From: David DeSimone
To: freebsd-net@freebsd.org
Date: Wed, 9 Jan 2008 16:26:34 -0600
Subject: Re: NATD problem
Message-ID: <20080109222634.GH17784@verio.net>
List-Id: Networking and TCP/IP with FreeBSD

Patrick Oonk wrote:
>
> host A
> -redirect_address 192.168.0.2 128.1.1.2
>
> Host B
> -redirect_address 192.168.0.3 128.1.1.3
>
> I have a webserver running on host A.
> When I try to reach either host from the 'outside', that works fine.
>
> When I try to reach host A from host B on its external address,
> i.e. when I try to reach port 80 on 128.1.1.2 with source address
> 192.168.0.3, I get 'connection refused'.
>
> Do I have to do anything special to make this possible?

This is a classic NAT problem. Picture what happens each step of the way:

Packet (src = 192.168.0.3, dst = 128.1.1.2) goes to the firewall, because routing for 128.1.1.2 follows the default route to the firewall.

Firewall applies NAT, so the packet is now (src = 192.168.0.3, dst = 192.168.0.2).

Firewall routes the packet back to the internal network that it came from.

Host A receives packet (src = 192.168.0.3, dst = 192.168.0.2).

Host A sends back a reply packet (src = 192.168.0.2, dst = 192.168.0.3).

Routing table finds a connected route, so the reply goes DIRECTLY to host B over the internal network.

Firewall does not see the reply, so there is no chance to apply reverse NAT.

Host B receives packet (src = 192.168.0.2, dst = 192.168.0.3). The packet is unrecognized, however, because the packet that host B originally sent was for (src = 192.168.0.3, dst = 128.1.1.2).

Host B sends a RST. Connection fails.

The way I have solved this problem in other environments is with "double NAT", where the firewall translates both the Source and Destination IP for internally-received traffic. The firewall applies the correct destination NAT, but also applies NAT to the source IP, giving its own IP. This causes the web server to reply back to the firewall so that the traffic can be de-NAT'd correctly.

However, I am unaware of the ability to perform Double NAT using FreeBSD tools. There is no reason the kernel could not do it; it is just a missing feature in the toolset.

Many people argue that Host B should "know" that it should not contact Host A using the external IP. Either a hosts file, or a special internal DNS server, or some other such mechanism should help internal hosts to know how best to contact other internal hosts.
--
David DeSimone == Network Admin == fox@verio.net
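The packet walk in the reply above, as an added simulation that is not part of the thread and not code from natd or FreeBSD: it models the firewall's redirect table from Patrick's two natd lines, assumes a constructed internal firewall address of 192.168.0.1, and runs the same hairpin request once with plain destination NAT (reply bypasses the firewall, host B sees an unknown packet) and once with the "double NAT" David describes (source also rewritten to the firewall, so the reply comes back through it and can be reverse-translated).

```python
# Constructed topology: 192.168.0.0/24 is the internal LAN, the firewall's
# inside address is 192.168.0.1 (assumed), and the redirect table comes from
# the natd -redirect_address lines quoted in the thread.
FW_INT = "192.168.0.1"
INTERNAL_PREFIX = "192.168.0."
REDIRECTS = {"128.1.1.2": "192.168.0.2", "128.1.1.3": "192.168.0.3"}


def on_link(ip):
    """Connected route: anything in the internal prefix is reached directly."""
    return ip.startswith(INTERNAL_PREFIX)


def hairpin(src, dst, double_nat):
    """Internal host `src` sends to external redirect address `dst`.

    Returns (reply_src, reply_dst, ok): the reply as the originating host
    sees it, and whether it matches the connection it opened (src -> dst).
    """
    # Step 1: dst is not on-link, so the request follows the default route
    # to the firewall, which applies destination NAT ...
    inside_dst = REDIRECTS[dst]
    # ... and, only in the double-NAT case, also rewrites the source to itself.
    inside_src = FW_INT if double_nat else src
    # NAT state the firewall keeps so it can reverse the translation later.
    nat_table = {(inside_dst, inside_src): (src, dst)}

    # Step 2: the server receives (inside_src -> inside_dst) and replies.
    reply_src, reply_dst = inside_dst, inside_src

    # Step 3: the reply only passes through the firewall if it is addressed
    # to the firewall; an on-link internal destination is reached directly.
    if reply_dst == FW_INT or not on_link(reply_dst):
        orig_src, orig_dst = nat_table[(reply_src, reply_dst)]
        reply_src, reply_dst = orig_dst, orig_src  # reverse NAT

    # Step 4: the originating host compares the reply with its own socket.
    ok = (reply_src, reply_dst) == (dst, src)
    return reply_src, reply_dst, ok


if __name__ == "__main__":
    for mode in (False, True):
        rs, rd, ok = hairpin("192.168.0.3", "128.1.1.2", double_nat=mode)
        print(f"double_nat={mode}: reply {rs} -> {rd}, "
              f"{'accepted' if ok else 'unrecognized, RST'}")
```

With double NAT the web server only ever sees the firewall's address as the client, which is the usual logging and access-control trade-off of this fix.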