Hi,
Here is a simple explanation:
This is my pf.conf:
extif="{ ed0 }"
extip="{ (ed0) }"
table <lan> { 192.168.1.0/24 }
nat on $extif from <lan> to any -> $extip
pass all
I want to ping from my LAN stations (192.168.1.18 and 192.168.1.19) to a
public DNS server (like 192.9.9.3).
Look at my state table:
# pfctl -ss
self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512 0:0
Take a look at ICMP traffic:
Internal interface:
# tcpdump -c 10 -i dc0 -nq icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
10:00:51.538006 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37394
10:00:51.671439 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43538
10:00:52.199114 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37650
10:00:52.538007 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37650
10:00:52.672876 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43794
10:00:53.210683 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37906
10:00:53.554918 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37906
10:00:53.674441 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 44050
10:00:54.212218 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 38162
10:00:54.551131 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 38162
10 packets captured
26 packets received by filter
0 packets dropped by kernel
External interface:
# tcpdump -c 10 -i ed0 -nq icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ed0, link-type EN10MB (Ethernet), capture size 96 bytes
10:02:42.839665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6419
10:02:42.909906 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 275
10:02:43.248794 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 275
10:02:43.841123 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6675
10:02:43.921558 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 531
10:02:44.263806 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 531
10:02:44.842665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6931
10:02:44.923035 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 787
10:02:45.262390 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 787
10:02:45.844227 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 7187
10 packets captured
12 packets received by filter
0 packets dropped by kernel
The problem is:
I can ping 192.9.9.3 from only one of my stations at the same time
(192.168.1.18).
Other stations show "Request timed out."; when I stop the ping on 192.168.1.18,
the other station begins to receive replies.
So... is there any problem with NATing ICMP packets in pf?
Or is this just my mistake in pf.conf?
Notice:
I found another issue like this in the ipfilter FAQ
(http://www.phildev.net/ipf/IPFprob.html#prob11):
"11. I'm using NAT and I can't ping the same machine on the internet from two
different machines on my LAN at the same time:
It isn't possible to map ports on ICMP packets. Hence, once a state table entry
is set up to a particular target, only one machine can ping that target until
the state table entry expires.
For TCP and UDP, portmapping allows simultaneous connections to external
targets from multiple machines in the LAN."
Is this also right about pf?
Thanks in advance,
Pejman
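As an added illustration (a toy model written for this page, not code from the post or from pf): a NAT state table keyed the way the pfctl -ss entry above is printed, with both stations sending echo id 512 as that entry shows. Run once keeping the id unchanged and once allocating a fresh gateway-side id, it shows why a shared id leaves room for only one station's reply state at a time, and how remapping the id like a port removes the conflict; whether pf itself remaps echo ids is the question the post asks, so the model is deliberately neutral on that, and the starting id 40000 is a constructed value.

```python
from dataclasses import dataclass, field


@dataclass
class IcmpNat:
    """Toy NAT state table for ICMP echo, keyed like the pfctl -ss entry
    in the post: lan (src:id) -> gwy (extip:id) -> ext (dst:id).
    Simplified model written for this example, not pf's own code."""
    remap_ids: bool = False          # allocate a fresh id on the gateway side?
    next_id: int = 40000             # constructed starting id for remapping
    table: dict = field(default_factory=dict)   # gwy key -> lan key

    def outbound(self, src, ext_ip, dst, icmp_id):
        """Echo request leaving the LAN. Returns the (ext_ip, id, dst) key
        used on the wire, or None when an existing state owned by another
        LAN host already claims that reply tuple (the collision case)."""
        lan_key = (src, icmp_id)
        gwy_id = icmp_id
        if self.remap_ids:
            gwy_id, self.next_id = self.next_id, self.next_id + 1
        gwy_key = (ext_ip, gwy_id, dst)
        owner = self.table.get(gwy_key)
        if owner is not None and owner != lan_key:
            return None
        self.table[gwy_key] = lan_key
        return gwy_key

    def inbound(self, ext_ip, dst, icmp_id):
        """Echo reply arriving from dst; returns the LAN key that owns it."""
        return self.table.get((ext_ip, icmp_id, dst))


def simulate(remap_ids):
    """Both stations from the post ping 192.9.9.3 with echo id 512 (the id
    shown in the state entry). Returns {station: delivered-to LAN key or None}."""
    nat = IcmpNat(remap_ids=remap_ids)
    outcome = {}
    for station in ("192.168.1.18", "192.168.1.19"):
        key = nat.outbound(station, "1.2.3.4", "192.9.9.3", 512)
        if key is None:
            outcome[station] = None        # "Request timed out."
            continue
        ext_ip, gwy_id, dst = key
        outcome[station] = nat.inbound(ext_ip, dst, gwy_id)  # target echoes id back
    return outcome


if __name__ == "__main__":
    print("id kept    :", simulate(remap_ids=False))
    print("id remapped:", simulate(remap_ids=True))
```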