One more thing: when I am making NAT tests the ipfilter rules are empty (and ipfboot reipf is applied ;] ).
========
Regards
Bartosz Baranowski mailto: [EMAIL PROTECTED]

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 05, 2005 3:43 PM
Subject: NAT issue -- machines outside NATed network don't know where they should respond??

> Hi. I have a problem with NATing a private network. My NATing box has
> two (well, three) interfaces up: bge0, bge1002 and bge2002.
>
> bge0 has the routable IP NATip, bge1002 - 192.168.1.1 and bge2002 -
> 192.168.2.1 (netmasks are 255.255.255.0).
>
> I have been trying to set up NAT between 192.x.x.x and the rest of the world. I
> started with a rule like this (to check if everything works):
>
> map bge2002 192.168.1.0/24 -> 192.168.3.0/24
>
> Everything worked fine. A packet came from 192.168.1.0/24, got translated, went to a
> machine in 192.168.2.0/24 and got back through translation to the originating IP.
>
> Then I tried something like this:
>
> map bge0 192.168.1.0/24 -> NATip/32 portmap tcp/udp auto
>
> or
>
> map bge0 192.168.1.0/24 -> NATip/32 portmap auto
>
> In this case everything worked fine too: I was able to establish connections
> beyond the unroutable IPs (from machines in 192.168.1.0/24), make DNS lookups
> (the DNS server is in 194) and so on.
>
> But with a rule like this:
>
> map bge0 192.168.1.0/24 -> 194.29.145.252/32 portmap auto (or
> 194.29.145.254 ---> it works between two private networks - 192...)
>
> packets are translated by ipnat and sent to the machine I was trying to ping or
> ssh, but nothing comes back. The only reaction from the peer is an ARP lookup for
> 194.29.145.252 or 254.
>
> Here is the rest of the stuff:
>
> grinch# uname -a
> SunOS grinch 5.9 Generic_117171-15 sun4u sparc SUNW,Sun-Fire-V210
>
> grinch# isainfo -vk
> 64-bit sparcv9 kernel modules
>
> grinch# ifconfig -a
> lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 4
>         inet 127.0.0.1 netmask ff000000
> bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
>         inet NATip netmask ffffff00 broadcast 194.29.145.255
>         ether 0:3:ba:9f:84:71
> bge1002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 6
>         inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
>         ether 0:3:ba:9f:84:73
> bge2002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 7
>         inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255
>         ether 0:3:ba:9f:84:73
>
> grinch# netstat -rn
>
> Routing Table: IPv4
>   Destination           Gateway           Flags  Ref   Use   Interface
> -------------------- -------------------- ----- ----- ------ ---------
> 192.168.1.0          192.168.1.1           U       1     14  bge1002
> 192.168.2.0          192.168.2.1           U       1      6  bge2002
> 194.29.145.0         NATip                 U       1    713  bge0
> default              194.29.145.1          UG      1   1118
> 127.0.0.1            127.0.0.1             UH      2      2  lo0
>
> grinch# netstat -i
> Name    Mtu  Net/Dest    Address     Ipkts   Ierrs Opkts  Oerrs Collis Queue
> lo0     8232 loopback    localhost   6       0     6      0     0      0
> bge0    1500 grinch      grinch      100375  0     14688  0     0      0
> bge1002 1500 grinch1002  grinch1002  7703    0     752    0     0      0
> bge2002 1500 grinch2002  grinch2002  2200    0     421    0     0      0
>
> grinch# netstat -s -P ip
>
> IPv4    ipForwarding        =     2     ipDefaultTTL        =   255
>         ipInReceives        = 11870     ipInHdrErrors       =     0
>         ipInAddrErrors      =     0     ipInCksumErrs       =     0
>         ipForwDatagrams     =  8372     ipForwProhibits     =    41
>         ipInUnknownProtos   =     0     ipInDiscards        =     0
>         ipInDelivers        =  2073     ipOutRequests       =  3234
>         ipOutDiscards       =     0     ipOutNoRoutes       =     0
>         ipReasmTimeout      =    60     ipReasmReqds        =     0
>         ipReasmOKs          =     0     ipReasmFails        =     0
>         ipReasmDuplicates   =     0     ipReasmPartDups     =     0
>         ipFragOKs           =     0     ipFragFails         =     0
>         ipFragCreates       =     0     ipRoutingDiscards   =     0
>         tcpInErrs           =     0     udpNoPorts          =  1272
>         udpInCksumErrs      =     0     udpInOverflows      =     0
>         rawipInOverflows    =     0     ipsecInSucceeded    =     0
>         ipsecInFailed       =     0     ipInIPv6            =     0
>         ipOutIPv6           =     0     ipOutSwitchIPv6     =     5
>
> grinch# ipf -V
> ipf: IP Filter: v4.1.3 (592)
> Kernel: IP Filter: v4.1.3
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0x187
>
> grinch# ipfstat
> bad packets:            in 0    out 0
>  IPv6 packets:          in 0    out 0
>  input packets:         blocked 10144 passed 11870 nomatch 4164 counted 0 short 0
> output packets:         blocked 0 passed 11608 nomatch 2513 counted 0 short 0
>  input packets logged:  blocked 0 passed 0
> output packets logged:  blocked 0 passed 0
>  packets logged:        input 0 output 0
>  log failures:          input 0 output 0
> fragment state(in):     kept 0  lost 0  not fragmented 0
> fragment state(out):    kept 0  lost 0  not fragmented 0
> packet state(in):       kept 0  lost 0
> packet state(out):      kept 1177  lost 0
> ICMP replies:   0       TCP RSTs sent:  0
> Invalid source(in):     0
> Result cache hits(in):  5158    (out):  3271
> IN Pullups succeeded:   0       failed: 0
> OUT Pullups succeeded:  52      failed: 0
> Fastroute successes:    0       failures:       0
> TCP cksum fails(in):    0       (out):  0
> IPF Ticks:      158982
> Packet log flags set: (0)
>         none
>
> // to be sure everything from me is passed out
>
> grinch# ipfstat -io
> pass out quick on bge0 all keep state
> block in on bge0 all
>
> grinch# ipnat -slv
> mapped  in 82   out 7478
> added   942     expired 0
> no memory       0       bad nat 1384
> inuse   7
> rules   3
> wilds   0
> table ffffffff7ffffbd8 list 3000250a1a8
> List of active MAP/Redirect filters:
> map bge0 192.168.1.0/24 -> 194.29.145.252/32
> map bge0 192.168.2.0/24 -> 194.29.145.252/32
> map bge2002 192.168.1.0/24 -> 194.29.145.254/32
>
> List of active sessions:
> MAP 192.168.1.2 33043 <- -> 194.29.145.252 1559 [DNSServer 53]
>         age 159907 use 0 sumd 0x1773/0x1773 pr 17 bkt 1141/120 flags 2
>         ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
> MAP 192.168.1.2 33042 <- -> 194.29.145.252 1558 [DNSServer 53]
>         age 159896 use 0 sumd 0x1773/0x1773 pr 17 bkt 1399/378 flags 2
>         ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
> MAP 192.168.1.2 33041 <- -> 194.29.145.252 1557 [DNSServer 53]
>         age 159706 use 0 sumd 0x1773/0x1773 pr 17 bkt 1139/118 flags 2
>         ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
> MAP 192.168.1.2 33040 <- -> 194.29.145.252 1556 [DNSServer 53]
>         age 159696 use 0 sumd 0x1773/0x1773 pr 17 bkt 1397/376 flags 2
>         ifp bge0,bge0 bytes 0/280 pkts 0/4 ipsumd 926f
> MAP 192.168.1.3 32829 <- -> 194.29.145.252 1849 [RPCServer 111]
>         age 159580 use 0 sumd 0x196a/0x196a pr 17 bkt 1005/487 flags 2
>         ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 926e
> MAP 192.168.1.2 33039 <- -> 194.29.145.252 1555 [RPCServer 111]
>         age 159414 use 0 sumd 0x1773/0x1773 pr 17 bkt 1214/193 flags 2
>         ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 926f
> MAP 192.168.2.3 32819 <- -> 194.29.145.252 1839 [RPCServer 111]
>         age 159199 use 0 sumd 0x186a/0x186a pr 17 bkt 1251/477 flags 2
>         ifp bge0,bge0 bytes 0/232 pkts 0/2 ipsumd 916e
>
> List of active host mappings:
> 192.168.1.2,DNSServer -> 194.29.145.252 (use = 2 hv = 890)
> 192.168.1.2,DNSServer -> 194.29.145.252 (use = 2 hv = 894)
> 192.168.1.2,RPCServer -> 194.29.145.252 (use = 1 hv = 926)
> 192.168.1.3,RPCServer -> 194.29.145.252 (use = 1 hv = 928)
> 192.168.2.3,RPCServer -> 194.29.145.252 (use = 1 hv = 1440)
>
> ========
> Regards
> Bartosz Baranowski mailto: [EMAIL PROTECTED]
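The session table above shows every mapping to 194.29.145.252 with zero inbound bytes, and the only thing the peer does is ARP for that address. IPFilter rewrites addresses but does not answer ARP for them, so a map target that the NAT box does not itself hold will have its return traffic ARPed for by the upstream router with nobody replying. The following check is an added example (not from the original post and not part of IPFilter): given ipnat map rules and ifconfig -a output, it lists every map target that is not a local address. The interface listing and rule set are constructed to resemble the thread, and 194.29.145.9 is an assumed stand-in for the redacted NATip.

```shell
#!/bin/sh
# Added example, not from the original post or from IPFilter: flag ipnat
# "map" targets that this host does not own. Replies to such a mapping are
# ARPed for on the wire by the upstream router, and nothing answers unless
# the box holds the address (logical interface) or publishes an ARP entry.

# Constructed sample in "ifconfig -a" layout, modelled on the thread.
# 194.29.145.9 is an assumed stand-in for the redacted NATip.
IFCONFIG_SAMPLE='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 4
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 194.29.145.9 netmask ffffff00 broadcast 194.29.145.255
        ether 0:3:ba:9f:84:71
bge1002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 6
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
bge2002: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 7
        inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255'

# Constructed ipnat.conf rules: the first maps to the box's own external
# address, the second to an address in the same subnet that the box does not
# hold, the third to the box's own inside address.
IPNAT_SAMPLE='map bge0 192.168.1.0/24 -> 194.29.145.9/32 portmap tcp/udp auto
map bge0 192.168.2.0/24 -> 194.29.145.252/32 portmap auto
map bge2002 192.168.1.0/24 -> 192.168.2.1/32'

# local_addrs IFCONFIG_TEXT: print one IPv4 address per line that the host
# holds (the "inet" lines; "inet6" lines are deliberately not matched).
local_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# unowned_targets RULES IFCONFIG_TEXT: print "<iface> <target>" for each map
# rule whose translated address is not a local address. A range target
# (a.b.c.0/24) is reported by its first address; in that case every address
# in the range would have to be answered for, not just the first one.
unowned_targets() {
    owned=$(local_addrs "$2")
    printf '%s\n' "$1" | while read -r kw ifn src arrow dst rest; do
        [ "$kw" = map ] && [ "$arrow" = "->" ] || continue
        target=${dst%%/*}
        if ! printf '%s\n' "$owned" | grep -qxF "$target"; then
            printf '%s %s\n' "$ifn" "$target"
        fi
    done
}

# Stand-alone run over the constructed samples; prints "bge0 194.29.145.252".
printf 'map targets not held by this host (will draw unanswered ARP):\n'
unowned_targets "$IPNAT_SAMPLE" "$IFCONFIG_SAMPLE"
```

On a real box feed it `ipnat -l` (or the ipnat.conf file) and `ifconfig -a`. A flagged target needs the NAT host to answer for it: either add it as a logical interface (on Solaris, `ifconfig bge0 addif 194.29.145.252 netmask 255.255.255.0 up`) or publish an ARP entry for it with the interface's own MAC (`arp -s 194.29.145.252 <bge0 MAC> pub`). Mapping to the interface's own address, as in the NATip/32 rule that worked, needs neither.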
