From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 08:13:17 2011
From: h bagade
Sender: s.khanchi@gmail.com
To: freebsd-pf@freebsd.org
Date: Sun, 21 Aug 2011 12:18:24 +0430
Subject: problem with setting nat
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi all,

I am trying to use pf nat rules with pool support on FreeBSD 8.0, working together with ipfw as the main firewall.

According to the NAT concepts I found in manuals and docs, the NAT concept is to map the source address to the NATted address when sending packets from that source, and then map the destination address of the related reply packets back. But when I define pf nat rules with a pool of IP addresses that are not configured on the outside interface, the outgoing traffic is NATted to one of the pool addresses, but the response does not come back via that interface so that pf could map the destination address back to the real one. Here is one of the configs I used during my tests:

configurations:
pf.conf:
nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2, 172.16.10.3, 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.10.7, 172.16.10.8, 172.16.10.9, 172.16.10.10 }

main system configurations:
eth0: 11.11.11.1
eth1: 172.16.10.64

system A: directly connected to eth0 - 11.11.11.11
system B: directly connected to eth1 - 172.16.10.65

In this config the default route of system A and system B is the middle system's directly connected IP address.

As mentioned, when system A pings system B, the ping requests are NATted to 172.16.10.1 and received at system B, but system B doesn't send ICMP replies because it doesn't know to whom it should send them (no answer to system B's ARP requests about who has the NATted IP).

Now my question is: isn't it pf nat's responsibility to manage this condition and send the ARP replies to system B? Or are my configs wrong? Or have I misunderstood the NAT concepts?

Any ideas or help are really appreciated, as I have to set this NAT up on my main system ASAP.

Thanks in advance.
From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 09:31:28 2011
From: "Bartek W. aka Mastier" <mistrzipan@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sun, 21 Aug 2011 11:09:12 +0200
Message-ID: <4E50CB38.1050204@gmail.com>
Subject: Re: problem with setting nat

On 21.08.2011 09:48, h bagade wrote:
> Hi all,
>
> I am trying to use pf nat rules with pool support on FreeBSD 8.0, working
> together with ipfw as the main firewall. According to the NAT concepts I
> found in manuals and docs, the NAT concept is to map the source address to
> the NATted address when sending packets from that source and then map the
> destination address of the related reply packets.
>
> But when I define pf nat rules with a pool of IP addresses that are not
> configured on the outside interface, the outgoing traffic is NATted to one
> of the pool addresses but the response does not come back via that
> interface so that pf could map the destination address back to the real
> one. Here is one of the configs I used during my tests:
>
> configurations:
> pf.conf:
> nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2,
> 172.16.10.3, 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.10.7,
> 172.16.10.8, 172.16.10.9, 172.16.10.10 }
>
> main system configurations:
> eth0: 11.11.11.1
> eth1: 172.16.10.64
>
> system A: directly connected to eth0 - 11.11.11.11
> system B: directly connected to eth1 - 172.16.10.65
>
> In this config the default route of system A and system B is the middle
> system's directly connected IP address.
>
> As mentioned, when system A pings system B, the ping requests are NATted to
> 172.16.10.1 and received at system B, but system B doesn't send ICMP replies
> because it doesn't know to whom it should send the replies (no answer to
> system B's ARP requests about who has the NATted IP).

Man, ok, let's start from the beginning: these are your NAT addresses

{172.16.10.1, 172.16.10.2, 172.16.10.3, 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.10.7, 172.16.10.8, 172.16.10.9, 172.16.10.10}

But none of them is set on your routing/NATting system's interface, come on :-D How can it receive the response over the link layer (L2) if it doesn't have the IP that is substituted in for the packets to get back to? If you are doing NAT to 172.16.10.1, you should have 172.16.10.1 on your auxiliary interface, not 172.16.10.64. Or probably you could make the NAT like i.e. .... -> {172.16.10.0/24, ... }, but I have never tried it like that.

> Now my question is, isn't it pf nat's responsibility to manage this
> condition and send the ARP replies to system B?

Hell no, ARP replies? Man, this is link layer, ARP is from the link layer. To have an ARP response (NOT PING, ping is layer 3, the IP layer) both sides must share the same network; the NATting machine can see the ARP from both sides, but system A and system B can't see each other's.

> Or are my configs wrong?
> Or have I misunderstood the NAT concepts?

You should do some reading; there is more than one so-called NAT technique. In PF, in your situation, when a packet is going out from system A to system B, the source address is switched to the NAT machine's and, in the case of a port-enabled protocol like TCP and UDP, a random port is chosen and waits for the response on that port. When it comes from system B it is right away redirected to system A. I don't know how it works for ICMP (i.e. ping); it is in some way "remembered" who is waiting for the response.

> Any ideas or help are really appreciated as I have to set this NAT up on my
> main system ASAP.
> Thanks in advance.
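Added example, not code from the thread: a POSIX shell script that does the check Bartek's reply calls for. It compares the pool in the nat rule with the addresses actually configured on the outside interface, lists the pool members that nobody on the segment will answer ARP for (the ones system B's ARP requests go unanswered for), and prints either the ifconfig alias commands that put those addresses on the interface (Bartek's suggestion) or published ARP entries that make the box answer for them without owning them (the proxy ARP that olli hauer mentions later in the thread). The interface name em1 stands in for the thread's eth1, the MAC 00:11:22:33:44:55 is assumed to be the NAT box's MAC on that interface, and the ifconfig output is constructed rather than a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a pf NAT pool against the
# addresses configured on the outside interface and prints the commands that
# make the NAT box answer ARP for the pool members it does not yet own.
# Assumptions: interface "em1" stands in for the thread's eth1, and
# 00:11:22:33:44:55 is the NAT box's MAC on that interface.

# Constructed sample of `ifconfig em1` output (not a real capture): the
# primary address from the thread plus one pool member already aliased.
IFCONFIG_SAMPLE='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:11:22:33:44:55
	inet 172.16.10.64 netmask 0xffffff00 broadcast 172.16.10.255
	inet 172.16.10.1 netmask 0xffffffff broadcast 172.16.10.1'

# The pool from the pf.conf nat rule in the thread.
POOL='172.16.10.1 172.16.10.2 172.16.10.3 172.16.10.4 172.16.10.5
172.16.10.6 172.16.10.7 172.16.10.8 172.16.10.9 172.16.10.10'

# configured_addrs IFCONFIG_TEXT: the IPv4 addresses on the interface, one
# per line (inet6 lines are skipped because $1 is "inet6", not "inet").
configured_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# missing_pool_addrs IFCONFIG_TEXT POOL: pool members not configured on the
# interface, one per line. These are the addresses system B's ARP requests
# go unanswered for, so its replies never reach pf.
missing_pool_addrs() {
    have=" $(configured_addrs "$1" | tr '\n' ' ')"
    for a in $2; do
        case "$have" in
            *" $a "*) ;;
            *) printf '%s\n' "$a" ;;
        esac
    done
}

# alias_commands IFNAME ADDR...: ifconfig alias lines (Bartek's approach).
# The /32 netmask keeps each alias from installing a second subnet route;
# the rc.conf form is ifconfig_em1_aliasN="inet ADDR netmask 255.255.255.255".
alias_commands() {
    ifname=$1; shift
    for a in "$@"; do
        printf 'ifconfig %s inet %s netmask 255.255.255.255 alias\n' "$ifname" "$a"
    done
}

# proxy_arp_commands MAC ADDR...: published ARP entries (proxy ARP). The box
# answers ARP for ADDR with its own MAC without owning the address; the
# reply then arrives on em1, matches the pf state and is translated back.
proxy_arp_commands() {
    mac=$1; shift
    for a in "$@"; do
        printf 'arp -s %s %s pub\n' "$a" "$mac"
    done
}

main() {
    missing=$(missing_pool_addrs "$IFCONFIG_SAMPLE" "$POOL")
    if [ -z "$missing" ]; then
        echo "every pool address is configured on em1"
        return 0
    fi
    echo "# pool addresses nobody answers ARP for:"
    printf '%s\n' "$missing"
    echo "# fix 1: alias them on the outside interface"
    alias_commands em1 $missing
    echo "# fix 2: or publish proxy-ARP entries for them"
    proxy_arp_commands 00:11:22:33:44:55 $missing
}

main "$@"
```

Run it on the NAT box with the real `ifconfig em1` output in place of the sample. Both fixes put the pool inside the box's own ARP domain, which is exactly the integrity problem Bartek raises later: a second host that is later given 172.16.10.5 will collide with it. The route olli hauer proposes later in the thread avoids ARP for the pool entirely: on system B, in FreeBSD syntax, `route add -net 172.16.10.0/26 172.16.10.64` sends the whole /26 (which holds both the pf pool and the Cisco pool .1-.63, and not the box's own .64) to the NAT box, where the existing pf state reverses the translation on the inbound pass before routing; the trade-off is that every peer on that segment needs the route.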
From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 10:10:31 2011
From: Sara Khanchi <s.khanchi@gmail.com>
To: "Bartek W. aka Mastier" <mistrzipan@gmail.com>
Cc: freebsd-pf@freebsd.org
Date: Sun, 21 Aug 2011 14:40:29 +0430
In-Reply-To: <4E50CB38.1050204@gmail.com>
Subject: Re: problem with setting nat

Thanks for your detailed response. It solved my questions about how NAT works in pf. Based on your answer, the NAT pool addresses must be defined on the external interfaces, and it is not the responsibility of NAT itself to do these assignments. It seems rational.

What makes me confused, and made me ask the question here, is that in the Cisco configuration there is no IP assigned to the external interfaces, and just by defining the pool addresses and defining NAT from the inside source addresses to the pool addresses, the NAT works fine! I've put a sample of the Cisco config in the following.

Here is the Cisco config:
---------------------------------------------------------------------------
interface GigabitEthernet0/0
 ip address 11.11.11.1 255.255.255.0
 ip nat inside                      #inside interface
!
interface GigabitEthernet0/1
 ip address 172.16.10.64 255.255.255.0
 ip nat outside                     #outside interface

ip nat pool test 172.16.10.1 172.16.10.63 prefix-length 24   #define the pool of addresses
ip nat inside source list 7 pool test   #apply nat on access-list 7 ip addresses
!
access-list 7 permit 11.11.11.0 0.0.0.31   #determine which ip addresses should be natted on the way outside
---------------------------------------------------------------------------

As you see there is no IP assigned in the range 172.16.10.1-172.16.10.63 on the outside interface, but the traffic is NATted on the way outside, the responses are received on GigabitEthernet0/1 and the reverse NAT is done.

Do you have any idea what happens in the Cisco NATting process?
What should I do to simulate the Cisco NAT procedure? Should I handle this situation manually, apart from the pf nat routine?

From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 11:21:26 2011
From: "Bartek W. aka Mastier" <mistrzipan@gmail.com>
To: Sara Khanchi
Cc: freebsd-pf@freebsd.org
Date: Sun, 21 Aug 2011 13:21:20 +0200
Message-ID: <4E50EA30.8070706@gmail.com>
References: <4E50CB38.1050204@gmail.com>
Subject: Re: problem with setting nat

On 21.08.2011 12:10, Sara Khanchi wrote:
> Thanks for your detailed response. It solved my questions about how
> NAT works in pf. Based on your answer, the NAT pool addresses must be
> defined on the external interfaces, and it is not the responsibility of
> NAT itself to do these assignments. It seems rational.
>
> What makes me confused, and made me ask the question here, is that
> in the Cisco configuration there is no IP assigned to the external
> interfaces, and just by defining the pool addresses and defining NAT
> from the inside source addresses to the pool addresses, the NAT works
> fine! I've put a sample of the Cisco config in the following.
>
> Here is the Cisco config:
> ---------------------------------------------------------------------------
> interface GigabitEthernet0/0
>  ip address 11.11.11.1 255.255.255.0
>  ip nat inside                      #inside interface
> !
> interface GigabitEthernet0/1
>  ip address 172.16.10.64 255.255.255.0
>  ip nat outside                     #outside interface
>
> ip nat pool test 172.16.10.1 172.16.10.63 prefix-length 24   #define the pool of addresses
> ip nat inside source list 7 pool test   #apply nat on access-list 7 ip addresses
> !
> access-list 7 permit 11.11.11.0 0.0.0.31   #determine which ip addresses should be natted on the way outside
> ---------------------------------------------------------------------------
>
> As you see there is no IP assigned in the range
> 172.16.10.1-172.16.10.63 on the outside interface, but the traffic is
> NATted on the way outside, the responses are received on
> GigabitEthernet0/1 and the reverse NAT is done.
>
> Do you have any idea what happens in the Cisco NATting process? What
> should I do to simulate the Cisco NAT procedure? Should I handle this
> situation manually, apart from the pf nat routine?

Actually, I'm more familiar with *BSD and Linux systems. AFAIK, Cisco does some magic (which is IMHO weird), like binding to listen on an address not attached to any interface, and the rest works as I specified. I think it should be the address on the interface, because it breaks network integrity. Imagine that someone puts a machine in the network with that address, not knowing that the NAT machine replies on that address (maybe not, maybe it only replies when the packet is coming back in a stateful firewall).

Now I do understand your situation. Actually I don't see any point in giving a pool of NAT addresses. Maybe for an ISP it is convenient if their clients are behind NAT, and some of them messed something up and the address is locked down for sending spam etc. Then it might be excluded from the NAT pool, which is cool. In my experience as a sysadmin, I suspect it might be a nice feature. I haven't heard of convenient handling of NAT pools in *BSD and Linux, sorry :-) Maybe someone else will give you some tips. I would also like to learn something from it.
From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 14:07:47 2011
From: olli hauer <ohauer@gmx.de>
To: h bagade
Cc: freebsd-pf@freebsd.org
Date: Sun, 21 Aug 2011 15:41:12 +0200
Message-ID: <4E510AF8.9090009@gmx.de>
Subject: Re: problem with setting nat

On 2011-08-21 09:48, h bagade wrote:
> Hi all,
>
> I am trying to use pf nat rules with pool support on FreeBSD 8.0, working
> together with ipfw as the main firewall.
>
> pf.conf:
> nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2,
> 172.16.10.3, 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.10.7,
> 172.16.10.8, 172.16.10.9, 172.16.10.10 }
>
> main system configurations:
> eth0: 11.11.11.1
> eth1: 172.16.10.64
>
> system A: directly connected to eth0 - 11.11.11.11
> system B: directly connected to eth1 - 172.16.10.65
>
> As mentioned, when system A pings system B, the ping requests are NATted to
> 172.16.10.1 and received at system B, but system B doesn't send ICMP replies
> because it doesn't know to whom it should send the replies (no answer to
> system B's ARP requests about who has the NATted IP).
>
> Now my question is, isn't it pf nat's responsibility to manage this
> condition and send the ARP replies to system B?

Nothing magic. Professional firewall products mostly offer to create an automatic proxy ARP entry, or do this without your noticing.

The better way is to create a route on the upstream router; this way you get all the traffic without silly ARP broadcasts.

The following route on the peer should solve your problem:

route add -net 172.16.10.0 netmask 255.255.255.192 gw 172.16.10.64

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 02:45:43 2011
From: Peter Jeremy <peter.jeremy@alcatel-lucent.com>
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Date: Mon, 22 Aug 2011 12:23:36 +1000
Message-ID: <20110822022336.GL6142@pjdesk.au.alcatel-lucent.com>
References: <200710171043.08126.max@love2party.net> <9a542da30710211232v4d3c930fg8ea778a12f3f16cb@mail.gmail.com> <9a542da30710280617t11e668e2o4d122998192f71c@mail.gmail.com> <20081103060321.GA45414@server.vk2pj.dyndns.org> <9a542da30811040753m1a2728bcu365c65da8fb61721@mail.gmail.com> <20110629044233.GB65891@pjdesk.au.alcatel-lucent.com> <20110713010029.GE65891@pjdesk.au.alcatel-lucent.com>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
Subject: Re: [PATCH] PF+dummynet

[This is fairly old but has recently bubbled to the top of my TODO list]

On 2011-Jul-13 23:35:44 +0800, Ermal Luçi wrote:
> I reverted back from having the pipes configured in pfctl because it
> will be a catching game with ipfw.
> To me it seems quite awkward that you cannot use ipfw to do all the
> configuration and just use the pipe/queue numbers for sending traffic
> to it on pfctl.

Whereas, to me it seems awkward that you use pfctl to attach dummynet flows to pf rules but you can't use pfctl to manage the dummynet configuration. I have managed to integrate ipfw/dummynet.c into pfctl and it all seems to work for me - except that flows are not persistent, so my statistics don't work. I am still working through to see if this is something I broke or a new "feature". I hope to forward patches once I'm happy with it.

> To me something that is glued on ipfw should stay there as it will get
> the best support.
> Possibly splitting dummynet configuration out to dnctl might have an argument.

IMHO, it would be a great improvement to separate dummynet from ipfw.

-- 
Peter Jeremy

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 07:25:59 2011
nUhi09rVfOO6qOmKA8ZnaF89qIEuyprVX7V8k= MIME-Version: 1.0 Received: by 10.42.136.199 with SMTP id v7mr2449837ict.81.1313997958029; Mon, 22 Aug 2011 00:25:58 -0700 (PDT) Sender: ermal.luci@gmail.com Received: by 10.231.154.79 with HTTP; Mon, 22 Aug 2011 00:25:57 -0700 (PDT) In-Reply-To: <20110822022336.GL6142@pjdesk.au.alcatel-lucent.com> References: <200710171043.08126.max@love2party.net> <9a542da30710211232v4d3c930fg8ea778a12f3f16cb@mail.gmail.com> <9a542da30710280617t11e668e2o4d122998192f71c@mail.gmail.com> <20081103060321.GA45414@server.vk2pj.dyndns.org> <9a542da30811040753m1a2728bcu365c65da8fb61721@mail.gmail.com> <20110629044233.GB65891@pjdesk.au.alcatel-lucent.com> <20110713010029.GE65891@pjdesk.au.alcatel-lucent.com> <20110822022336.GL6142@pjdesk.au.alcatel-lucent.com> Date: Mon, 22 Aug 2011 09:25:57 +0200 X-Google-Sender-Auth: r1G6Lxt_ahL8prgBiV49BXjonFM Message-ID: From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: Peter Jeremy Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Luigi Rizzo , "freebsd-pf@freebsd.org" Subject: Re: [PATCH] PF+dummynet X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Aug 2011 07:25:59 -0000 On Mon, Aug 22, 2011 at 4:23 AM, Peter Jeremy wrote: > [This is fairly old but has recently bubbled to the top of my TODO list] > > On 2011-Jul-13 23:35:44 +0800, Ermal Lu=E7i wrote: >>I reverted back from having the pipes configured in pfctl because it >>will be a catching game with ipfw. >>To me it seems quite awkward that you cannot use ipfw to do all the >>configuration and >>just use the pipe/queue numbers for sending traffic to it on pfctl. > > Whereas, to me it seems awkward that you use pfctl to attach > dummynet flows to pf rules but you can't use pfctl to manage the > dmmmynet configuration. 
> To me this is a not really useful work. The only needed way for this is just feeling to have a solution integrated. Since 9.0 dummynet can be loaded without ipfw(4) and ipfw(8) tool can be used for it. > I have managed to integrate ipfw/dummynet.c into pfctl and it all > seems to work for me - except that flows are not persistent so that > my statistics doesn't work. =A0I am still working through to see if > this is something I broke or a new "feature". > > I hope to forward patches once I'm happy with it. > >>To me something that is glued on ipfw should stay there as it will get >>the best support. >>Possibly splitting dummynet configuration out to dnctl might have an argu= ment. > > IMHO, it would be a great improvement to separate dummynet from ipfw. > As a start it is very easy to separate dummynet functions from ipfw(8) and come up with a dnctl utility. Later on it can be improved. Just that a big warning would have to be put on ipfw(8) to let many people aware of this. This IMHO would be worth spending time on if you really want to feel dummynet as its own solution. It is not a very big job per se as well. CC'ing Luigi to see what he thinks about this. 
> -- > Peter Jeremy > --=20 Ermal From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 11:07:07 2011 Return-Path: Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CCEE71065688 for ; Mon, 22 Aug 2011 11:07:07 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id BB6318FC17 for ; Mon, 22 Aug 2011 11:07:07 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p7MB77fI097216 for ; Mon, 22 Aug 2011 11:07:07 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p7MB77cM097214 for freebsd-pf@FreeBSD.org; Mon, 22 Aug 2011 11:07:07 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 22 Aug 2011 11:07:07 GMT Message-Id: <201108221107.p7MB77cM097214@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-pf@FreeBSD.org Cc: Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Aug 2011 11:07:08 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. 
Description -------------------------------------------------------------------------------- o kern/159390 pf [pf] [panic] mutex pf task mtx owned at /usr/src/sys/c o kern/159029 pf [pf] [panic] m_copym, offset > size of mbuf chain when o kern/158873 pf [pf] [panic] When I launch pf daemon, I have a kernel o kern/158636 pf [pf] if_pfsync.c fails to build when NBPFILTER == 0 o kern/155736 pf [pf] [altq] borrow from parent queue does not work wit o kern/153307 pf [pf] Bug with PF firewall o kern/148290 pf [pf] "sticky-address" option of Packet Filter (PF) blo o kern/148260 pf [pf] [patch] pf rdr incompatible with dummynet o kern/147789 pf [pf] Firewall PF no longer drops connections by sendin o kern/146832 pf [pf] "(self)" not always matching all local IPv6 addre o kern/143543 pf [pf] [panic] PF route-to causes kernel panic o bin/143504 pf [patch] outgoing states are not killed by authpf(8) o conf/142961 pf [pf] No way to adjust pidfile in pflogd o conf/142817 pf [patch] etc/rc.d/pf: silence pfctl o kern/141905 pf [pf] [panic] pf kernel panic on 7.2-RELEASE with empty o kern/140697 pf [pf] pf behaviour changes - must be documented o kern/137982 pf [pf] when pf can hit state limits, random IP failures o kern/136781 pf [pf] Packets appear to drop with pf scrub and if_bridg o kern/135948 pf [pf] [gre] pf not natting gre protocol o kern/135162 pf [pfsync] pfsync(4) not usable with GENERIC kernel o kern/134996 pf [pf] Anchor tables not included when pfctl(8) is run w o kern/133732 pf [pf] max-src-conn issue o kern/132769 pf [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent f kern/132176 pf [pf] pf stalls connection when using route-to [regress o conf/130381 pf [rc.d] [pf] [ip6] ipv6 not fully configured when pf st o kern/129861 pf [pf] [patch] Argument names reversed in pf_table.c:_co o kern/127920 pf [pf] ipv6 and synproxy don't play well together o conf/127814 pf [pf] The flush in pf_reload in /etc/rc.d/pf does not w o kern/127439 pf [pf] deadlock in pf f 
kern/127345 pf [pf] Problem with PF on FreeBSD7.0 [regression] o kern/127121 pf [pf] [patch] pf incorrect log priority o kern/127042 pf [pf] [patch] pf recursion panic if interface group is o kern/125467 pf [pf] pf keep state bug while handling sessions between s kern/124933 pf [pf] [ip6] pf does not support (drops) IPv6 fragmented o kern/124364 pf [pf] [panic] Kernel panic with pf + bridge o kern/122773 pf [pf] pf doesn't log uid or pid when configured to o kern/122014 pf [pf] [panic] FreeBSD 6.2 panic in pf o kern/120281 pf [pf] [request] lost returning packets to PF for a rdr o kern/120057 pf [pf] [patch] Allow proper settings of ALTQ_HFSC. The c o bin/118355 pf [pf] [patch] pfctl(8) help message options order false o kern/114567 pf [pf] [lor] pf_ioctl.c + if.c o kern/114095 pf [carp] carp+pf delay with high state limit s conf/110838 pf [pf] tagged parameter on nat not working on FreeBSD 5. o kern/103283 pf pfsync fails to sucessfully transfer some sessions o kern/103281 pf pfsync reports bulk update failures o kern/93825 pf [pf] pf reply-to doesn't work o sparc/93530 pf [pf] Incorrect checksums when using pf's route-to on s o kern/92949 pf [pf] PF + ALTQ problems with latency o bin/86635 pf [patch] pfctl(8): allow new page character (^L) in pf. o kern/82271 pf [pf] cbq scheduler cause bad latency 50 problems total. 
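Added example for the "problem with setting nat" thread on this page (it is not code from any of the posters). The point under discussion: pf rewrites the source to a pool address, but nothing on the gateway owns that address, so the upstream's ARP request for it goes unanswered and the reply is never delivered. The script models the thread's topology (LAN 11.11.11.0/24, gateway outside address 172.16.10.64, upstream 172.16.10.65, pool 172.16.10.1-172.16.10.63) and emits the three remedies the thread touches on: proxy ARP entries published with FreeBSD arp(8) "pub", a static route on the upstream whose next hop is the gateway's outside address, or aliasing the pool onto the interface. It also checks that no pool address collides with the gateway, the upstream peer or the subnet's network/broadcast address, which matters because a published ARP entry answers every requester on the segment and would hijack a live host's address. The interface name em1 and the MAC 00:00:5e:00:53:01 are placeholders.

```python
"""Reply-path planning for a pf NAT pool that is not configured on the
outside interface.

Added example for the freebsd-pf "problem with setting nat" thread; not
code from the posters.  Placeholders: interface name "em1", MAC address
00:00:5e:00:53:01 (documentation range).  Addresses come from the thread.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address


def pool_addresses(first: str, last: str) -> list[IPv4Address]:
    """Expand an inclusive first-last range into individual addresses."""
    lo, hi = ip_address(first), ip_address(last)
    if hi < lo:
        raise ValueError("pool range is reversed")
    return [IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]


def smallest_covering_network(first: str, last: str) -> IPv4Network:
    """Widen a /32 until it contains the whole pool; this is the prefix a
    static route for the pool on the upstream has to use."""
    net = IPv4Network(f"{first}/32")
    hi = ip_address(last)
    while hi not in net:
        net = net.supernet()
    return net


def check_pool(pool: list[IPv4Address], outside: str, peer: str) -> list[str]:
    """Checks to run before loading the nat rule.

    outside: the gateway's outside address with prefix, e.g. 172.16.10.64/16.
    peer:    the upstream host.  Returns the problems found (empty = usable).
    A published ARP entry for a live host's address would hijack that host,
    so collisions are treated as errors, not warnings."""
    iface = IPv4Interface(outside)
    problems = []
    for addr in pool:
        if addr == iface.ip:
            problems.append(f"{addr} is the gateway's own outside address")
        if addr == ip_address(peer):
            problems.append(f"{addr} collides with the upstream peer")
        if addr in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
        if addr not in iface.network:
            problems.append(f"{addr} is off-link: ARP cannot help, the upstream needs a route")
    return problems


def pf_nat_rule(lan: str, ifname: str, pool: list[IPv4Address]) -> str:
    """pf.conf nat rule with an explicit address list, like the thread's
    pf.conf; round-robin is the pool type pf uses for a list of addresses."""
    addrs = ", ".join(str(a) for a in pool)
    return f"nat on {ifname} from {lan} to any -> {{ {addrs} }} round-robin"


def proxy_arp_commands(pool: list[IPv4Address], mac: str) -> list[str]:
    """FreeBSD arp(8): a 'pub' entry makes the kernel answer ARP requests for
    the address, so the upstream delivers replies to the gateway's MAC even
    though the address is not configured on any interface."""
    return [f"arp -s {a} {mac} pub" for a in pool]


def upstream_route_commands(first: str, last: str, gateway: str) -> dict:
    """Static route on the upstream peer (the remedy the thread recommends).
    The next hop must be the gateway's outside address."""
    net = smallest_covering_network(first, last)
    return {
        "freebsd": f"route add -net {net} {gateway}",
        "linux": f"ip route add {net} via {gateway}",
    }


def alias_commands(ifname: str, pool: list[IPv4Address]) -> list[str]:
    """Third option: put each pool address on the interface itself, after
    which the kernel answers ARP for it natively."""
    return [f"ifconfig {ifname} inet {a} netmask 255.255.255.255 alias" for a in pool]


if __name__ == "__main__":
    pool = pool_addresses("172.16.10.1", "172.16.10.63")
    for problem in check_pool(pool, "172.16.10.64/16", "172.16.10.65"):
        print("problem:", problem)
    print(pf_nat_rule("11.11.11.0/24", "em1", pool))
    print(*proxy_arp_commands(pool, "00:00:5e:00:53:01")[:3], sep="\n")
    print(upstream_route_commands("172.16.10.1", "172.16.10.63", "172.16.10.64"))
    print(alias_commands("em1", pool)[0])
```

Run it as a script to print the rule and the commands. With a /26 on the outside interface instead of the /16 the thread gives, check_pool reports the pool as off-link; in that case publishing ARP entries on the gateway cannot help and only the upstream route works.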
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 22 13:55:05 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6F46F1065670 for ; Mon, 22 Aug 2011 13:55:05 +0000 (UTC) (envelope-from zeus@relay.ibs.dn.ua) Received: from relay.ibs.dn.ua (relay.ibs.dn.ua [91.216.196.25]) by mx1.freebsd.org (Postfix) with ESMTP id CF38D8FC0A for ; Mon, 22 Aug 2011 13:55:04 +0000 (UTC) Received: from relay.ibs.dn.ua (localhost [127.0.0.1]) by relay.ibs.dn.ua with ESMTP id p7MDt1cZ009970; Mon, 22 Aug 2011 16:55:01 +0300 (EEST) Received: (from zeus@localhost) by relay.ibs.dn.ua (8.14.4/8.14.4/Submit) id p7MDt1bT009969; Mon, 22 Aug 2011 16:55:01 +0300 (EEST) Date: Mon, 22 Aug 2011 16:55:01 +0300 From: Zeus V Panchenko To: Diego Schulz Message-ID: <20110822135501.GE22946@relay.ibs.dn.ua> Mail-Followup-To: Diego Schulz , freebsd-pf@freebsd.org References: <4DD8E815.4090209@herveybayaustralia.com.au> <20110522122229.GD36033@relay.ibs.dn.ua> <4DD9EF87.6070104@herveybayaustralia.com.au> <20110524072550.GB70509@relay.ibs.dn.ua> <4DDBAFF9.20705@herveybayaustralia.com.au> <20110525093449.GD70509@relay.ibs.dn.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i X-Operating-System: FreeBSD 8.1-RELEASE X-Editor: GNU Emacs 23.2.1 X-Face: iVBORw0KGgoAAAANSUhEUgAAACoAAAAqBAMAAAA37dRoAAAAFVBMVEWjjoiZhHDWzcZuW1U wOT+RcGxziJxEN0lIAAABrklEQVQokV2STXLbMAyFQaraE3a5dzSTfR1IF7CQrM3QuECn9z9DH0 gxzgSyFvr88PBD0uJxoR6BE+e8LtRgohE5ZB50sODP/REbfUnte/z12+llCekLUSKenFIMke6Be WinE8H0RJHSN71rUQp64gFDmtDDhRk0zam3FzpNVFprhwPGaFo6oY9wDBJQ9Qz6EuKyROJjDGa+ uza4VOTa8iHlN58Yv5BF9+4BGl0LA5pUD5xKXg4aQlVZm0co3NKxCGxQpu3aC352Gv3DZONmwQd tkrlaylV3YSew7bWtwAZF/zi9jblmprPoL7ktzeFSxmarVNmWRi+Bmxg7Y7tbGtR8XZUxLTo86G thANsssetjp3POuBvMBRlw6jRa5pKN7yVlP+F2lyiZGSMf5hnSU6eAVupmtfjRcxy0momwpxDnz 
06hwnOWvBnUdR8U2/KX7cq26u1Jy5xFZMPOVONRbRUrwey8Qar6cWgf12xSymQuVX0DfYd4R8kN Hg0qCtLeaYZcj8B90M2N0cEX1P0vKSxw7NLy/3X8Qeriusu66jNA37P4Mn5QRTG2hz4d9D/6E3a EX852nwAAAABJRU5ErkJggg== Cc: freebsd-pf@freebsd.org Subject: Re: pf firewall nat and IPSec X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: zeus@ibs.dn.ua List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Aug 2011 13:55:05 -0000 Diego Schulz (dschulz@gmail.com) [11.08.15 03:25] wrote: > Have you considered the possibility that Android is the culprit? > > http://code.google.com/p/android/issues/detail?id=4706 really i gave up with it ... i was trying to ipsec via 3g and was much wondering since no single packet enters ipsec box wan ... though when attempt was made via wifi the packet was appearing indeed ... so, i believe either my cell operator filtering out ipsec traffic or android ipsec is lame ... in any case cyanogenmod+openvpn is better alternative -- Zeus V. 
Panchenko JID:zeus@gnu.org.ua GMT+2 (EET) From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 05:10:49 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BE2CE106566C for ; Tue, 23 Aug 2011 05:10:49 +0000 (UTC) (envelope-from s.khanchi@gmail.com) Received: from mail-pz0-f45.google.com (mail-pz0-f45.google.com [209.85.210.45]) by mx1.freebsd.org (Postfix) with ESMTP id 972E98FC16 for ; Tue, 23 Aug 2011 05:10:49 +0000 (UTC) Received: by pzk33 with SMTP id 33so18686887pzk.18 for ; Mon, 22 Aug 2011 22:10:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=+fAag+y7BeEW6jTVde5Cl9m/RSvkGKYpRj6CR8RmSWI=; b=Lqp8ZGlVY0qC/HIGEo4AUoAYNtR1fEJ/U3kLRvIoXQQbLzJwuG2XEyzUmEj/60oGFM Rke+o3e150p3g6ib06Zat3GgSUSgEv3mydLOTwmSXGByuahwPppKcRPD/xuOlG4gOrH3 0K5T3xgey1fjYvPPuz3svowZ5JQh7RgrbGqKg= MIME-Version: 1.0 Received: by 10.142.135.21 with SMTP id i21mr757580wfd.425.1314076249015; Mon, 22 Aug 2011 22:10:49 -0700 (PDT) Received: by 10.143.26.30 with HTTP; Mon, 22 Aug 2011 22:10:48 -0700 (PDT) In-Reply-To: <4E510AF8.9090009@gmx.de> References: <4E510AF8.9090009@gmx.de> Date: Tue, 23 Aug 2011 09:40:48 +0430 Message-ID: From: Sara Khanchi To: olli hauer Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Re: problem with setting nat X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Aug 2011 05:10:49 -0000 On Sun, Aug 21, 2011 at 6:11 PM, olli hauer wrote: > On 2011-08-21 09:48, h bagade wrote: > > Hi all, > > > > I am trying to use pf nat rules with pool support on 
FreeBsd 8.0, working > > together with ipfw as the main firewall. According to the natting > concepts i > > faced in manuals and docs, nat concept is to map the source address to > the > > natted address when sending the packets from that source and then map the > > destination address of the related reply packets. > > > > but when I define pf nat rules with a pool of IP addresses not available > on > > the outside interface ip addresses, the outgoing traffic is natted to one > of > > the pool addresses but the response is not received via that interface so > > the pf can map the destination address to the real one. here is one of my > > configs i used during my tests: > > > > *configurations:* > > *pf.conf:* > > nat on eth1 from { 11.11.11.0/24} to any -> > > {172.16.10.1,172.16.10.2,172. > > > 16.10.3,172.16.10.4,172.16.10.5,172.16.10.6,172.16.10.7,172.16.10.8,172.16.10.9,172.16.10.10} > > > > main system configurations: > > eth0: 11.11.11.1 > > eth1: 172.16.10.64 > > > > system A: directly connected to eth0- 11.11.11.11 > > system B: directly connected to eth1- 172.16.10.65 > > > > in this configs the dafult route of system A and system B are the middle > > systems connected ip address. > > > > as mentioned, when systemA pings systemB, the ping requests are natted to > > 172.16.10.1 and received at systemB but systemB doesn't send icmp replies > > because it doesn't know to whom it should send the replies (no answer to > > system B 's ARP requests about who has the natted IP). > > > > now my question is, isn't it the pf nat responsibilty to manage this > > condition and send the ARP replies to SystemB? > > or, are my configs wrong? > > or i misunderstood the nat concepts? > > > > any ideas or helps are really appreciated as i have to set this nat on my > > main system, asap. > > Thanks in advance. > > > Nothing magic, > > Professional Firefall products do offer mostly to create an automatic > proxy arp or do this without your notice. 
> > The better way is to create a route on the upstream router, this way > you get all the traffic without silly arp broadcasts. > > The following route on the peer should solve your problem > route add -net 172.16.10.1 gw 172.16.10.65 netmask 255.255.255.192 > > > Defining route is not a proper way to handle this situation. I want to setup a nat router which every one works with it without need to adjust additional configurations on their system and works as the way cisco does. what should be done exactly to simulate cisco? Is there any way to proxy arp? Does ipfw support proxy arp? From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 06:37:15 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6A569106566B for ; Tue, 23 Aug 2011 06:37:15 +0000 (UTC) (envelope-from s.khanchi@gmail.com) Received: from mail-pz0-f45.google.com (mail-pz0-f45.google.com [209.85.210.45]) by mx1.freebsd.org (Postfix) with ESMTP id 3F9098FC12 for ; Tue, 23 Aug 2011 06:37:14 +0000 (UTC) Received: by pzk33 with SMTP id 33so18952136pzk.18 for ; Mon, 22 Aug 2011 23:37:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=JsbZD2OKyRXiP+tqm9xOgN27XQMHmyUfEMphRq/yOJk=; b=SFpaiR14ViqKy/NWbsFGQ/UABhinYI0rcnjWWtfkBV1+Kk3wNQ/8kVHNbbJdtsYYsI n4T2HGiWgpEpsnIJQJUQO4GqFcFHOnc+PEHZbXn6RlELcIbXwsG3Ha5wL4qQYEFI67dO uRuzHx/O5Kbj2JGMxCEfKIWrnFs9+OzbG1Wcc= Received: by 10.142.13.3 with SMTP id 3mr2014322wfm.19.1314081434354; Mon, 22 Aug 2011 23:37:14 -0700 (PDT) MIME-Version: 1.0 Received: by 10.143.26.30 with HTTP; Mon, 22 Aug 2011 23:36:54 -0700 (PDT) In-Reply-To: <4E533FB4.5050403@gmx.de> References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de> From: Sara Khanchi Date: Tue, 23 Aug 2011 11:06:54 +0430 Message-ID: To: olli hauer Content-Type: text/plain; 
charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-pf@freebsd.org Subject: Re: problem with setting nat X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Aug 2011 06:37:15 -0000 On Tue, Aug 23, 2011 at 10:20 AM, olli hauer wrote: > On 2011-08-23 07:10, Sara Khanchi wrote: > > On Sun, Aug 21, 2011 at 6:11 PM, olli hauer wrote: > > > >> On 2011-08-21 09:48, h bagade wrote: > >>> Hi all, > >>> > >>> I am trying to use pf nat rules with pool support on FreeBsd 8.0, > working > >>> together with ipfw as the main firewall. According to the natting > >> concepts i > >>> faced in manuals and docs, nat concept is to map the source address to > >> the > >>> natted address when sending the packets from that source and then map > the > >>> destination address of the related reply packets. > >>> > >>> but when I define pf nat rules with a pool of IP addresses not > available > >> on > >>> the outside interface ip addresses, the outgoing traffic is natted to > one > >> of > >>> the pool addresses but the response is not received via that interface > so > >>> the pf can map the destination address to the real one. here is one of > my > >>> configs i used during my tests: > >>> > >>> *configurations:* > >>> *pf.conf:* > >>> nat on eth1 from { 11.11.11.0/24} to any -> > >>> {172.16.10.1,172.16.10.2,172. > >>> > >> > 16.10.3,172.16.10.4,172.16.10.5,172.16.10.6,172.16.10.7,172.16.10.8,172.16.10.9,172.16.10.10} > >>> > >>> main system configurations: > >>> eth0: 11.11.11.1 > >>> eth1: 172.16.10.64 > >>> > >>> system A: directly connected to eth0- 11.11.11.11 > >>> system B: directly connected to eth1- 172.16.10.65 > >>> > >>> in this configs the dafult route of system A and system B are the > middle > >>> systems connected ip address. 
> >>> > >>> as mentioned, when systemA pings systemB, the ping requests are natted > to > >>> 172.16.10.1 and received at systemB but systemB doesn't send icmp > replies > >>> because it doesn't know to whom it should send the replies (no answer > to > >>> system B 's ARP requests about who has the natted IP). > >>> > >>> now my question is, isn't it the pf nat responsibilty to manage this > >>> condition and send the ARP replies to SystemB? > >>> or, are my configs wrong? > >>> or i misunderstood the nat concepts? > >>> > >>> any ideas or helps are really appreciated as i have to set this nat on > my > >>> main system, asap. > >>> Thanks in advance. > >> > >> > >> Nothing magic, > >> > >> Professional Firefall products do offer mostly to create an automatic > >> proxy arp or do this without your notice. > >> > >> The better way is to create a route on the upstream router, this way > >> you get all the traffic without silly arp broadcasts. > >> > >> The following route on the peer should solve your problem > >> route add -net 172.16.10.1 gw 172.16.10.65 netmask 255.255.255.192 > >> > >> > >> > > Defining route is not a proper way to handle this situation. I want to > setup > > a nat router which every one works with it without need to adjust > additional > > configurations on their system and works as the way cisco does. > > what should be done exactly to simulate cisco? Is there any way to proxy > > arp? Does ipfw support proxy arp? > > > Hi Sara, > > ipfw even does not do proxy arp. > > If I read your top right it looks like this > > lan(11.11.11.0/24) --|switch|-- |(.??) gw (.65)| --|switch|-- > upstream(172.16.10.x/xx) > > Even with cisco as gw or router I place a static route to the upstream or > if can not control the upstream device to the switch between gw and > upstream. > I think last time I used proxy arp is now 10 years ago, reason I'm not > target for arp spoofing on this site of my equipment. 
> Think about the case where you route some public class C networks then arp > is really unproductive. > > -- > olli > The topology is like this: lan(11.11.11.0/24) --|switch|-- |(.1) gw (.64)| --|switch|-- upstream(172.16.10.x/16) nat pool address: 172.16.10.1-172.16.10.63 nat pool address is on the same network of upstream device. May be I don't understand you well. in your first post you've mentioned that I should define an static route on upstream device so it would send packets destined for natted address to the gw. In this post you've talked about defining static route on gw to the upstream? could you explain me more about your suggestion of using static routes instead of proxy-arp solution? however, in the above topology, there is no need to define a static route on upstream device (they are on the same network) in normal condition so it should be applicable when nat is used on gw, right? what's the solution then? From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 07:51:18 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F215E106564A; Tue, 23 Aug 2011 07:51:18 +0000 (UTC) (envelope-from gadidot@gmail.com) Received: from mail-ww0-f50.google.com (mail-ww0-f50.google.com [74.125.82.50]) by mx1.freebsd.org (Postfix) with ESMTP id 645DE8FC15; Tue, 23 Aug 2011 07:51:18 +0000 (UTC) Received: by wwi36 with SMTP id 36so5763343wwi.31 for ; Tue, 23 Aug 2011 00:51:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=W3G8JvJy9XOCmlb04eWwhWPbBan31j1+Iq+gOMHlvoU=; b=cLL+r2qhojJvBgud8i2AmiXpMEz1niqmEb0l194ecYaCMzrEdJbzh6VClx4otGqRu9 ucSE9Jnkd10lV9yR7uEFfyCcQgu3y74d00dM0s+2rZYS4QKtuLBUhYsIGIEXZ9WWs0gF jhLWdoXjM5WdAZ3GReipNPR/c3iZgn+9MCNvM= MIME-Version: 1.0 Received: by 10.216.232.158 with SMTP id n30mr2917573weq.69.1314084568933; Tue, 23 Aug 2011 00:29:28 
-0700 (PDT) Received: by 10.216.61.76 with HTTP; Tue, 23 Aug 2011 00:29:28 -0700 (PDT) Date: Tue, 23 Aug 2011 15:29:28 +0800 Message-ID: From: Gi Dot To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-net@freebsd.org Subject: Error - mysql_connect: Operation not permitted. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Aug 2011 07:51:19 -0000 Hi, I'm getting the following errors in my apache22 log: [Mon Aug 22 23:09:02 2011] [error] [client 192.168.30.10] PHP Warning: mysql_connect(): Operation not permitted in /usr/local/sites/xxx/demonlords4.lib.php on line 23, referer: http://a.b.com/main.php?location=missiondungeon&action=launchstop&perform=start&mid=358 [Mon Aug 22 23:09:03 2011] [error] [client 192.168.30.10] PHP Warning: mysql_connect(): [2002] Operation not permitted (trying to connect via tcp://10.10.10.101:3306) in /usr/local/sites/xxx/demonlords4.lib.php on line 23, referer: http://a.b.com/main.php?location=group [Mon Aug 22 23:09:03 2011] [error] [client 192.168.30.10] PHP Warning: mysql_connect(): Operation not permitted in /usr/local/sites/xxx/demonlords4.lib.php on line 23, referer: http://a.b.com/main.php?location=group . . . [Tue Aug 23 07:31:46 2011] [error] [client 192.168.30.10] PHP Warning: mysql_pconnect(): MySQL server has gone away in /usr/local/sites/xxx/test.php on line 282, referer: http://a.b.com/test.php [Tue Aug 23 07:31:50 2011] [error] [client 192.168.30.10] PHP Warning: mysql_pconnect(): MySQL server has gone away in /usr/local/sites/xxx/test.php on line 282 I just wonder if it could be caused by improper configurations in my pf.conf. 
I have found a couple of threads where the users managed to solve the problem by lowering the value of tcp.closed. It doesn't work for me though (I lowered the value from 90s to 15s). My apache22 run on jails and managed by haproxy. Both haproxy and apache22 reside in the same server (haproxy runs on host, apache22 run on 2 jails). Database also running on a jail but on a different host. All jails are using private IP addresses. Following is my pf.conf on web server(haproxy-1.4.15 & apache-2.2.19): http://pastebin.com/HM7jWH3X And this is my pf.conf on db server (mysql-server-5.5.14): http://pastebin.com/vFB7Jagt Both servers' uname -a: 8.2-RELEASE FreeBSD 8.2-RELEASE #7: Sun Jul 17 06:32:10 CEST 2011 root@webm01.xx.xx:/usr/obj/usr/src/sys/WEBM01 amd64 Appreciate any advice offered. Thanks. From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 08:50:40 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E4D6A106564A for ; Tue, 23 Aug 2011 08:50:40 +0000 (UTC) (envelope-from mistrzipan@gmail.com) Received: from mail-fx0-f54.google.com (mail-fx0-f54.google.com [209.85.161.54]) by mx1.freebsd.org (Postfix) with ESMTP id 6C1F58FC16 for ; Tue, 23 Aug 2011 08:50:40 +0000 (UTC) Received: by fxe4 with SMTP id 4so128673fxe.13 for ; Tue, 23 Aug 2011 01:50:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=eRjTbeQ2J64i6ZsHTbBsIShc4t5aDzSX6KBZLCJGKSg=; b=j8XMRy/yVeR8mgVh1hPbuWqRQvkFwcAD/6yMPpGd8TjXHCuSZTmmS8zZE9j88XdYnq Z6LTK9B8xaJ5yI4Snf3oXPi45j6lanoBR9hi7dlhmHxpMEISOEvWluJE5+4rUavl8zsW PhT/hYw2Vbf35zKjsytcA/tNs819cix4z8LCg= Received: by 10.223.7.66 with SMTP id c2mr5119231fac.0.1314089438640; Tue, 23 Aug 2011 01:50:38 -0700 (PDT) Received: from [192.168.32.109] (dynamic-78-8-54-71.ssp.dialog.net.pl 
[78.8.54.71]) by mx.google.com with ESMTPS id i16sm5773324faa.21.2011.08.23.01.50.35 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 23 Aug 2011 01:50:36 -0700 (PDT) Message-ID: <4E5369DA.1030303@gmail.com> Date: Tue, 23 Aug 2011 10:50:34 +0200 From: "Bartek W. aka Mastier" User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20110812 Thunderbird/6.0 MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: problem with setting nat X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Aug 2011 08:50:41 -0000 W dniu 23.08.2011 08:36, Sara Khanchi pisze: > On Tue, Aug 23, 2011 at 10:20 AM, olli hauer wrote: > >> On 2011-08-23 07:10, Sara Khanchi wrote: >>> On Sun, Aug 21, 2011 at 6:11 PM, olli hauer wrote: >>> >>>> On 2011-08-21 09:48, h bagade wrote: >>>>> Hi all, >>>>> >>>>> I am trying to use pf nat rules with pool support on FreeBsd 8.0, >> working >>>>> together with ipfw as the main firewall. According to the natting >>>> concepts i >>>>> faced in manuals and docs, nat concept is to map the source address to >>>> the >>>>> natted address when sending the packets from that source and then map >> the >>>>> destination address of the related reply packets. >>>>> >>>>> but when I define pf nat rules with a pool of IP addresses not >> available >>>> on >>>>> the outside interface ip addresses, the outgoing traffic is natted to >> one >>>> of >>>>> the pool addresses but the response is not received via that interface >> so >>>>> the pf can map the destination address to the real one. 
here is one of >> my >>>>> configs i used during my tests: >>>>> >>>>> *configurations:* >>>>> *pf.conf:* >>>>> nat on eth1 from { 11.11.11.0/24} to any -> >>>>> {172.16.10.1,172.16.10.2,172. >>>>> >> 16.10.3,172.16.10.4,172.16.10.5,172.16.10.6,172.16.10.7,172.16.10.8,172.16.10.9,172.16.10.10} >>>>> main system configurations: >>>>> eth0: 11.11.11.1 >>>>> eth1: 172.16.10.64 >>>>> >>>>> system A: directly connected to eth0- 11.11.11.11 >>>>> system B: directly connected to eth1- 172.16.10.65 >>>>> >>>>> in this configs the dafult route of system A and system B are the >> middle >>>>> systems connected ip address. >>>>> >>>>> as mentioned, when systemA pings systemB, the ping requests are natted >> to >>>>> 172.16.10.1 and received at systemB but systemB doesn't send icmp >> replies >>>>> because it doesn't know to whom it should send the replies (no answer >> to >>>>> system B 's ARP requests about who has the natted IP). >>>>> >>>>> now my question is, isn't it the pf nat responsibilty to manage this >>>>> condition and send the ARP replies to SystemB? >>>>> or, are my configs wrong? >>>>> or i misunderstood the nat concepts? >>>>> >>>>> any ideas or helps are really appreciated as i have to set this nat on >> my >>>>> main system, asap. >>>>> Thanks in advance. >>>> >>>> Nothing magic, >>>> >>>> Professional Firefall products do offer mostly to create an automatic >>>> proxy arp or do this without your notice. >>>> >>>> The better way is to create a route on the upstream router, this way >>>> you get all the traffic without silly arp broadcasts. >>>> >>>> The following route on the peer should solve your problem >>>> route add -net 172.16.10.1 gw 172.16.10.65 netmask 255.255.255.192 >>>> >>>> >>>> >>> Defining route is not a proper way to handle this situation. I want to >> setup >>> a nat router which every one works with it without need to adjust >> additional >>> configurations on their system and works as the way cisco does. 
>>> What should be done exactly to simulate cisco? Is there any way to proxy
>>> arp? Does ipfw support proxy arp?
>>
>> Hi Sara,
>>
>> ipfw does not even do proxy arp.
>>
>> If I read your top right, it looks like this:
>>
>> lan(11.11.11.0/24) --|switch|-- |(.??) gw (.65)| --|switch|-- upstream(172.16.10.x/xx)
>>
>> Even with cisco as gw or router I place a static route on the upstream, or,
>> if I cannot control the upstream device, on the switch between gw and
>> upstream.
>> I think the last time I used proxy arp is now 10 years ago; the reason is
>> that I'm not a target for arp spoofing on this side of my equipment.
>> Think about the case where you route some public class C networks; then arp
>> is really unproductive.
>>
>> --
>> olli
>>
> The topology is like this:
>
> lan(11.11.11.0/24) --|switch|-- |(.1) gw (.64)| --|switch|-- upstream(172.16.10.x/16)
> nat pool address: 172.16.10.1-172.16.10.63
> The nat pool address is on the same network as the upstream device.
>
> Maybe I don't understand you well. In your first post you mentioned that
> I should define a static route on the upstream device so it would send packets
> destined for the natted address to the gw. In this post you've talked about
> defining a static route on the gw to the upstream? Could you explain to me
> more about your suggestion of using static routes instead of the proxy-arp
> solution?
>
> However, in the above topology, there is no need to define a static route on
> the upstream device (they are on the same network) in normal conditions, so it
> should be applicable when nat is used on the gw, right? What's the solution
> then?
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

I completely don't see the point of using arp-proxy at all. Can you enlighten
me? You need to connect two networks; also, is there any point of using nat at all?
Instead of just routing traffic between them, unless one of them is the
Internet or some MAN/WAN network.

As Olli mentioned, you need to add a route if you don't want to put the nat
address on the interface. I don't know any ARP proxy software for FreeBSD,
because I've never used one. So, ok, Olli was kind enough to clear things out;
he seems to have better experience in these matters.

Btw. Sara, please, possibly use "Answer in list" instead of "Answer to me with
Cc to list" in your mail client :-) Or just send back to freebsd-pf@freebsd.org.
Thanks.

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 09:49:18 2011
In-Reply-To: <4E5369DA.1030303@gmail.com>
References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de>
  <4E5369DA.1030303@gmail.com>
From: Sara Khanchi
Date: Tue, 23 Aug 2011 14:18:55 +0430
To: freebsd-pf@freebsd.org
Subject: Re: problem with setting nat

On Tue, Aug 23, 2011 at 1:20 PM, Bartek W. aka Mastier wrote:
> On 23.08.2011 08:36, Sara Khanchi wrote:
>> [...]
>
> I completely don't see the point of using arp-proxy at all. Can you enlighten
> me? You need to connect two networks; also, is there any point of using nat
> at all?
> Instead of just routing traffic between them, unless one of them is the
> Internet or some MAN/WAN network.
>
> As Olli mentioned, you need to add a route if you don't want to put the nat
> address on the interface. I don't know any ARP proxy software for FreeBSD,
> because I've never used one. So, ok, Olli was kind enough to clear things out;
> he seems to have better experience in these matters.
>
> Btw. Sara, please, possibly use "Answer in list" instead of "Answer to me
> with Cc to list" in your mail client :-) Or just send back to
> freebsd-pf@freebsd.org. Thanks.
>

I've just put an example in the previous post to clarify my purpose. The gw
system in the sample is possibly a stub router connecting a network to, let's
say, the internet. What I actually want to figure out is: when I define nat on
the stub router, without any need to define static routes on other systems,
would it be possible to get nat working properly, as happens in a cisco stub
router using nat?

According to what is discussed here, I believe the only way is to use arp-proxy
for the pool addresses. In this way, there is no difference for other systems
whether the stub router is using nat or not? It's the duty of the nat router to
handle the consequences of natting (replying to responses to the natted
addresses that are not really available). I think maybe adding entries to the
arp table using the arp command does the proxy-arping.

As I understand it, and I'm not sure my understanding is correct, Olli suggests
defining static routes on the upstream router to send packets destined for pool
addresses to the gw.
In this scenario, the nat process is not transparent any more, and the
upstream system should be aware of it and support it by adding static routes,
which is undesirable.

p.s. I've used the "reply all" button in gmail and it sets the to and cc
fields itself. Sorry if this bothers you. I will take care of it :)

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 10:23:56 2011
Message-ID: <4E537FB6.7000100@gmail.com>
Date: Tue, 23 Aug 2011 12:23:50 +0200
From: "Bartek W.
  aka Mastier"
To: freebsd-pf@freebsd.org
References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de>
  <4E5369DA.1030303@gmail.com>
Subject: Re: problem with setting nat

On 23.08.2011 11:48, Sara Khanchi wrote:
>> [...]
>
> I've just put an example in the previous post to clarify my purpose. The gw
> system in the sample is possibly a stub router connecting a network to, let's
> say, the internet. What I actually want to figure out is: when I define nat
> on the stub router, without any need to define static routes on other
> systems, would it be possible to get nat working properly, as happens in a
> cisco stub router using nat?

It seems that it automatically makes an arp proxy. But this is.. an extra.
Actually not necessary, unless you badly want arping everyone and L2 access
between networks. Cisco is sooo pro. Don't be surprised that the opensource
world doesn't have "out-of-the-box features" which are provided by Cisco to be
"more pro".

> According to what is discussed here, I believe the only way is to use arp-proxy
> for the pool addresses. In this way, there is no difference for other
> systems whether the stub router is using nat or not?
> It's the duty of the nat router to
> handle the consequences of natting (replying to responses to the natted
> addresses that are not really available). I think maybe adding entries to the
> arp table using the arp command does the proxy-arping.

If a host asks for reverse arp, like, ok, I got in my arp table the address
xx:xx:xx:xx:xx:xx (hex symbols only ;) ). It came from a different network,
but I still got it because there was some arp proxy magic. If not, the packet
got the IP address from the right host and the MAC from the gateway. What's the
big deal? This is how it works.
For the purpose of network scanning/monitoring between two networks, of
course, arp proxy would be helpful, because otherwise you cannot definitely
say that a host is on/off. But for that reason the ICMP protocol was created,
to make the hosts respond on layer 3. If a host does not respond to an echo
request, the nearest gateway/router can send an ICMP packet back, "Destination
host unreachable", depending on the router's firewall behaviour.
For example, some "strange network operator" set a static arp entry on the
router (79.110.195.x) for an unused IP; here is the example. What happens then:

$ ping 79.110.199.y
PING 79.110.199.y (79.110.199.y) 56(84) bytes of data.
From 79.110.195.x icmp_seq=1 Time to live exceeded
From 79.110.195.x icmp_seq=2 Time to live exceeded
From 79.110.195.x icmp_seq=3 Time to live exceeded
From 79.110.195.x icmp_seq=4 Time to live exceeded

The packets are looped on the router until the TTL falls down to zero.

> As I understand it, and I'm not sure my understanding is correct, Olli suggests
> defining static routes on the upstream router to send packets destined for pool
> addresses to the gw. In this scenario, the nat process is not transparent
> any more, and the upstream system should be aware of it and support it by
> adding static routes, which is undesirable.

I don't think so; why *must* NAT be transparent? Look at the Internet: how
do you know whether some public IP address, either PI or PA, is a gateway or a
leaf on the network tree?
Unless you own/manage both sides of the nat, you make them behave the most
desired way.

> p.s. I've used the "reply all" button in gmail and it sets the to and cc
> fields itself. Sorry if this bothers you. I will take care of it :)

In a mailing list, you just use answer, because everyone will get it, because
the mailing list software will "spread the word" to all subscribers :-) I don't
use the gmail webclient on a daily basis, but I assumed that clicking "Answer"
to a mail like mine now will add the "freebsd-pf@freebsd.org" address (only!)
as a receiver straight away.

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 10:27:38 2011
Date: Tue, 23 Aug 2011 10:27:37 +0000 (UTC)
From: Janne Snabb
To: freebsd-pf@freebsd.org
In-Reply-To: <4E5369DA.1030303@gmail.com>
References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de>
  <4E5369DA.1030303@gmail.com>
Subject: Re: problem with setting nat

On Tue, 23 Aug 2011, Bartek W. aka Mastier wrote:

> I completely don't see the point of using arp-proxy at all.
> Can you enlighten me?

I do not know about the particular needs of the OP. I have not been
paying attention. Sorry if I misunderstood something.

But in the real world:

- The upstream router is often managed by the ISP and there might be no way
  to put a static route towards the firewall in that router.

- The available external IP block may be too small to allow subnetting it
  into "outside of the firewall" and "inside of the firewall" networks. This
  is becoming more and more of an issue as the IPv4 address space has already
  run out but people have not migrated to IPv6.

- The IP addresses might have been previously assigned without thinking that
  there would be a firewall in future. Then later it is decided that a
  firewall is needed, but it is not possible to renumber the IP addresses of
  every host (due to lack of budget, skills, documentation, etc).

All of the above are very common situations in small to medium businesses.
Proxy ARP on the firewall solves all of them easily. You just turn it on and
everything works.
(Please do not misunderstand me: I am not saying that it is an elegant
solution. However, in many cases it is the only practical solution.)

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/

From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 10:42:16 2011
Message-ID: <4E538400.7050804@aws-net.org.ua>
Date: Tue, 23 Aug 2011 13:42:08 +0300
From: Artyom Viklenko
Organization: Art&Co.
To: freebsd-pf@freebsd.org
References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de>
  <4E5369DA.1030303@gmail.com>
Subject: Re: problem with setting nat

On 23.08.2011 13:27, Janne Snabb wrote:
> On Tue, 23 Aug 2011, Bartek W. aka Mastier wrote:
>
>> I completely don't see the point of using arp-proxy at all.
>> Can you enlighten me?
>
> I do not know about the particular needs of the OP. I have not been
> paying attention. Sorry if I misunderstood something.
>
> But in the real world:
>
> - The upstream router is often managed by the ISP and there might
> be no way to put a static route towards the firewall in that router.

In any case, if you want to use some globally routable IPs for whatever
purpose on your side, the ISP already has to configure a route for these IPs
toward your (customer) router. Typically, this is exactly a static route
(which is then distributed on the ISP's backbone using OSPF or the like). If
you build some intranet with nat in some places, nothing changes but the IP
space.

> - The available external IP block may be too small to allow subnetting
> it into "outside of the firewall" and "inside of the firewall" networks.
> This is becoming more and more of an issue as the IPv4 address space
> has already run out but people have not migrated to IPv6.
You can use a small IP block on your internal LAN and use some of the
addresses on the firewall itself, not on the "outside of the firewall".

> - The IP addresses might have been previously assigned without thinking
> that there will be a firewall in future. Then later it is decided that a
> firewall is needed but it is not possible to renumber the IP addresses
> of every host (due to lack of budget, skills, documentation, etc).

A bridging firewall can solve this problem.

> All of the above are very common situations in small to medium
> businesses. Proxy ARP on the firewall solves all of them easily.
> You just turn it on and everything works.

If your ISP, and moreover the world, doesn't know how to reach IP v.x.y.z,
proxy arp will not help at all.

> (Please do not misunderstand me: I am not saying that it is an
> elegant solution. However in many cases it is the only practical
> solution.)
>
> --
> Janne Snabb / EPIPE Communications
> snabb@epipe.com - http://epipe.com/

--
Sincerely yours,
Artyom Viklenko.
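The disagreement in the messages above (proxy ARP on the NAT box versus a static route on the upstream) comes down to one check: whether each pool address falls inside the external interface's subnet. An on-link pool address is one the upstream host will ARP for, and nothing answers unless the NAT box publishes it or carries it as an alias; an off-link address is never ARPed for and only comes back if the upstream has a route pointing at the NAT box, which is Artyom's point that proxy ARP cannot help there. pf itself has no problem with either: once the reply frame reaches the box, the state table maps the destination back regardless of which pool address it arrived on. The script below is an added example written for this thread, not code from any of the messages or from the pf project. It uses the thread's addresses (gateway 172.16.10.64, pool 172.16.10.1-172.16.10.63, inside net 11.11.11.0/24); the function names, the /16 and /26 prefixes tried in the tests, and the choice of round-robin are assumptions of mine.

```python
"""Decide how replies to a pf NAT pool get back to the NAT box.

Added example for the freebsd-pf thread above, not code from any message
in it. Addresses are the thread's; helper names and prefixes are mine.
"""
import ipaddress
from typing import Dict, List

IPv4 = ipaddress.IPv4Address


def pool_addresses(first: str, last: str) -> List[IPv4]:
    """Expand an inclusive range such as 172.16.10.1 - 172.16.10.63."""
    lo, hi = IPv4(first), IPv4(last)
    if hi < lo:
        raise ValueError("pool range end precedes its start")
    return [IPv4(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]


def classify_pool(ext_if_cidr: str, first: str, last: str) -> Dict[str, list]:
    """Split a NAT pool by how the upstream will try to deliver replies.

    on_link  - inside the external interface's subnet: the upstream host ARPs
               for the address; the NAT box must publish it (proxy ARP) or
               carry it as an alias, or the reply is dropped at layer 2.
    off_link - outside that subnet: no ARP is ever sent; the upstream router
               needs a route for the address pointing at the NAT box.
    clashes  - the interface's own address, the network address or the
               broadcast address: unusable as a translation source.
    """
    iface = ipaddress.IPv4Interface(ext_if_cidr)
    net = iface.network
    result: Dict[str, list] = {"on_link": [], "off_link": [], "clashes": []}
    for addr in pool_addresses(first, last):
        if addr in (iface.ip, net.network_address, net.broadcast_address):
            result["clashes"].append(addr)
        elif addr in net:
            result["on_link"].append(addr)
        else:
            result["off_link"].append(addr)
    return result


def pf_nat_rule(ext_if: str, internal_net: str, pool: List[IPv4]) -> str:
    """pf.conf translation rule over an explicit address list, as in the
    original post; round-robin spreads new states across the pool."""
    addrs = ", ".join(str(a) for a in pool)
    return f"nat on {ext_if} from {internal_net} to any -> {{ {addrs} }} round-robin"


def proxy_arp_commands(pool: List[IPv4]) -> List[str]:
    """FreeBSD arp(8) 'published' entries: the NAT box answers ARP requests
    for each pool address with the MAC of its interface on that subnet
    ('auto' selects it). To be run on the NAT box, as root."""
    return [f"arp -S {a} auto pub" for a in pool]


def upstream_route_commands(pool: List[IPv4], nat_box: str) -> List[str]:
    """Host routes the upstream router needs for off-link pool addresses
    (FreeBSD route(8) syntax; a Cisco or Linux upstream spells it differently)."""
    return [f"route add -host {a} {nat_box}" for a in pool]


def plan(ext_if: str, ext_if_cidr: str, internal_net: str,
         first: str, last: str) -> Dict[str, List[str]]:
    """The pf rule plus the commands that make replies reach the box,
    split by which side has to run them."""
    c = classify_pool(ext_if_cidr, first, last)
    usable = c["on_link"] + c["off_link"]
    nat_box_ip = str(ipaddress.IPv4Interface(ext_if_cidr).ip)
    return {
        "pf_conf": [pf_nat_rule(ext_if, internal_net, usable)] if usable else [],
        "nat_box": proxy_arp_commands(c["on_link"]),
        "upstream": upstream_route_commands(c["off_link"], nat_box_ip),
        "unusable": [str(a) for a in c["clashes"]],
    }


if __name__ == "__main__":
    # Sara's topology: upstream is 172.16.10.x/16, so the whole pool is
    # on-link and publishing it from the NAT box is the only fix that needs
    # no change on the upstream side.
    for section, lines in plan("eth1", "172.16.10.64/16", "11.11.11.0/24",
                               "172.16.10.1", "172.16.10.63").items():
        print(f"# {section}")
        for line in lines:
            print(line)
```

With a /16 on the external interface every pool address lands in `nat_box` as an `arp -S ... auto pub` line and `upstream` stays empty; with olli's 255.255.255.192 (a /26 that puts the gateway in 172.16.10.64/26) the same pool is off-link, `nat_box` is empty and `upstream` holds the host routes the ISP-side router would have to carry. Aliasing each pool address onto the interface (`ifconfig eth1 alias 172.16.10.1 netmask 255.255.255.255`) is the other on-link option; the kernel then answers ARP itself and the published entries are not needed.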
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 24 09:14:00 2011
In-Reply-To: <4E537FB6.7000100@gmail.com>
References: <4E510AF8.9090009@gmx.de> <4E533FB4.5050403@gmx.de>
  <4E5369DA.1030303@gmail.com> <4E537FB6.7000100@gmail.com>
From: Sara Khanchi
Date: Wed, 24 Aug 2011 13:43:39 +0430
To: freebsd-pf@freebsd.org
Subject: Re: problem with setting nat

On Tue, Aug 23, 2011 at 2:53 PM, Bartek W. aka Mastier wrote:
> On 23.08.2011 11:48, Sara Khanchi wrote:
>> [...]
>
>> I've just put an example in the previous post to clarify my purpose. The gw
>> system in the sample is possibly a stub router connecting a network to, let's
>> say, the internet. What I actually want to figure out is: when I define nat
>> on the stub router, without any need to define static routes on other
>> systems, would it be possible to get nat working properly, as happens in a
>> cisco stub router using nat?
>
> It seems that it automatically makes an arp proxy. But this is.. an extra.
> Actually not necessary, unless you badly want arping everyone and L2 access
> between networks. Cisco is sooo pro. Don't be surprised that the opensource
> world doesn't have "out-of-the-box features" which are provided by Cisco to
> be "more pro".
>
>> According to what is discussed here, I believe the only way is to use
>> arp-proxy for the pool addresses. In this way, there is no difference for
>> other systems whether the stub router is using nat or not? It's the duty of
>> the nat router to handle the consequences of natting (replying to responses
>> to the natted addresses that are not really available). I think maybe adding
>> entries to the arp table using the arp command does the proxy-arping.
>
> If a host asks for reverse arp, like, ok, I got in my arp table the address
> xx:xx:xx:xx:xx:xx (hex symbols only ;) ).
It came from different network, > but, I still got because there was some arp proxy magic. If not, the packet > got IP address from the right host and MAC from gateway. What a big deal ? > This is how it works. > For a purpose of network scanning/monitoring between two networks, of > course, arp proxy would be helpful, because in other way, you cannot > definitely say that host is on/off. But for that reason ICMP protocol was > created to make the hosts respond on layer 3. If hosts does not respond to > echo request, the nearest gateway/router can send ICMP packet back > "Destination host unreachable". Depending on router firewall behaviour. > For example, some "strange network operator", set static arp of router > (79.110.195.x ) for unused IP, here is the example. What happens then: > > $ ping 79.110.199.y > PING 79.110.199.y (79.110.199.y) 56(84) bytes of data. > From 79.110.195.x icmp_seq=1 Time to live exceeded > From 79.110.195.x icmp_seq=2 Time to live exceeded > From 79.110.195.x icmp_seq=3 Time to live exceeded > From 79.110.195.x icmp_seq=4 Time to live exceeded > > The packets are looped on router until TTL falls down to zero. > > It's a good point you mentioned. Lets go ahead through a scenario:) again the previous config: lan(11.11.11.0/24) --|switch|-- |(.1) stub-router (.64)| --|switch|-- upstream(172.16.10.x/16) nat pool address: 172.16.10.1-172.16.10.63 nat pool address is on the same network of upstream device. the nat is defined on the stub-router with the arp-proxy for nat pool addresses (172.16.10.1-172.16.10.63). when the system inside (11.11.11.11) is pingging the system outside (172.16.10.65), the icmp packets are natted (172.16.10.1). In reply packets are send to (172.16.10.64) due to arp-proxy settings. My question here is that are the reply icmp packets received on stub router interface natted in reverse and receive on host (11.11.11.11)? or as you said they are responded "Destination host unreachable" by the stub router? 
> > As I understand and not sure my understanding is correct, Olli suggests to >> define static routes on upstream router to send packets destined for pool >> addresses to the gw. In this scenario, the nat process is not transparent >> any more and the upstream system should be aware of it and supports it by >> adding static routes which is undesirable. >> > > I don't think so, why NAT *must* be transparent ? Look at the Internet, how > do you know that some public IP address either PI or PA is gateway or the > leaf on the network tree. Unless you own/manage both sides of nat you make > them behave the most desired way. > > What I mean is that in the specific scenario discussed, it is not wise to define static route to the natted pool addresses (172.16.10.1-172.16.10.63) since they are on the same network of upstream router (172.16.10.65)! It could be done transparently so the stub router could respond as the non-available host and sends the packets to the original host after do the reverse nat. Isn't that true? In nat scenarios other than the discussed one (the nat pool address is on the same network of upstream), there should be defined static routes to reach the nat pool addresses with the gateway of stub-router. So when the packets reach the stub-router, they will be reverse natted and there is no problem. But when the nat pool address is on the same network of the upstream, the problem arises that upstream router is not sending reply packets to the stub router. In that case, packet replies never received on stub router to get natted in reverse which I think would be solved by proxy-arping. > > >> p.s. I've used the "reply all" button in gmail and it sets the to and cc >> fields itself. sorry if this bothers you. 
I will take care of it :) >> > In mailing list, you just use answer, because everyone will get it, because > mailing list software will "spread the word" through all subscribed :-) I > don't use gmail webclient on daily basis, but I assumed that clicking > "Answer" to mail like mein now will add the "freebsd-pf@freebsd.org" > address (only!) as a receiver straight away. >
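The distinction the message above draws (a NAT pool that sits inside the upstream's own subnet needs the gateway to answer ARP for the pool addresses, whereas an off-link pool needs a route on the upstream pointing at the gateway) can be checked mechanically. The script below is an added example written for this thread; it is not code from the list, from pf or from FreeBSD. It takes the topology values posted in the thread (LAN 11.11.11.0/24, pool 172.16.10.1-172.16.10.63, gateway 172.16.10.64, upstream 172.16.10.65 on 172.16.0.0/16), decides which of the two cases applies, and emits either FreeBSD arp(8) "publish" entries for the gateway or route(8) commands for the upstream. The interface name eth1 is the one used in the thread, the MAC address is a placeholder, the function names are mine, and the round-robin keyword on the generated nat rule is an addition that names the pool type explicitly.

```python
"""Reply-path planning for a pf NAT pool.

Added example for the freebsd-pf thread on NAT pools; not pf's or FreeBSD's
code. Topology values are taken from the thread; the MAC address is a
constructed placeholder.
"""
import ipaddress
from typing import List, Tuple


def pool_addresses(first: str, last: str) -> List[ipaddress.IPv4Address]:
    """Expand an inclusive IPv4 range such as 172.16.10.1-172.16.10.63."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]


def nat_rule(ext_if: str, lan: str, pool: List[ipaddress.IPv4Address]) -> str:
    """pf.conf nat rule spreading LAN sources over the pool (round-robin pool type)."""
    addrs = ", ".join(str(a) for a in pool)
    return f"nat on {ext_if} from {lan} to any -> {{ {addrs} }} round-robin"


def reply_path_plan(pool: List[ipaddress.IPv4Address], upstream_net: str,
                    gw_ext_ip: str, gw_ext_mac: str,
                    upstream_ip: str) -> Tuple[str, List[str]]:
    """Work out how replies addressed to a pool address get back to the gateway.

    pf rewrites the source on the way out, but nothing makes the upstream
    deliver the reply to the gateway: the pool address is configured on no
    interface, so the upstream's ARP request for it goes unanswered and the
    reply never arrives to be translated back (the thread's failure case).

    Returns ("proxy-arp", arp(8) commands for the FreeBSD gateway) when the
    whole pool lies inside the upstream's on-link subnet, or
    ("static-route", route commands for the upstream device) when the pool is
    entirely off-link. A pool that contains a real host address, or that
    straddles the subnet boundary, is rejected.
    """
    net = ipaddress.IPv4Network(upstream_net)
    gw = ipaddress.IPv4Address(gw_ext_ip)
    up = ipaddress.IPv4Address(upstream_ip)
    if gw in pool or up in pool:
        raise ValueError("pool overlaps a real host address; replies would be ambiguous")
    on_link = [a in net for a in pool]
    if all(on_link):
        # Publish each pool address from the gateway: 'pub' makes the gateway
        # answer ARP for an address it does not own, -S replaces any stale entry.
        return "proxy-arp", [f"arp -S {a} {gw_ext_mac} pub" for a in pool]
    if not any(on_link):
        # Off-link pool: the upstream needs a route to the pool via the gateway.
        # pool_addresses() returns a contiguous range, so summarising its ends
        # covers exactly the pool. Written in FreeBSD route(8) form here.
        nets = ipaddress.summarize_address_range(pool[0], pool[-1])
        return "static-route", [f"route add -net {n} {gw}" for n in nets]
    raise ValueError("pool straddles the upstream subnet boundary; split it")


if __name__ == "__main__":
    # Values from the thread; MAC is a placeholder.
    pool = pool_addresses("172.16.10.1", "172.16.10.63")
    print(nat_rule("eth1", "11.11.11.0/24", pool))
    kind, cmds = reply_path_plan(pool, "172.16.0.0/16", "172.16.10.64",
                                 "00:00:00:00:00:01", "172.16.10.65")
    print(kind)
    for c in cmds:
        print(c)
```

For the thread's topology the script lands in the proxy-arp case and prints one `arp -S <pool address> <gateway MAC> pub` line per pool address; those entries live only in the running ARP table, so on a real gateway they would need to be re-applied at boot. The nat rule it prints is the shape the first post used, with the pool type spelled out.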