] 192.168.1.188:1049 -> 216.254.64.186:21 aliased to
           [TCP] 192.168.1.188:1049 -> 192.168.1.186:21

At the same time, as you can see, from a second machine (lists, 188), I
pinged a third (sophie, 186). When that worked, I tried an ftp over to
sophie, and got back nothing....

[root@lists /root]# ping -c 3 -n 216.254.64.186
PING 216.254.64.186 (216.254.64.186) from 192.168.1.188 : 56(84) bytes of data.
From 192.168.1.1: Redirect Host(New nexthop: 192.168.1.186)
64 bytes from 192.168.1.186: icmp_seq=0 ttl=255 time=2.0 ms
From 192.168.1.1: Redirect Host(New nexthop: 192.168.1.186)
64 bytes from 192.168.1.186: icmp_seq=1 ttl=255 time=1.2 ms
From 192.168.1.1: Redirect Host(New nexthop: 192.168.1.186)
64 bytes from 192.168.1.186: icmp_seq=2 ttl=255 time=1.1 ms

--- 216.254.64.186 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.1/1.4/2.0 ms
[root@lists /root]# ftp 216.254.64.186
^C

http access gave me the same results.

I tried, then, to see what sophie (186) was getting via tcpdump:

(Sophie)/var/log[34]#tcpdump -n '(src host 192.168.1.188 or src host 192.168.1.186 or src host 192.168.1.1) and (dst host 192.168.1.188 or dst host 192.168.1.186 or dst host 192.168.1.1) and not port ssh'
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
02:27:36.771503 eth0 B arp who-has 192.168.1.186 tell 192.168.1.1
02:27:36.771736 eth0 > arp reply 192.168.1.186 (8:0:20:1d:f2:2b) is-at 8:0:20:1d:f2:2b (0:50:bf:1c:46:b0)
02:27:36.772060 eth0 < 192.168.1.188 > 192.168.1.186: icmp: echo request
02:27:36.772253 eth0 > 192.168.1.186 > 192.168.1.188: icmp: echo reply
02:27:37.761512 eth0 < 192.168.1.188 > 192.168.1.186: icmp: echo request
02:27:37.761746 eth0 > 192.168.1.186 > 192.168.1.188: icmp: echo reply
02:27:38.761383 eth0 < 192.168.1.188 > 192.168.1.186: icmp: echo request
02:27:38.761609 eth0 > 192.168.1.186 > 192.168.1.188: icmp: echo reply
02:27:41.810081 eth0 > arp who-has 192.168.1.1 tell 192.168.1.186 (8:0:20:1d:f2:2b)
02:27:41.810376 eth0 < arp reply 192.168.1.1 is-at 0:50:bf:1c:46:b0 (8:0:20:1d:f2:2b)
02:27:52.057370 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: S 743268912:743268912(0) win 32120 (DF)
02:27:52.059220 eth0 > 192.168.1.186.ftp > 192.168.1.188.1050: S 696098068:696098068(0) ack 743268913 win 32120 (DF)
02:27:52.059482 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: R 743268913:743268913(0) win 0
02:27:55.049682 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: S 743268912:743268912(0) win 32120 (DF)
02:27:55.040021 eth0 > 192.168.1.186.ftp > 192.168.1.188.1050: S 699090422:699090422(0) ack 743268913 win 32120 (DF)
02:27:55.050276 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: R 743268913:743268913(0) win 0
02:28:01.049229 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: S 743268912:743268912(0) win 32120 (DF)
02:28:01.049533 eth0 > 192.168.1.186.ftp > 192.168.1.188.1050: S 705089966:705089966(0) ack 743268913 win 32120 (DF)
02:28:01.049800 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: R 743268913:743268913(0) win 0

19 packets received by filter
(Sophie)/var/log[35]#

So, what does this come down to.... My current theories have something
to do with climbing a taller tree to get to the moon, but, why is the
target machine showing packets as coming from lists, when they've been
translated, and should be coming through as though they were coming via
the nat machine (.1)...
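As an added illustration (not part of the mail, and not natd's code), here is a small Python model of the handshake in the tcpdump above: the internal natd rewrites only the destination, so sophie answers lists directly, and lists, which dialled 216.254.64.186, receives a SYN-ACK from 192.168.1.186 and resets; a translator that also rewrites the source to the gateway address (hairpin NAT) forces the reply back through the NAT box, where it can be un-translated. The `rewrite_source` switch and GATEWAY_LAN's masquerade port are assumptions of the model.

```python
# Constructed model of the exchange in the mail above (not natd's code nor the
# poster's). Addresses/ports come from the tcpdump; GATEWAY_LAN's port is made up.
CLIENT = ("192.168.1.188", 1050)          # "lists"
SERVER_PUBLIC = ("216.254.64.186", 21)    # alias the outside world uses
SERVER_INTERNAL = ("192.168.1.186", 21)   # "sophie", where ftpd really is
GATEWAY_LAN = ("192.168.1.1", 40000)      # natd box on rl0 (port constructed)

class InternalNat:
    """natd-like translator on the LAN interface. With rewrite_source=False it
    only redirects the destination; with True it also hides the client behind
    the gateway, so the server's reply must return via the NAT box (hairpin)."""
    def __init__(self, rewrite_source):
        self.rewrite_source = rewrite_source
        self.table = {}  # (server, masqueraded client) -> (client, public)

    def outbound(self, pkt):
        """Client -> server direction, as diverted by rule 00350."""
        if pkt["dst"] != SERVER_PUBLIC:
            return pkt
        new_src = GATEWAY_LAN if self.rewrite_source else pkt["src"]
        self.table[(SERVER_INTERNAL, new_src)] = (pkt["src"], pkt["dst"])
        return {"src": new_src, "dst": SERVER_INTERNAL, "flags": pkt["flags"]}

    def inbound(self, pkt):
        """Server -> client direction: undo the translation."""
        orig = self.table.get((pkt["src"], pkt["dst"]))
        if orig is None:
            return pkt
        client, public = orig
        return {"src": public, "dst": client, "flags": pkt["flags"]}

def server_reply(pkt):
    """ftpd answers whatever source address it saw, directly on the LAN."""
    return {"src": pkt["dst"], "dst": pkt["src"], "flags": "SYN-ACK"}

def client_verdict(sent, received):
    """TCP accepts a SYN-ACK only from the 4-tuple it dialled; a SYN-ACK
    from any other address is answered with a RST (the 'R' lines above)."""
    if received["src"] == sent["dst"] and received["dst"] == sent["src"]:
        return "ESTABLISHED"
    return "RST"

def handshake(rewrite_source):
    nat = InternalNat(rewrite_source)
    syn = {"src": CLIENT, "dst": SERVER_PUBLIC, "flags": "SYN"}
    synack = server_reply(nat.outbound(syn))
    if synack["dst"] == GATEWAY_LAN:  # only then does the reply pass natd
        synack = nat.inbound(synack)
    return client_verdict(syn, synack)
```

handshake(False) reproduces the RST seen in the capture; handshake(True) completes the handshake because the reply is routed back through the translator.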