From owner-freebsd-questions@FreeBSD.ORG Mon Sep 21 15:39:59 2009
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9BC5D1065679 for ; Mon, 21 Sep 2009 15:39:59 +0000 (UTC) (envelope-from selgram@verifpoint.com)
Received: from dukecmfep04.coxmail.com (dukecmfep04.coxmail.com [68.99.120.39]) by mx1.freebsd.org (Postfix) with ESMTP id 5BCB98FC2D for ; Mon, 21 Sep 2009 15:39:59 +0000 (UTC)
Received: from dukecmimpo03.coxmail.com ([68.99.120.137]) by dukecmfep04.coxmail.com (InterMail vM.7.05.02.00 201-2174-114-20060621) with ESMTP id <20090921153959.KEZD21510.dukecmfep04.coxmail.com@dukecmimpo03.coxmail.com>; Mon, 21 Sep 2009 11:39:59 -0400
Received: from dukecmimpo01.coxmail.com ([172.18.18.217]) by dukecmimpo03.coxmail.com with bizsmtp id jRbT1c0014h0NJL01TfyAq; Mon, 21 Sep 2009 11:39:58 -0400
Received: from is02 ([172.18.18.217]) by dukecmimpo01.coxmail.com with bizsmtp id jTfu1c0064h0NJL01Tfy6B; Mon, 21 Sep 2009 11:39:58 -0400
From: "Scott Elgram"
To: "'Steve Bertrand'"
References: <3F3F36886F1E4185AB1EE019FF6DB93D@CREDENTALS> <4AB4234B.5060409@ibctech.ca>
Date: Mon, 21 Sep 2009 08:39:35 -0700
Organization: VerifPoint/CreDENTALs
Message-ID: <8CDA12CEBB2F4CD5BAC87320B4B62656@CREDENTALS>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
In-Reply-To: <4AB4234B.5060409@ibctech.ca>
Thread-Index: Aco4vtRJdN0icEwVTpm2bxLN926EvgCETPZg
Cc: freebsd-questions@freebsd.org
Subject: RE: Help with NAT
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: SElgram@VerifPoint.com
List-Id: User questions
X-List-Received-Date: Mon, 21 Sep 2009 15:39:59 -0000

Steve,

Unfortunately the development and production servers are Windows running IIS. However, I have tried the following two experiments:

1.) Using IIS's logs I am able to see all hits to the development and production servers. When I visit the development server through the FreeBSD NAT box I see an entry in the IIS log. However, on the production server there is no entry.

2.) Using IPFW on the NAT box I logged all traffic in and out of both interfaces. The following is what gets recorded for a successful hit to the development server: xl1 is the external interface, xl0 is the internal interface, xxx.xxx.xxx.142 is the comp I was browsing from.

-------------------------------------
ipfw: 200 Divert 8668 TCP xxx.xxx.xxx.142:1345 xxx.xxx.xxx.141:6502 in via xl1
ipfw: 401 Accept TCP xxx.xxx.xxx.142:1345 192.168.0.100:80 in via xl1
ipfw: 401 Accept TCP xxx.xxx.xxx.142:1345 192.168.0.100:80 out via xl0
ipfw: 301 Accept TCP 192.168.0.100:80 xxx.xxx.xxx.142:1345 in via xl0
ipfw: 200 Divert 8668 TCP 192.168.0.100:80 xxx.xxx.xxx.142:1345 out via xl1
ipfw: 502 Accept TCP xxx.xxx.xxx.141:6502 xxx.xxx.xxx.142:1345 out via xl1
-------------------------------------

And this is what I see when I try the production server:

-------------------------------------
ipfw: 200 Divert 8668 TCP xxx.xxx.xxx.142:1350 xxx.xxx.xxx.141:6503 in via xl1
ipfw: 402 Accept TCP xxx.xxx.xxx.142:1350 192.168.0.241:80 in via xl1
ipfw: 402 Accept TCP xxx.xxx.xxx.142:1350 192.168.0.241:80 out via xl0
-------------------------------------

At first I thought it might be the production server, but I tried another experiment where I pointed NAT to an IP that is currently working fine through another NAT box and that didn't work either, so I'm not sure what the problem is.
-Scott

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Steve Bertrand
Sent: Friday, September 18, 2009 5:18 PM
To: SElgram@VerifPoint.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Help with NAT

Scott Elgram wrote:
> Hello,
>
> I am at my wit's end with this one. I have set up a box to use
> of firewall/nat. However, during the setup I pointed set net to do a port
> redirect of port 6502 to port 80 of my development web server. Everything
> worked fine so I deployed my new box onto a live IP and tested it again with
> the same redirect to my dev server. Still, everything works fine so I
> changed /etc/natd.conf to point to my production web server and it won't
> work. I have tried everything that I can think of to narrow down this issue
> but I just can't figure it out. I pointed everything back to my dev server
> and it's still working. I changed the dev server's IP and changed nat to
> point to the new IP and it still works. It would seem that nat will work
> only with my dev server and no other computer.
>
>
>
> Can anyone offer any suggestions? I'm sure I'm missing something basic.

On the production server, after you've got things pointed to it:

# tcpdump -n -i em0 port 80

...where em0 is the interface.

Send a request through from the outside, and verify that you can see the HTTP request come in to the production box, and go back out again. It should look like the following. Note that these are v6 addrs, not v4, but the result is the same. In the first packet, 5 -> b6 is the request in, and b6 -> 5 is the response back. You 'should' see the same result, but with your v4 addresses instead.

pearl# tcpdump -n -i em0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 96 bytes
20:09:52.912361 IP6 2607:f118::5.1752 > 2607:f118::b6.80: S 3408461679:3408461679(0) win 16384
20:09:52.912425 IP6 2607:f118::b6.80 > 2607:f118::5.1752: S 1781312333:1781312333(0) ack 3408461680 win 65535

...whether you see the packets come in or not, post back with your findings.

Do you perhaps have to 'restart' natd in order to release any sort of caching?

STeve