It's just getting weirder. First of all I tried what you suggested
and no luck. I have tcp dumps from ethereal. You asked to see them.
One is about 1mb. Do you want me to post them to the list or send them
to you directly?
Then I tried something else. A router with a DMZ function.
I thought to set a sunray network, a pc network and a 255.255.255.252
network to talk with the router.
bge2 is the small subnet that passed data to the router.
So the idea is to keep NAT on the Sun with ipfilter and use the
router, bypassing the pppoe which I believe to be the source of the
trouble.
So we want to translate anything from 10.0.2.0/24 to 192.168.1.2/30
which will go to the router at 192.168.1.1, for which I have the
following.
map bge2 10.0.2.0/24 -> 192.168.1.2/32 proxy port 21 ftp/tcp
map bge2 10.0.2.0/24 -> 192.168.1.2/32 portmap tcp/udp 10000:40000
map bge2 10.0.2.0/24 -> 192.168.1.2/32
[EMAIL PROTECTED] # ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.2.1 netmask ffffff00 broadcast 10.0.2.255
        ether 0:3:ba:c2:4:69
bge2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.2 netmask fffffffc broadcast 192.168.1.3
        ether 0:3:ba:c2:4:6b
bge3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
        ether 0:3:ba:c2:4:6c
sppp0: flags=10008d0<POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 65529 index 5
        inet 0.0.0.0 --> 0.0.0.0 netmask 0
        ether 0:0:0:0:0:0
[EMAIL PROTECTED] # cat ipnat.conf
# minimal ipnat rule for allowing active ftp client
#
#map bge2 0/0 -> 192.168.1.2/24 proxy port 21 ftp/tcp
map bge2 10.0.2.0/24 -> 192.168.1.2/32 proxy port 21 ftp/tcp
map bge2 10.0.2.0/24 -> 192.168.1.2/32 portmap tcp/udp 10000:40000
map bge2 10.0.2.0/24 -> 192.168.1.2/32
[EMAIL PROTECTED] # cat ipf.conf
pass in all
pass out all
[EMAIL PROTECTED] #
Here is where it gets weird. It translates all right. But it translates
to 192.168.1.1 instead of 192.168.1.2.
Could it be hardware related? I had to have Sun come in and replace
a motherboard. Also, is there a file where the state information is
stored? I am curious to see if it is populating.
On 29-Oct-05, at 12:51 AM, Phil Dibowitz wrote:
Murray Thomson wrote:
I removed it from the one when I pulled the ipfilter 4.1.9. Still only
returning some sites. I looked at it in ethereal over the ppp
interface and saw that the router is returning an icmp message that
says port unavailable.
Sequence is this. PC operator asks for web page.
PC makes DNS lookup request.
Packet goes to server and gets translated.
DNS responds.
Sun server receives packet and responds to DNS that port is not
available.
I still have to go back and test this but I believe that if the
Sun got to the web page before, then it will NAT OK.
Hmmm. So let me get this straight:
PC-------Sun------Internet
     ^        ^
  ethernet   sppp
1. PC -> Sun : DNS request
2. Sun -> DNS server : NAT'd DNS request (NAT works here?)
3. DNS Server -> Sun : DNS Response
4. Sun -> DNS Server: ICMP Port unreachable
??
I'd really like to see a packet dump of that. Also, I'm curious what
happens if the DNS server is inside the network, or if you browse
by IP and don't require DNS.
When I was using 4.1.9 I didn't have the icmp errors but the
thing just wouldn't translate.
But it translates in 3, right? It just gets the ICMP Port Unreachables?
Hmmm - wait, your ruleset... try just this:
pass in quick on bge0 from any to any flags S keep state keep frags
block in quick on sppp0 from any to any
And let me know how that goes.
--
Phil Dibowitz [EMAIL PROTECTED]
Freeware and Technical Pages Insanity Palace of Metallica
http://www.phildev.net/ http://www.ipom.com/
"Be who you are and say what you feel, because those who mind don't
matter and those who matter don't mind."
- Dr. Seuss
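As an added example (not code from this thread or from the ipfilter project), the following Python script parses the ipnat.conf and `ifconfig -a` output pasted in the reply at the top and checks each `map` rule's translation target against the addresses the host actually owns. The active `/32` rules pass; a wider target such as the commented-out `/24` rule in that ipnat.conf is flagged, because the translation pool then contains addresses that are not configured on the box. It is a configuration sanity check only, not a diagnosis of the translate-to-192.168.1.1 symptom reported above. The two text constants are copies of the pasted output (the wrapped ifconfig lines are joined), and the rule grammar recognised is limited to `map <iface> <src> -> <dst> [options]`.

```python
import ipaddress
import re

# Constructed copies of the ipnat.conf and 'ifconfig -a' output from the thread.
IPNAT_CONF = """\
# minimal ipnat rule for allowing active ftp client
#
#map bge2 0/0 -> 192.168.1.2/24 proxy port 21 ftp/tcp
map bge2 10.0.2.0/24 -> 192.168.1.2/32 proxy port 21 ftp/tcp
map bge2 10.0.2.0/24 -> 192.168.1.2/32 portmap tcp/udp 10000:40000
map bge2 10.0.2.0/24 -> 192.168.1.2/32
"""

IFCONFIG = """\
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.2.1 netmask ffffff00 broadcast 10.0.2.255
        ether 0:3:ba:c2:4:69
bge2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.2 netmask fffffffc broadcast 192.168.1.3
        ether 0:3:ba:c2:4:6b
bge3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
        ether 0:3:ba:c2:4:6c
sppp0: flags=10008d0<POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 65529 index 5
        inet 0.0.0.0 --> 0.0.0.0 netmask 0
        ether 0:0:0:0:0:0
"""

IFACE_RE = re.compile(r"^(\w+):\s+flags=")
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+).*?netmask\s+([0-9a-fA-F]+)")
MAP_RE = re.compile(r"^\s*map\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s*(.*)$")


def parse_ifconfig(text):
    """Return {ifname: IPv4Interface} from Solaris-style 'ifconfig -a' output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and current:
            addr, mask_hex = m.groups()
            prefix_len = bin(int(mask_hex, 16)).count("1")  # ffffff00 -> 24
            ifaces[current] = ipaddress.ip_interface(f"{addr}/{prefix_len}")
    return ifaces


def parse_cidr(token):
    """ipnat writes 'any' as 0/0; everything else is addr/len."""
    if token == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_ipnat(text):
    """Return [(line_no, iface, src_net, dst_net, options)] for uncommented map rules."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        m = MAP_RE.match(line)
        if m:
            iface, src, dst, opts = m.groups()
            rules.append((no, iface, parse_cidr(src), parse_cidr(dst), opts.strip()))
    return rules


def audit(ipnat_text, ifconfig_text):
    """Flag map rules whose translation pool is wider than an address this host owns.

    Returns [(rule_line_no, message)]; an empty list means every rule translates
    onto exactly the address configured on the named interface.
    """
    ifaces = parse_ifconfig(ifconfig_text)
    local = {i.ip for i in ifaces.values()}
    findings = []
    for no, iface, _src, dst, _opts in parse_ipnat(ipnat_text):
        if iface not in ifaces:
            findings.append((no, f"{iface}: interface not present in ifconfig output"))
            continue
        if ifaces[iface].ip not in dst:
            findings.append((no, f"{iface}: pool {dst} does not contain its address "
                                 f"{ifaces[iface].ip}"))
        # Count pool members the host does not own without enumerating the pool
        # (a 0/0 target would be four billion addresses).
        foreign = dst.num_addresses - sum(1 for a in local if a in dst)
        if foreign:
            findings.append((no, f"{iface}: pool {dst} includes {foreign} address(es) "
                                 "not configured on this host"))
    return findings


if __name__ == "__main__":
    for no, msg in audit(IPNAT_CONF, IFCONFIG) or [(0, "no findings")]:
        print(no, msg)
```

Run against the pasted configuration it reports nothing; feeding it a rule with a `/24` target instead reports 255 pool addresses the host does not hold, which is the kind of rule worth a second look when translated packets show up with an unexpected source address.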