* j knight ([EMAIL PROTECTED]) [030605 13:13]:
> This is essentially the "redirection and reflection" 
> (http://www.openbsd.org/faq/pf/rdr.html#reflect) problem that people run 
> into. The cleanest solution is to have the internal machines use only 
> their internal addresses to communicate, however, if you can stand 
> traffic between internal machines looping through the firewall, there is 
> some trickery you can do with redirection and nat to do what you want 
> (http://www.openbsd.org/faq/pf/rdr.html#rdrnat).

Yeah, this is similar, but different.  Yes, it's the same in that I am
trying to loop packets back out and then back in.  This is why I did the
whole proxy arp, along with not binding any of the IPs to the local
interface deal in the first place.  What I see in tcpdump is I actually
see the packet reach fxp0 (the external interface), and it's correct.
It's just that the kernel then doesn't pick the packet back up and
process it.  So what I end up with in the case of an ICMP ping is the
following.

11:34:59.916590 0:50:8:0:56:4e 0:50:8:0:56:4e 0800 98: 1.2.3.232 > 1.2.3.231: icmp: echo request
11:35:00.918238 0:50:8:0:56:4e 0:50:8:0:56:4e 0800 98: 1.2.3.232 > 1.2.3.231: icmp: echo request
11:35:01.920037 0:50:8:0:56:4e 0:50:8:0:56:4e 0800 98: 1.2.3.232 > 1.2.3.231: icmp: echo request
11:35:02.921926 0:50:8:0:56:4e 0:50:8:0:56:4e 0800 98: 1.2.3.232 > 1.2.3.231: icmp: echo request
11:35:03.923753 0:50:8:0:56:4e 0:50:8:0:56:4e 0800 98: 1.2.3.232 > 1.2.3.231: icmp: echo request
11:35:04.925465 0:50:8:0:56:4e 0:50:8:0:56:4e 0800 98: 1.2.3.232 > 1.2.3.231: icmp: echo request

This is for a ping from the box at 10.10.2.232 attempting to ping 1.2.3.231.  
Note the source address has been correctly translated, and that the 
destination mac address is even correct, it just doesn't send it back 
through.  This is the exact same as FreeBSD but something causes FreeBSD to 
pick the packet back up and send it back down the chain.  That's what I'm 
looking for, as the design of this whole "looped" network architecture is 
set in stone (the current box is a Cisco PIX and we were attempting to 
replace it with a FreeBSD box, but ran into a larger issue than this (we
solved this)).

Thanks,

Greg

-- 
Greg Rumple
[EMAIL PROTECTED]

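For readers following the thread, here is the "rdr plus nat" reflection ruleset that the quoted FAQ section (rdr.html#rdrnat) describes, written out as an added example. It is not Greg's ruleset and not taken from the post: the post only gives the external interface name (fxp0) and the 10.10.2.x to 1.2.3.x mapping, so the internal interface name (fxp1), the internal network (10.10.2.0/24), the internal server address (10.10.2.231, assumed to be what 1.2.3.231 maps to) and the port (80) are all assumptions. The syntax is the pre-4.7 pf grammar that matches the FAQ of the time.

```pf
# Added example of the pf "redirection and reflection" workaround
# (rdr + nat), not the poster's configuration.
# Assumed names: fxp1 is the internal interface, 10.10.2.0/24 the
# internal network, 10.10.2.231 the internal host behind 1.2.3.231.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "10.10.2.0/24"
server  = "10.10.2.231"
pub_ip  = "1.2.3.231"

# 1. Internal clients that address the public IP are redirected to the
#    internal server as the packet enters the internal interface.
rdr on $int_if proto tcp from $int_net to $pub_ip port 80 -> $server port 80

# 2. Without this second rule the server would answer the client
#    directly (same subnet) and the client would drop the reply, since
#    it is waiting for a reply from $pub_ip, not from $server. Rewriting
#    the source to the firewall's internal address forces the reply
#    back through pf so the translations can be undone.
nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if

# 3. Let the redirected traffic through.
pass in  on $int_if proto tcp from $int_net to $server port 80 keep state
pass out on $int_if proto tcp from $int_if to $server port 80 keep state
```

The consequence j knight points out is visible in the nat rule: every client-to-server packet now crosses the firewall twice, which is the "looping through the firewall" cost of this approach. When debugging a setup like this, tcpdump on the internal interface should show both the translated request and the server's reply; a capture like the one above, with only echo requests and no replies, indicates that the return path is not being picked up.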