On 12/07/2010 13:47, Steve Bertrand wrote:

...do you need a second nat rule for the inbound traffic, or does nat
handle that by itself? If you run tcpdump on the wlan interface, do you
see the inbound traffic that relates to your request?


I don't know if I need that second rule but after adding rule
00035 nat 100 ip from not me to 127.127.127.1 via wlan0 keep-state
nothing changes, still the same problem.
While I'm trying to get "host freebsd.org" from the jailed system, tcpdump on wlan0 says:
ARP, Request who-has 192.168.1.254 tell 192.168.1.254, length 28
ARP, Request who-has 192.168.1.111 tell 192.168.1.254, length 28
ARP, Reply 192.168.1.111 is-at 00:26:5e:e7:e8:78, length 28
ARP, Request who-has 192.168.1.94 tell 192.168.1.254, length 28
ARP, Request who-has 192.168.1.95 tell 192.168.1.254, length 28
ARP, Request who-has 192.168.1.96 tell 192.168.1.254, length 28
ARP, Request who-has 192.168.1.82 tell 192.168.1.254, length 28
IP 192.168.1.111.37766 > 208.67.222.222.53: 55415+ A? freebsd.org. (29)
IP 208.67.222.222.53 > 192.168.1.111.37766: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.222.222: ICMP 192.168.1.111 udp port 37766 unreachable, length 36
IP 192.168.1.111.45007 > 208.67.220.220.53: 55415+ A? freebsd.org. (29)
IP 208.67.220.220.53 > 192.168.1.111.45007: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.220.220: ICMP 192.168.1.111 udp port 45007 unreachable, length 36
IP 192.168.1.111.37766 > 208.67.222.222.53: 55415+ A? freebsd.org. (29)
IP 208.67.222.222.53 > 192.168.1.111.37766: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.222.222: ICMP 192.168.1.111 udp port 37766 unreachable, length 36
IP 192.168.1.111.45007 > 208.67.220.220.53: 55415+ A? freebsd.org. (29)
IP 208.67.220.220.53 > 192.168.1.111.45007: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.220.220: ICMP 192.168.1.111 udp port 45007 unreachable, length 36


So once again my rules are:
ipfw -q -f flush
ipfw add 00010 allow all from 127.0.0.1 to 127.0.0.1 via lo0
ipfw add 00020 check-state
ipfw add 00030 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
ipfw nat 100 config ip 192.168.1.111 log
ipfw add 00040 allow all from any to any

Any ideas please?

Michael
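
An added example, not part of the original message or of ipfw: a small Python parser for tcpdump lines like those quoted above that pairs each DNS reply with the ICMP port-unreachable the receiving host sent back for it. It shows that every reply reaching 192.168.1.111 found no listening socket on that address and port. The function name and the embedded sample (copied from the trace above) are this example's own.

```python
import re

# Constructed sample: lines copied from the tcpdump output in the message above.
TRACE = """\
ARP, Request who-has 192.168.1.94 tell 192.168.1.254, length 28
IP 192.168.1.111.37766 > 208.67.222.222.53: 55415+ A? freebsd.org. (29)
IP 208.67.222.222.53 > 192.168.1.111.37766: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.222.222: ICMP 192.168.1.111 udp port 37766 unreachable, length 36
IP 192.168.1.111.45007 > 208.67.220.220.53: 55415+ A? freebsd.org. (29)
IP 208.67.220.220.53 > 192.168.1.111.45007: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.220.220: ICMP 192.168.1.111 udp port 45007 unreachable, length 36
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# "IP src.sport > dst.dport: ..." (tcpdump appends the port to the address)
UDP = re.compile(rf"^IP {IPV4}\.(\d+) > {IPV4}\.(\d+): ")
# "IP src > dst: ICMP host udp port N unreachable"
UNREACH = re.compile(rf"^IP {IPV4} > {IPV4}: ICMP {IPV4} udp port (\d+) unreachable")


def rejected_replies(trace, resolver_port=53):
    """Return (resolver, local_ip, local_port) for each DNS reply that the
    receiving host itself answered with ICMP port unreachable."""
    pending = set()      # replies seen on the wire, not yet rejected
    rejected = []
    for line in trace.splitlines():
        m = UNREACH.match(line)
        if m:
            src, dst, host, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
            key = (dst, host, port)
            # Only count it when the host that received the reply sent the error.
            if src == host and key in pending:
                pending.discard(key)
                rejected.append(key)
            continue
        m = UDP.match(line)
        if m and int(m.group(2)) == resolver_port:   # packet coming from a resolver
            pending.add((m.group(1), m.group(3), int(m.group(4))))
    return rejected


if __name__ == "__main__":
    for resolver, ip, port in rejected_replies(TRACE):
        print(f"reply from {resolver} to {ip}:{port} rejected by {ip}")
```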