Date:      Thu, 25 Mar 1999 16:11:43 -0800
From:      tront@cs.sfu.ca
To:        ari <ari@suutari.iki.fi>
Cc:        jonc@pinnacle.co.nz, freebsd-questions@FreeBSD.ORG
Subject:   Re: natd
Message-ID:  <3.0.3.32.19990325161143.00a12ea0@cs.sfu.ca>
In-Reply-To: <36F9E951.E14254A3@suutari.iki.fi>
References:  <3.0.3.32.19990324124823.00a9b340@cs.sfu.ca>

At 09:44 AM 3/25/99 +0200, ari wrote:
>tront@cs.sfu.ca wrote:
>> 
>> Hi Ari, I am a university instructor of a network admin course that has
>> been using freebsd unix for 2 years.  We are trying natd for the first time
>> on freebsd 2.2.7.  And after checking all available documentation we are
>> stumped as to why we can't even ping from the gateway to a public network
>> machine while natd is running.
>> We have followed the instructions on the man page exactly!
>> We can ping from the internal machine to the gateway and vice versa.  But
>> not through the gateway to the public network.  And more interestingly, not
>> even from the gateway machine to the public network (one hop!).  When we
>> kill natd and remove the divert firewall rule, ping is successful in all
>> ways, including relay through the gateway, so the connectivity and routing
>> is good.
>> 
>> The divert rule firewall timestamp is showing that it is being used at the
>> time we attempt to ping, so the firewall is running.  And the firewall
>> only has the specified 2 rules plus the final 65535 deny rule.   Also, we
>> found that running natd in verbose mode generated no error messages.  And
>> running in log mode didn't seem to generate any log in alias.log.
>> 
>> We have spent hours on this, and are beginning to disagree with the man
>> page that states "Running natd is fairly straight forward".  Can you give
>> us another pointer or two on where to look for some error in our setup.

>	One common mistake is to run natd on wrong interface. You are supposed
>	to run it on the interface that is connected to public network.
No, that isn't the problem.

>	If you can send a little bit more details about your setup 
>	(interface names, addresses etc.) I can try to help you out.

I have attached a dump of all kinds of useful information verifying my set
up according to the 'running natd' part of the man page.  I hope this helps.
I have some things you might want to worry about:
1) in our lab, the outside public network has one of the 'test' network
addresses 172.16/16.  Is there a chance that natd will refuse to forward to
such a public network?
2) the address we are pinging is on the same network as the gateway's
public address (i.e. direct connection, one hop).
3) because of 2) above, we do not have a specific or default route for the
ping's destination.  A route is in the routing table for that network by
virtue of the interface being brought up.
4) we are not putting any natd commands in a file, assumably everything
that is needed can be typed into the command line.

Here are the results of what my student dumped.  172.16/16 is the public
network.  172.17/16 is the inside network.  172.16.1.6 is ed0, the public
interface of the gateway.  Any help would be appreciated.

Russ Tront, Instructor, School of Computing Science, SFU.  

--------------------------------------------------------------------------------------------------------------
Script started on Wed Mar 24 22:44:56 1999
You have mail.
fall.net1.cs{root}:cd /usr/src/sys/i386/conf

fall.net1.cs{root}:ls
FALL		LINT		PCCARD		files.i386	options.i386
GENERIC		Makefile.i386	devices.i386	majors.i386

fall.net1.cs{root}:fgrep IPFIRTEWALL FALL
options		IPFIREWALL
options		IPFIREWALL_VERBOSE

fall.net1.cs{root}:fgrep IPDIVERT FALL
options		IPDIVERT	$ Divert sockets

fall.net1.cs{root}:cd /etc

fall.net1.cs{root}:fgrep gateway rc.conf
defaultrouter="NO"              # Set to default gateway (or NO).
gateway_enable="YES"            # Set to YES if this host will be a gateway.
ipxgateway_enable="NO"          # Set to YES to enable IPX routing.
forward_sourceroute="NO"        # do source routing (only if gateway_enable is set to "YES")

fall.net1.cs{root}:fgrep firewall rc.conf
firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_type="open"            # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
natd_enable="NO"                # Enable natd if firewall_enable.

fall.net1.cs{root}:fgrep natd rc.conf
natd_enable="NO"                # Enable natd if firewall_enable.
natd_interface="fxp0"           # Public interface to use with natd if natd_enable.
natd_flags=""                   # Additional flags for natd.

fall.net1.cs{root}:fgrep natd services
natd            8668/divert #Network Address Translation

fall.net1.cs{root}:ipfw -t list
00100                          allow ip from any to any via lo0
00200                          deny ip from any to 127.0.0.0/8
65000 Wed Mar 24 22:46:05 1999 allow ip from any to any
65535                          deny ip from any to any

fall.net1.cs{root}:ipfw -f flush
Flushed all rules.

fall.net1.cs{root}:ipfw add divert natd all from any to any via ed0
00000 divert 8668 ip from any to any via ed0

fall.net1.cs{root}:ipfw add pass all from any to any
00000 allow ip from any to any

fall.net1.cs{root}:netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
127.0.0.1          127.0.0.1          UH          0        0       lo0
172.16             link#1             UC          0        0 
172.18             link#2             UC          0        0 

fall.net1.cs{root}:netstat -i
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
ed0   1500  <Link>      00.40.95.76.90.4b        5     0        1     0     0
ed0   1500  172.16        fall                   5     0        1     0     0
ed1   1500  <Link>      00.40.95.76.e4.d1        0     0        1     0     0
ed1   1500  172.18        fall.net3.cs           0     0        1     0     0
lp0*  1500  <Link>                               0     0        0     0     0
tun0* 1500  <Link>                               0     0        0     0     0
tun1* 1500  <Link>                               0     0        0     0     0
sl0*  552   <Link>                               0     0        0     0     0
sl1*  552   <Link>                               0     0        0     0     0
ppp0* 1500  <Link>                               0     0        0     0     0
ppp1* 1500  <Link>                               0     0        0     0     0
lo0   16384 <Link>                              48     0       48     0     0
lo0   16384 your-net      localhost             48     0       48     0     0

fall.net1.cs{root}:netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
localhost          localhost          UH          0       72       lo0
172.16             link#1             UC          0        0 
172.18             link#2             UC          0        0 

fall.net1.cs{root}:ipfw -t list
00100 Wed Mar 24 22:50:22 1999 divert 8668 ip from any to any via ed0
00200 Wed Mar 24 22:50:09 1999 allow ip from any to any
65535 Wed Mar 24 22:47:35 1999 deny ip from any to any

fall.net1.cs{root}:ping 172.16.1.7
PING 172.16.1.7 (172.16.1.7): 56 data bytes
^C
--- 172.16.1.7 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
(NOTE: this ping would have worked if not for the presence of the divert
firewall rule and no natd running yet)

fall.net1.cs{root}:natd -interface ed0

fall.net1.cs{root}:ping 172.16.1.7
PING 172.16.1.7 (172.16.1.7): 56 data bytes
^C
--- 172.16.1.7 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

fall.net1.cs{root}:ps -aux
USER       PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED       TIME COMMAND
root       232  0.0  0.9   384  272  p0  R+   10:52PM    0:00.00 ps -aux
root         1  0.0  0.8   484  236  ??  Is   10:44PM    0:00.03 /sbin/init --
root         2  0.0  0.1     0   12  ??  DL   10:44PM    0:00.00  (pagedaemon)
root         3  0.0  0.1     0   12  ??  DL   10:44PM    0:00.00  (vmdaemon)
root         4  0.0  0.1     0   12  ??  DL   10:44PM    0:00.07  (update)
root        99  0.0  1.8   204  540  ??  Ss   10:44PM    0:00.16 syslogd
daemon     109  0.0  1.9   176  564  ??  Is   10:44PM    0:00.01 portmap
root       131  0.0  2.0   208  608  ??  Is   10:44PM    0:00.07 inetd
root       134  0.0  1.7   332  512  ??  Ss   10:44PM    0:00.04 cron
root       137  0.0  1.8   208  540  ??  Is   10:44PM    0:00.01 lpd
root       164  0.0  1.4   168  420  ??  Is   10:44PM    0:00.00 moused -p /dev
root       173  0.0  2.4   372  720  ??  Is   10:44PM    0:02.23 /usr/local/sbi
root       196  0.0  1.1   460  328  v0  Is   10:44PM    0:00.19 -csh (csh)
root       197  0.0  1.8   180  544  v1  Is+  10:44PM    0:00.03 /usr/libexec/g
root       198  0.0  1.8   180  544  v2  Is+  10:44PM    0:00.03 /usr/libexec/g
root       204  0.0  1.5   216  460  v0  S+   10:44PM    0:00.22 script huang
root       205  0.0  1.1   456  336  p0  Ss   10:44PM    0:00.13 -h -i (csh)
root       230  0.0  1.7   228  492  ??  Is   10:51PM    0:00.00 natd -interfac
root         0  0.0  0.0     0    0  ??  DLs  10:44PM    0:00.01  (swapper)

fall.net1.cs{root}:ipfw -t list
00100 Wed Mar 24 22:51:37 1999 divert 8668 ip from any to any via ed0
00200 Wed Mar 24 22:50:09 1999 allow ip from any to any
65535 Wed Mar 24 22:47:35 1999 deny ip from any to any

fall.net1.cs{root}:ping 172.16.1.7
PING 172.16.1.7 (172.16.1.7): 56 data bytes
^C
--- 172.16.1.7 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

fall.net1.cs{root}:ipfw -t list
00100 Wed Mar 24 22:52:36 1999 divert 8668 ip from any to any via ed0
00200 Wed Mar 24 22:50:09 1999 allow ip from any to any
65535 Wed Mar 24 22:47:35 1999 deny ip from any to any

fall.net1.cs{root}:netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
127.0.0.1          127.0.0.1          UH          0      120       lo0
172.16             link#1             UC          0        0 
172.16.1.7         link#1             UHLW        0        8 
172.18             link#2             UC          0        0 

fall.net1.cs{root}:netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
localhost          localhost          UH          0      120       lo0
172.16             link#1             UC          0        0 
september          link#1             UHLW        0        8 
172.18             link#2             UC          0        0 

fall.net1.cs{root}:netstat -i
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
ed0   1500  <Link>      00.40.95.76.90.4b        8     0        1     0     0
ed0   1500  172.16        fall                   8     0        1     0     0
ed1   1500  <Link>      00.40.95.76.e4.d1        0     0        1     0     0
ed1   1500  172.18        fall.net3.cs           0     0        1     0     0
lp0*  1500  <Link>                               0     0        0     0     0
tun0* 1500  <Link>                               0     0        0     0     0
tun1* 1500  <Link>                               0     0        0     0     0
sl0*  552   <Link>                               0     0        0     0     0
sl1*  552   <Link>                               0     0        0     0     0
ppp0* 1500  <Link>                               0     0        0     0     0
ppp1* 1500  <Link>                               0     0        0     0     0
lo0   16384 <Link>                             224     0      224     0     0
lo0   16384 your-net      localhost            224     0      224     0     0

fall.net1.cs{root}:ifconfig -a
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 172.16.1.6 netmask 0xffff0000 broadcast 172.16.255.255
	ether 00:40:95:76:90:4b 
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 172.18.1.1 netmask 0xffff0000 broadcast 172.18.255.255
	ether 00:40:95:76:e4:d1 
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000 

fall.net1.cs{root}:ping 172.16.1.5
PING 172.16.1.5 (172.16.1.5): 56 data bytes
^C
--- 172.16.1.5 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

fall.net1.cs{root}:ipfw -t list
00100 Wed Mar 24 22:55:51 1999 divert 8668 ip from any to any via ed0
00200 Wed Mar 24 22:55:27 1999 allow ip from any to any
65535 Wed Mar 24 22:47:35 1999 deny ip from any to any

fall.net1.cs{root}:netstat -i
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
ed0   1500  <Link>      00.40.95.76.90.4b       12     0        1     0     0
ed0   1500  172.16        fall                  12     0        1     0     0
ed1   1500  <Link>      00.40.95.76.e4.d1        0     0        1     0     0
ed1   1500  172.18        fall.net3.cs           0     0        1     0     0
lp0*  1500  <Link>                               0     0        0     0     0
tun0* 1500  <Link>                               0     0        0     0     0
tun1* 1500  <Link>                               0     0        0     0     0
sl0*  552   <Link>                               0     0        0     0     0
sl1*  552   <Link>                               0     0        0     0     0
ppp0* 1500  <Link>                               0     0        0     0     0
ppp1* 1500  <Link>                               0     0        0     0     0
lo0   16384 <Link>                             416     0      416     0     0
lo0   16384 your-net      localhost            416     0      416     0     0

fall.net1.cs{root}:netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
localhost          localhost          UH          0      440       lo0
172.16             link#1             UC          0        0 
june               link#1             UHLW        0        3 
172.18             link#2             UC          0        0 

fall.net1.cs{root}:netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
127.0.0.1          127.0.0.1          UH          0      496       lo0
172.16             link#1             UC          0        0 
172.16.1.5         link#1             UHLW        0        3 
172.18             link#2             UC          0        0 
fall.net1.cs{root}:exit

Script done on Wed Mar 24 22:57:10 1999

*september's address 172.16.1.7
*june's address 172.16.1.5
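Added example, not part of the original mail and not FreeBSD's own code: a small Python script that does mechanically what Russ did by eye in the transcript above, namely compare two `ipfw -t list` snapshots taken around a test ping and report which rules' last-match timestamps moved, and then sanity-check that the ruleset has the two-rule natd layout from natd(8) (a divert rule to natd's port on the public interface, followed by a pass rule, ahead of the default 65535 deny). The listing format is the one `ipfw -t list` printed in the transcript; the sample snapshots are copied from the two listings around the 22:52 ping, and the `FRESH` listing from the initial `ipfw -t list`. Function names and the checks themselves are mine. Between those two snapshots only the divert rule's timestamp advances; the allow rule and the default deny are never hit in that window, which the script reports as idle rules.

```python
"""Compare two `ipfw -t list` snapshots and sanity-check a natd divert ruleset.

Added example (not from the original mail).  Sample listings below are copied
from the transcript in the mail; the parsing format is what `ipfw -t list`
printed on FreeBSD 2.2.x.
"""
import re
from datetime import datetime

# `ipfw -t list` prints: <rule number> [<last-match timestamp>] <action> <rest>.
# Rules that have never matched are printed with blank padding where the
# timestamp would be, so the timestamp group is optional.
RULE_RE = re.compile(
    r"^(?P<num>\d{5})\s+"
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})?\s*"
    r"(?P<body>\S.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Snapshots copied from the mail: the listings just before and just after the
# 22:52 ping.  Only rule 00100 (the divert rule) moves between them.
BEFORE = """\
00100 Wed Mar 24 22:51:37 1999 divert 8668 ip from any to any via ed0
00200 Wed Mar 24 22:50:09 1999 allow ip from any to any
65535 Wed Mar 24 22:47:35 1999 deny ip from any to any
"""
AFTER = """\
00100 Wed Mar 24 22:52:36 1999 divert 8668 ip from any to any via ed0
00200 Wed Mar 24 22:50:09 1999 allow ip from any to any
65535 Wed Mar 24 22:47:35 1999 deny ip from any to any
"""
# The initial "open" ruleset from the mail, before the flush: no divert rule,
# and three rules that have never matched (no timestamp).
FRESH = """\
00100                          allow ip from any to any via lo0
00200                          deny ip from any to 127.0.0.0/8
65000 Wed Mar 24 22:46:05 1999 allow ip from any to any
65535                          deny ip from any to any
"""


def parse_snapshot(text):
    """Map rule number -> (last-match datetime or None, rule body)."""
    rules = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised ipfw line: %r" % line)
        ts = m.group("ts")
        # Collapse the day padding ("Mar  4") before parsing.
        last_hit = datetime.strptime(" ".join(ts.split()), TS_FMT) if ts else None
        rules[int(m.group("num"))] = (last_hit, m.group("body"))
    return rules


def compare(before, after):
    """Return (hit, idle): rules whose last-match time advanced between the two
    snapshots, and rules whose time did not move (traffic never reached them)."""
    hit, idle = [], []
    for num, (ts_after, _) in sorted(after.items()):
        ts_before = before.get(num, (None, None))[0]
        if ts_after is not None and (ts_before is None or ts_after > ts_before):
            hit.append(num)
        else:
            idle.append(num)
    return hit, idle


def check_natd_ruleset(rules, public_if, natd_port=8668):
    """Check the natd(8) two-rule layout; return a list of problems (empty = OK).
    natd_port defaults to the divert port registered in /etc/services."""
    problems = []
    divert = [n for n, (_, body) in rules.items()
              if body.startswith("divert %d " % natd_port)]
    if not divert:
        problems.append("no divert rule to port %d" % natd_port)
    else:
        dnum = min(divert)
        if ("via %s" % public_if) not in rules[dnum][1]:
            problems.append("divert rule %05d is not bound to %s" % (dnum, public_if))
        if not any(body.startswith("allow ") and n > dnum
                   for n, (_, body) in rules.items()):
            problems.append("no allow rule after divert rule %05d" % dnum)
    if 65535 not in rules or not rules[65535][1].startswith("deny"):
        problems.append("default rule 65535 missing or not deny")
    return problems


if __name__ == "__main__":
    before, after = parse_snapshot(BEFORE), parse_snapshot(AFTER)
    hit, idle = compare(before, after)
    print("rules hit during the test:", hit)
    print("rules never reached during the test:", idle)
    print("ruleset problems:", check_natd_ruleset(after, "ed0") or "none")
```

Take one `ipfw -t list` before the test ping and one after, and feed both listings in. A rule whose timestamp never moves during the test is one the traffic never reached, which narrows where to look next without touching the ruleset itself.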

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.3.32.19990325161143.00a12ea0>