Date:      Sun, 25 Feb 2001 02:29:31 -0500 (EST)
From:      Brent B.Powers <fbsdq@b2pi.com>
To:        cjclark@alum.mit.edu
Cc:        "Brent B.Powers" <powers@b2pi.com>, freebsd-questions@FreeBSD.ORG
Subject:   Re: With natd server, can't hit my own static IP's
Message-ID:  <15000.46171.122193.363607@Sophie.B2Pi.com>
In-Reply-To: <20010221004746.Y62368@rfx-216-196-73-168.users.reflex>
References:  <bulk.28868.20010220215952@hub.freebsd.org> <20010221004746.Y62368@rfx-216-196-73-168.users.reflex>


Warning: Long unwrapped lines follow below.....

>>>>> "Crist" == Crist J Clark <cjclark@reflexnet.net> writes:

    Crist> On Tue, Feb 20, 2001 at 09:59:52PM -0800, Brent B.Powers wrote:
[snip]

>            |                               |       |-- 192.168.1.0
>            |                               |       |
>            | alias xxx.xxx.xxx.0           |       |-- 192.168.1.1
>            | alias xxx.xxx.xxx.1           |       |
>            | alias xxx.xxx.xxx.2           |       |-- 192.168.1.2
>            | alias xxx.xxx.xxx.3           |       |
>            | alias xxx.xxx.xxx.4           |       |-- 192.168.1.3
>            | alias xxx.xxx.xxx.5           |       |
>            | alias xxx.xxx.xxx.6           |       |-- 192.168.1.4
> [INET] --- | DE0   xxx.xxx.xxx.7       RL0 |----[]-|
>            |                               |       |-- 192.168.1.5
>            |                               |       |
>            |                               |       |-- 192.168.1.6
>            |                               |       |
>            |                               |       |-- 192.168.1.7
> 
> Unfortunately, I've just noticed that I can't get to my own servers,
> i.e. If I'm sitting at the console of, say, 192.168.1.4, and the whole
> world knows that my webserver is at xxx.xxx.xxx.6. However, I can't
> get there. If I try to touch anything other than .7, I get .7 (so my
> webserver isn't found, for instance).

    Crist> *groan* Another natd(8) one I should write up for the
    Crist> FAQ... Too late to do it tonight. I am pretty sure this one
    Crist> is at one of the independent websites, graveconcern,
    Crist> bsddiary?

I've actually searched at bsddiary, but didn't find anything that
seems to apply, and although I'd not heard of mostgraveconcern, I also
didn't find anything relevant there, or within defcon1. I know when I
was last on this list, there was talk of setting up a basic networking
and NAT faq, but I saw no reference to it at freebsd.org, nor does the
main freebsd FAQ contain anything pertaining to this problem.

<snip>

    Crist> There are two main approaches, split-DNS or running another
    Crist> natd(8) (or similar program) on the internal
    Crist> interface. Split-DNS means your internal machines will see
    Crist> hostnames already mapped to the internal IPs. To run another
    Crist> natd(8), run another instance of natd on the internal interface
    Crist> diverting to a different port. e.g.,

<snip>

SplitDNS seems like a maintenance nightmare.

I had tried, btw, setting up an internal-only natd before, but
changing the port has been a head-slapping, 'doh' experience.

...So:

It turns out the redirect commands are the same for either side of the
natd, so, with the exception of the interface and port (which were on
the command line anyway), the natd config files are the same.

Thus the commands (on the gateway box, with a debug firewall)

(TBird)/etc[16]#/bin/sh /etc/rc.firewall                              
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00340 divert 8668 ip from any to any via de0
00350 divert 8669 ip from 192.168.1.0/24 to 216.254.64.0/24 via rl0
65000 allow ip from any to any
(TBird)/etc[17]#/sbin/natd -config /etc/natd.conf -port 8669 -n rl0 -v
natd[26563]: Aliasing to 192.168.1.1, mtu 1500 bytes
In  [ICMP] [ICMP] 192.168.1.188 -> 216.254.64.186 8(0) aliased to
           [ICMP] 192.168.1.188 -> 192.168.1.186 8(0)
In  [ICMP] [ICMP] 192.168.1.188 -> 216.254.64.186 8(0) aliased to
           [ICMP] 192.168.1.188 -> 192.168.1.186 8(0)
In  [ICMP] [ICMP] 192.168.1.188 -> 216.254.64.186 8(0) aliased to
           [ICMP] 192.168.1.188 -> 192.168.1.186 8(0)
In  [TCP]  [TCP] 192.168.1.188:1049 -> 216.254.64.186:21 aliased to
           [TCP] 192.168.1.188:1049 -> 192.168.1.186:21
In  [TCP]  [TCP] 192.168.1.188:1049 -> 216.254.64.186:21 aliased to
           [TCP] 192.168.1.188:1049 -> 192.168.1.186:21
In  [TCP]  [TCP] 192.168.1.188:1049 -> 216.254.64.186:21 aliased to
           [TCP] 192.168.1.188:1049 -> 192.168.1.186:21


At the same time, as you can see, from a second machine (lists, 188), I
pinged a third (sophie, 186). When that worked, I tried an ftp over to
sophie, and got back nothing....

[root@lists /root]# ping -c 3 -n 216.254.64.186
PING 216.254.64.186 (216.254.64.186) from 192.168.1.188 : 56(84) bytes of data.
From 192.168.1.1: Redirect Host(New nexthop: 192.168.1.186)
64 bytes from 192.168.1.186: icmp_seq=0 ttl=255 time=2.0 ms
From 192.168.1.1: Redirect Host(New nexthop: 192.168.1.186)
64 bytes from 192.168.1.186: icmp_seq=1 ttl=255 time=1.2 ms
From 192.168.1.1: Redirect Host(New nexthop: 192.168.1.186)
64 bytes from 192.168.1.186: icmp_seq=2 ttl=255 time=1.1 ms

--- 216.254.64.186 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.1/1.4/2.0 ms
[root@lists /root]# ftp 216.254.64.186
^C


http access gave me the same results. I tried, then to see what sophie
(186) was getting via tcpdump:

(Sophie)/var/log[34]#tcpdump -n '(src host 192.168.1.188 or src host 192.168.1.186 or src host 192.168.1.1) and (dst host 192.168.1.188 or dst host 192.168.1.186 or dst host 192.168.1.1) and not port ssh' 
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
02:27:36.771503 eth0 B arp who-has 192.168.1.186 tell 192.168.1.1
02:27:36.771736 eth0 > arp reply 192.168.1.186 (8:0:20:1d:f2:2b) is-at 8:0:20:1d:f2:2b (0:50:bf:1c:46:b0)
02:27:36.772060 eth0 < 192.168.1.188 > 192.168.1.186: icmp: echo request
02:27:36.772253 eth0 > 192.168.1.186 > 192.168.1.188: icmp: echo reply
02:27:37.761512 eth0 < 192.168.1.188 > 192.168.1.186: icmp: echo request
02:27:37.761746 eth0 > 192.168.1.186 > 192.168.1.188: icmp: echo reply
02:27:38.761383 eth0 < 192.168.1.188 > 192.168.1.186: icmp: echo request
02:27:38.761609 eth0 > 192.168.1.186 > 192.168.1.188: icmp: echo reply
02:27:41.810081 eth0 > arp who-has 192.168.1.1 tell 192.168.1.186 (8:0:20:1d:f2:2b)
02:27:41.810376 eth0 < arp reply 192.168.1.1 is-at 0:50:bf:1c:46:b0 (8:0:20:1d:f2:2b)
02:27:52.057370 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: S 743268912:743268912(0) win 32120 <mss 1460,sackOK,timestamp 16758446 0,nop,wscale 0> (DF)
02:27:52.059220 eth0 > 192.168.1.186.ftp > 192.168.1.188.1050: S 696098068:696098068(0) ack 743268913 win 32120 <mss 1460,sackOK,timestamp 338240006 16758446,nop,wscale 0> (DF)
02:27:52.059482 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: R 743268913:743268913(0) win 0
02:27:55.049682 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: S 743268912:743268912(0) win 32120 <mss 1460,sackOK,timestamp 16758746 0,nop,wscale 0> (DF)
02:27:55.040021 eth0 > 192.168.1.186.ftp > 192.168.1.188.1050: S 699090422:699090422(0) ack 743268913 win 32120 <mss 1460,sackOK,timestamp 338240305 16758746,nop,wscale 0> (DF)
02:27:55.050276 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: R 743268913:743268913(0) win 0
02:28:01.049229 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: S 743268912:743268912(0) win 32120 <mss 1460,sackOK,timestamp 16759346 0,nop,wscale 0> (DF)
02:28:01.049533 eth0 > 192.168.1.186.ftp > 192.168.1.188.1050: S 705089966:705089966(0) ack 743268913 win 32120 <mss 1460,sackOK,timestamp 338240905 16759346,nop,wscale 0> (DF)
02:28:01.049800 eth0 < 192.168.1.188.1050 > 192.168.1.186.ftp: R 743268913:743268913(0) win 0

19 packets received by filter
(Sophie)/var/log[35]#


So, what does this come down to.... My current theories have something
to do with climbing a taller tree to get to the moon, but, why is the
target machine showing packets as coming from lists, when they've been
translated, and should be coming through as though they were coming
via the nat machine (.1)...
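The tcpdump above shows the whole problem: the SYN leaves lists for 216.254.64.186, but the internal natd only rewrote the destination (its own log shows the source still 192.168.1.188), so sophie answers lists directly, lists gets a SYN-ACK from 192.168.1.186 instead of the address it connected to, has no socket matching that peer, and sends the RST. The following is an added illustration, not code from the thread: it models that TCP exchange with the addresses from the post, and `rewrite_source` is a modelled option standing for also translating the source to the gateway's inner address so the reply is forced back through the NAT (how a given natd build would be configured to do that is not covered by the thread).

```python
"""Constructed model of the hairpin-NAT failure seen in the thread.

Hosts from the post: client "lists" 192.168.1.188, server "sophie"
192.168.1.186 (public alias 216.254.64.186), gateway inner address 192.168.1.1.
"""
from dataclasses import dataclass, replace

CLIENT, SERVER, GATEWAY = "192.168.1.188", "192.168.1.186", "192.168.1.1"
REDIRECTS = {"216.254.64.186": SERVER}   # public alias -> internal host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str


def nat_outbound(pkt, rewrite_source):
    """Internal-side NAT: rewrite the destination (what the log shows natd doing);
    optionally also rewrite the source so replies come back via the gateway."""
    pkt = replace(pkt, dst=REDIRECTS.get(pkt.dst, pkt.dst))
    if rewrite_source:
        pkt = replace(pkt, src=GATEWAY)
    return pkt


def nat_inbound(pkt, original):
    """Reverse translation for a reply that is addressed back to the gateway."""
    public = {v: k for k, v in REDIRECTS.items()}
    return replace(pkt, src=public.get(pkt.src, pkt.src), dst=original.src)


def connect(rewrite_source):
    """Client SYN to the public alias; returns what the client's stack does
    with the SYN-ACK it receives."""
    syn = Packet(CLIENT, "216.254.64.186", "S")
    fwd = nat_outbound(syn, rewrite_source)
    synack = Packet(fwd.dst, fwd.src, "S.")   # server answers whoever the SYN came from
    if synack.dst == GATEWAY:                  # reply passes back through the NAT
        synack = nat_inbound(synack, syn)
    # A SYN-ACK whose source is not the address the client connected to matches
    # no socket, so the client stack answers with RST (the 'R' in the tcpdump).
    return "ESTABLISHED" if synack.src == syn.dst else "RST"
```

`connect(False)` reproduces the RST seen from lists; `connect(True)` shows the handshake completing once the return path is forced through the gateway.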


