Date:      Wed, 15 Dec 2004 21:18:07 +0300
From:      "Nickolay A. Kritsky" <nkritsky@star-sw.com>
To:        "Zeno Lee" <zeno_lee@hotmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: NAT works but port redirection does not work on IPNAT and PF
Message-ID:  <881219348812.20041215211807@star-sw.com>
In-Reply-To: <BAY103-DAV984DB892C7096B96FC1E5E2AD0@phx.gbl>
References:  <BAY103-DAV984DB892C7096B96FC1E5E2AD0@phx.gbl>

Hello Zeno,

Check your default gateway on 192.168.1.54.

It seems to be 192.168.1.1 instead of 192.168.168.55:
12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54


Wednesday, December 15, 2004, 9:10:21 PM, Zeno Lee wrote:

ZL> It seems I somehow didn't set up my FreeBSD gateway properly.  I am 
ZL> trying to use my FreeBSD server as a NAT with port redirection.  NAT works 
ZL> fine, but when I use port redirection to redirect requests from my external 
ZL> interface em0 160.79.174.98:80 the request makes it to my internal web 
ZL> server 192.168.1.54 but the response is not being returned back out to the 
ZL> requester.  I've tried both PF and IPFILTER and they both have the same 
ZL> issue.

ZL> Here is my setup:

ZL>                      Internet ----- 24.215.185.142 (External web requester)
ZL>                         |
ZL>                         |
ZL>                        em0 (160.79.174.98/29)
ZL>                 FreeBSD 5.3 STABLE (PF, ALTQ compiled, gateway_enabled)
ZL>                        em1 (192.168.1.55/24)
ZL>                         |
ZL>                         |
ZL>                        LAN -- Web Server (192.168.1.54)
ZL>                         |
ZL>                         |---- NAT client (192.168.1.100) access internet 
ZL> fine

ZL> I've done the dumps and

ZL> # tcpdump -n -i em0 dst host 160.79.174.98 and tcp dst port 80
ZL> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
ZL> listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
ZL> 12:51:57.118746 IP 24.215.185.142.1343 > 160.79.174.98.80: S 
ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
ZL> 12:52:00.153017 IP 24.215.185.142.1343 > 160.79.174.98.80: S 
ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
ZL> 12:52:06.167832 IP 24.215.185.142.1343 > 160.79.174.98.80: S 
ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>

ZL> #  tcpdump -n -i em1 host 192.168.1.54
ZL> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
ZL> listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
ZL> 12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 
ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
ZL> 12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
ZL> 12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S 
ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
ZL> 12:52:06.167855 IP 24.215.185.142.1343 > 192.168.1.54.80: S 
ZL> 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>



ZL> I don't think my port forwarding setup in IPFILTER or PF is the cause, but 
ZL> I've listed it just in case.

ZL> /etc/pf.conf
ZL> nat on em0 from em1:network to any -> (em0)
ZL> rdr on em0 proto tcp from any to em0 port 80 -> 192.168.1.54 port 80


ZL> My IPFILTER rule is just as simple
ZL> /etc/ipnat.conf
ZL> map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
ZL> rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80

ZL> # ipnat -l
ZL> List of active MAP/Redirect filters:
ZL> rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80 tcp
ZL> map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto

ZL> List of active sessions:
ZL> RDR 192.168.1.54    80    <- -> 160.79.174.98   80    [24.215.185.142 1332] 
ZL> _______________________________________________
ZL> freebsd-net@freebsd.org mailing list
ZL> http://lists.freebsd.org/mailman/listinfo/freebsd-net
ZL> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"



-- 
Best regards,
;  Nickolay A. Kritsky
; SysAdmin STAR Software LLC
; mailto:nkritsky@star-sw.com
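The diagnosis above rests on reading the two captures together: the SYN arrives on em0, the rdr rewrites it and it shows up on em1 addressed to 192.168.1.54, but no SYN-ACK ever comes back on em1, and the server instead ARPs for 192.168.1.1. The script below is an added example, not part of this thread and not a FreeBSD or pf tool; it parses tcpdump lines in the old flag syntax shown above, correlates the outside and inside captures for a redirected port, and names the stage at which the round trip breaks. The sample captures are constructed from the lines quoted in the thread (plus a constructed "healthy" inside capture for comparison), and the NAT box's inside address 192.168.1.55 is taken from the diagram.

```python
import re

# Constructed samples modelled on the captures quoted in the thread (old tcpdump
# flag syntax: "S" for SYN, "S ... ack N" for SYN-ACK).
EM0_CAPTURE = """\
12:51:57.118746 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:52:00.153017 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
"""
EM1_CAPTURE = """\
12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
"""
# Constructed "healthy" inside capture: the server answers with a SYN-ACK.
EM1_HEALTHY = """\
12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:51:57.119100 IP 192.168.1.54.80 > 24.215.185.142.1343: S 1912000000:1912000000(0) ack 2887552007 win 65535 <mss 1460>
"""

TCP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)(?P<rest>.*)$")
ARP_RE = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")


def parse_capture(text):
    """Turn tcpdump text into a list of dicts; unrecognised lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            d = m.groupdict()
            packets.append({"kind": "tcp", "src": d["src"], "sport": int(d["sport"]),
                            "dst": d["dst"], "dport": int(d["dport"]),
                            "syn": "S" in d["flags"], "ack": " ack " in d["rest"]})
            continue
        m = ARP_RE.match(line)
        if m:
            packets.append({"kind": "arp", "target": m["target"], "sender": m["sender"]})
    return packets


def diagnose(outside_text, inside_text, nat_inside_addr, rdr_target, rdr_port=80):
    """Correlate the outside and inside captures of a redirected port and report
    which stage of the round trip fails."""
    outside = parse_capture(outside_text)
    inside = parse_capture(inside_text)
    inbound_syn = [p for p in outside if p["kind"] == "tcp" and p["dport"] == rdr_port
                   and p["syn"] and not p["ack"]]
    translated = [p for p in inside if p["kind"] == "tcp" and p["dst"] == rdr_target
                  and p["dport"] == rdr_port and p["syn"] and not p["ack"]]
    replies = [p for p in inside if p["kind"] == "tcp" and p["src"] == rdr_target
               and p["sport"] == rdr_port]
    # The server must ARP for its next hop to answer an off-subnet client. An ARP
    # for anything other than the NAT box's inside address is a strong hint (not
    # proof, since hosts ARP for peers too) that its default route points elsewhere.
    stray_arp = []
    for p in inside:
        if (p["kind"] == "arp" and p["sender"] == rdr_target
                and p["target"] != nat_inside_addr and p["target"] not in stray_arp):
            stray_arp.append(p["target"])
    result = {"inbound_syn": len(inbound_syn), "translated_syn": len(translated),
              "server_replies": len(replies), "stray_arp_targets": stray_arp}
    if not inbound_syn:
        result["verdict"] = "no-inbound-syn: nothing reached the outside interface"
    elif not translated:
        result["verdict"] = "rdr-not-matching: SYN seen outside but not redirected inside"
    elif not replies and stray_arp:
        result["verdict"] = ("asymmetric-return: server answers via %s, not via %s"
                             % (", ".join(stray_arp), nat_inside_addr))
    elif not replies:
        result["verdict"] = "server-silent: redirect works but the server never replies"
    else:
        result["verdict"] = ("inside-ok: reply comes back through the NAT box; "
                             "check state/nat on the outside interface next")
    return result


if __name__ == "__main__":
    for name, inside in (("thread", EM1_CAPTURE), ("healthy", EM1_HEALTHY)):
        r = diagnose(EM0_CAPTURE, inside, "192.168.1.55", "192.168.1.54")
        print(name, r["verdict"])
```

Run against the thread's captures it reports `asymmetric-return: server answers via 192.168.1.1, not via 192.168.1.55`, which is exactly the default-gateway mismatch pointed out above; the constructed healthy capture reports `inside-ok`. The check is deliberately conservative: it only flags the reply path when the inside capture shows redirected SYNs with no reply from the server at all.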
