Re: Port Forwarding FreeBSD 4.7_Release

2003-03-16 Thread Matthew Ryan
On Saturday, March 15, 2003, at 03:06  am, Bill Moran wrote:

> Matthew Ryan wrote:
>> On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
>>>> Fact is, natd _only_ redirects from the interface it was told to bind to.
>>>> I'm not exactly sure why the packets don't route out and back in when you
>>>> try it from inside, but they don't ;( so you always need to test it from
>>>> the external interface.
>>>
>>> The reason they don't route out is that they are addressed to the
>>> router, so it doesn't bother to forward them outside.
>>
>> Ok, I understand, this does present me with a bit of a problem
>> however, accessing my mail server from home for example. Can you
>> think of a workaround?
>
> I don't fully understand the question.  What exactly do you mean by
> from home?  Is the mail server behind the firewall?  You can port
> forward/reroute just about anything to anywhere, with enough time and
> patience.  But there's not enough information in the statement you just
> made for anyone to help you much.

Sorry, I'll try to be more explicit. I have a number of services on
ports forwarded from my external IP address to an internal IP address
via NAT as we have discussed.

The problem is that I can not access these services from inside nat.

Example - My mail server address resolves to my external IP number. 
It's primarily a mobility issue.  From inside NAT I can't collect my 
mail unless I specifically point my browser at the internal IP number 
of my mail server. Yes I can get around this with some sort of client 
location manager or by connecting to the internet via a route other 
than my LAN, but none of these options are ideal.

I am hoping for a routing solution, and I am pleased to read your 
comforting words:

> You can port forward/reroute just about anything to anywhere, with
> enough time and patience.

Lowell Gilbert suggests running local DNS (thanks) but I have no 
experience of DNS and I had other areas of learning in mind for the 
moment.

Can anyone think of another solution?

Thanks again

Matthew Ryan

[EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-16 Thread Bill Moran
Matthew Ryan wrote:
> On Saturday, March 15, 2003, at 03:06  am, Bill Moran wrote:
>
>> Matthew Ryan wrote:
>>
>>> On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
>>>
>>>>> Fact is, natd _only_ redirects from the interface it was told to bind to.
>>>>> I'm not exactly sure why the packets don't route out and back in when you
>>>>> try it from inside, but they don't ;( so you always need to test it from
>>>>> the external interface.
>>>>
>>>> The reason they don't route out is that they are addressed to the
>>>> router, so it doesn't bother to forward them outside.
>>>
>>> Ok, I understand, this does present me with a bit of a problem
>>> however, accessing my mail server from home for example. Can you
>>> think of a workaround?
>>
>> I don't fully understand the question.  What exactly do you mean by
>> from home?  Is the mail server behind the firewall?  You can port
>> forward/reroute just about anything to anywhere, with enough time and
>> patience.  But there's not enough information in the statement you just
>> made for anyone to help you much.
>
> Sorry, I'll try to be more explicit. I have a number of services on
> ports forwarded from my external IP address to an internal IP address
> via NAT as we have discussed.
>
> The problem is that I can not access these services from inside nat.
>
> Example - My mail server address resolves to my external IP number. It's
> primarily a mobility issue.  From inside NAT I can't collect my mail
> unless I specifically point my browser at the internal IP number of my
> mail server. Yes I can get around this with some sort of client location
> manager or by connecting to the internet via a route other than my LAN,
> but none of these options are ideal.

I understand.  I don't know if there is any ideal solution, but I'll
offer a few suggestions.

You may be able to run a second instance of natd that works on the internal
interface and redirects traffic as you would like.  This would be experimental:
I have no idea if it would work and only a guess as to how to configure it.

You could also put an alias IP address on the internal machine and manipulate
the routing so it always goes the right place.  This will probably be tricky,
and each time I try to work it out in my head, I end up with a problem.  But
I suppose it's worth a try. (warning: you could effectively shut your network
down by doing this wrong!)

> I am hoping for a routing solution, and I am pleased to read your
> comforting words:
>
>> You can port forward/reroute just about anything to anywhere, with
>> enough time and patience.

Well ... sometimes it takes a LOT of time and patience ...

> Lowell Gilbert suggests running local DNS (thanks) but I have no
> experience of DNS and I had other areas of learning in mind for the moment.

Unfortunately for you, I think running internal DNS is the closest to ideal
that you're going to get.

The basic concept is that outside on the internet, mail.domain.com resolves
to the external interface that is forwarded to your internal machine.
Inside your LAN, a custom DNS server answers your queries, and it points
mail.domain.com directly to the machine on the local LAN.  Thus, you only
need put mail.domain.com into your POP3 config and it always points to
the right place.

I've also heard that newer versions of BIND have a more elegant way of doing
the same thing, but I don't have any experience with that yet.

> Can anyone think of another solution?

So far, only the other idea I describe above.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
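
The internal/external DNS split described in the message above, written with BIND 9 views, as an added example that is not part of the original thread or any poster's configuration. Assumptions: the LAN is 192.168.1.0/24 and the mail server is the forwarded host 192.168.1.241; 203.0.113.10 is a documentation-range placeholder for the gateway's external address; zone file names are hypothetical.

```conf
// named.conf fragment: one name, two answers, chosen by client address.
// All addresses other than 192.168.1.241 are assumptions (see lead-in).

acl "lan" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/etc/namedb";
    allow-transfer { none; };        // no zone transfers to anyone
};

// LAN clients: answer mail.domain.com with the internal address, so
// traffic never has to hit the gateway's external IP and natd redirect.
view "internal" {
    match-clients { "lan"; };
    recursion yes;                   // resolve other names for the LAN
    zone "domain.com" {
        type master;
        file "internal/domain.com";  // contains: mail IN A 192.168.1.241
    };
};

// Everyone else: answer with the external address that natd forwards.
// Recursion stays off so the server is not an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "domain.com" {
        type master;
        file "external/domain.com";  // contains: mail IN A 203.0.113.10
    };
};

// Caveats:
// - Views are matched in order; "internal" must come before "external".
// - The internal zone file must carry every domain.com name LAN clients
//   use, because this view is authoritative for the whole zone.
// - If public DNS for the domain is hosted elsewhere, drop the
//   "external" view and add listen-on for the LAN interface only, so
//   the internal addresses are never served to outside clients.
```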


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-15 Thread Lowell Gilbert
Matthew Ryan [EMAIL PROTECTED] writes:

> On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
>
>>> Fact is, natd _only_ redirects from the interface it was told to bind to.
>>> I'm not exactly sure why the packets don't route out and back in when you
>>> try it from inside, but they don't ;( so you always need to test it from
>>> the external interface.
>>
>> The reason they don't route out is that they are addressed to the
>> router, so it doesn't bother to forward them outside.
>
> Ok, I understand, this does present me with a bit of a problem
> however, accessing my mail server from home for example. Can you think
> of a workaround?

Sure.  Use the inside IP address of the server.  You can run your own
DNS server to make this easy.  I do this with my home network; I run
it on the same machine as the mail server, and the DNS isn't
accessible from outside the home network.  



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Daniel Bye
On Fri, Mar 14, 2003 at 10:30:28AM +, Matthew Ryan wrote:
> Hi there,
>
> I've been trying to route packets received on port  via the
> external interface (used by NAT) of my FreeBSD gateway to the same port
> on a local machine.
>
> The manual would seem to make this simple stuff - I have added the
> following line to /etc/rc.conf:
>
> natd_flags=-redirect_port tcp 192.168.1.241: 
>
> accessing this service on the local machine via the local address is
> fine but a port scan from the outside, reveals that the relevant ports
> appear closed still. Needless to say - the service is unavailable.
>
> I have tried entering the following on the command line (with and
> without the /etc/rc.conf flag):
>
> natd -redirect_port tcp 192.168.1.241: 
>
> but here's what i get:
>
> natd: aliasing address not given

That's because natd can't determine which interface it should use for
aliasing.  Try specifying it with the -n flag:

# natd -n xl0 -redirect...

Replace xl0 with whatever your external interface is.

HTH,

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
Thanks Dan

Unfortunately that doesn't seem to work either.

I get this when I enter on the command line:

natd -n ep0 -redirect_port tcp 192.168.1.241: 

natd: Unable to create divert socket.: Operation not permitted

and no results using the following in /etc/rc.conf:

natd_flags=-n ep0 -redirect_port tcp 192.168.1.241: 

By the way, the interface is specified already in /etc/rc.conf as 
follows?:

natd_interface=ep0

any other ideas?

Ta

Matthew Ryan

[EMAIL PROTECTED]



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Daniel Bye wrote:
> On Fri, Mar 14, 2003 at 10:30:28AM +, Matthew Ryan wrote:
>
>> natd -redirect_port tcp 192.168.1.241: 
>>
>> but here's what i get:
>>
>> natd: aliasing address not given
>
> That's because natd can't determine which interface it should use for
> aliasing.  Try specifying it with the -n flag:
>
> # natd -n xl0 -redirect...
>
> Replace xl0 with whatever your external interface is.

Use the natd_interface=xl0 syntax in /etc/rc.conf to add this to the
startup procedure.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Daniel Bye
On Fri, Mar 14, 2003 at 01:07:42PM +, Matthew Ryan wrote:
> Thanks Dan
>
> Unfortunately that doesn't seem to work either.

Rats!

> I get this when I enter on the command line:
>
> natd -n ep0 -redirect_port tcp 192.168.1.241: 
>
> natd: Unable to create divert socket.: Operation not permitted

Silly question, I'm almost blushing to ask - you are running the command as
root, yes?

> and no results using the following in /etc/rc.conf:
>
> natd_flags=-n ep0 -redirect_port tcp 192.168.1.241: 
>
> By the way, the interface is specified already in /etc/rc.conf as
> follows?:
>
> natd_interface=ep0

This will ensure it's picked up at boot time, as Bill stated, but won't
affect the stuff you do on the commandline.

> any other ideas?

If it's not because you are running as a non-root user, no, not really.

> Ta
>
> Matthew Ryan
>
> [EMAIL PROTECTED]

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Daniel Bye wrote:
> On Fri, Mar 14, 2003 at 01:07:42PM +, Matthew Ryan wrote:
>
>> Thanks Dan
>>
>> Unfortunately that doesn't seem to work either.
>
> Rats!
>
>> I get this when I enter on the command line:
>>
>> natd -n ep0 -redirect_port tcp 192.168.1.241: 
>>
>> natd: Unable to create divert socket.: Operation not permitted
>
> Silly question, I'm almost blushing to ask - you are running the command as
> root, yes?

Also ... are you sure that:
a) You have your kernel configured with IPDIVERT?  The GENERIC kernel
   does _not_.
b) natd isn't already running with different options when you try to
   start it on the command line?

>> and no results using the following in /etc/rc.conf:
>>
>> natd_flags=-n ep0 -redirect_port tcp 192.168.1.241: 
>>
>> By the way, the interface is specified already in /etc/rc.conf as
>> follows?:
>>
>> natd_interface=ep0

This is redundant.  You can remove the -n ep0 from natd_flags.

>> any other ideas?

I don't know _what's_ wrong.
But I've got this running in two places with no problems.  It
works just fine, and as far as I can see, the syntax you're using is
correct, so I wouldn't focus on that.  Let us know what you find when
you check the suggestions I made ... I have other suggestions if
those don't help.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
Bill and Dan,

Thanks for your help guys it's sort of working now but for the record 
here's the story.

All attempts to start port forwarding from the command line were 
failing because NATD was already running (enabled at boot time) DOH!

> b) natd isn't already running with different options when you try to
>    start it on the command line?

Well spotted Bill!

The /etc/rc.conf entry:

natd_flags=-redirect_port tcp 192.168.1.241: 

was fine since:

natd_interface=ep0

specified the interface.

All in all I just should have posted the whole of my /etc/rc.conf in 
the first place.

Sorry about that.

The real irony is that it was working all along!!

I just didn't know because I was trying to access the service on the 
external IP address of my router from an internal IP address.

When I tried to access it via. my other connection (in effect from 
outside) everything worked fine.

I'm sure that there is some reasonable explanation for this to do with 
the way that NAT operates  but I can't figure it out.

Any clues?

Thanks Again

Matthew Ryan

[EMAIL PROTECTED]




Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Lowell Gilbert
Bill Moran [EMAIL PROTECTED] writes:

> Matthew Ryan wrote:
>> The /etc/rc.conf entry:
>> natd_flags=-redirect_port tcp 192.168.1.241: 
>> was fine since:
>> natd_interface=ep0
>> specified the interface.
>> All in all I just should have posted the whole of my /etc/rc.conf in
>> the first place.
>> Sorry about that.
>> The real irony is that it was working all along!!
>> I just didn't know because I was trying to access the service on the
>> external IP address of my router from an internal IP address.
>> When I tried to access it via. my other connection (in effect from
>> outside) everything worked fine.
>> I'm sure that there is some reasonable explanation for this to do
>> with the way that NAT operates  but I can't figure it out.
>
> Fact is, natd _only_ redirects from the interface it was told to bind to.
> I'm not exactly sure why the packets don't route out and back in when you
> try it from inside, but they don't ;( so you always need to test it from
> the external interface.

The reason they don't route out is that they are addressed to the
router, so it doesn't bother to forward them outside.



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:

>> Fact is, natd _only_ redirects from the interface it was told to bind to.
>> I'm not exactly sure why the packets don't route out and back in when you
>> try it from inside, but they don't ;( so you always need to test it from
>> the external interface.
>
> The reason they don't route out is that they are addressed to the
> router, so it doesn't bother to forward them outside.

Ok, I understand, this does present me with a bit of a problem however, 
accessing my mail server from home for example. Can you think of a 
workaround?

Ta

Matthew Ryan

[EMAIL PROTECTED]



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Matthew Ryan wrote:
> On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
>
>>> Fact is, natd _only_ redirects from the interface it was told to bind to.
>>> I'm not exactly sure why the packets don't route out and back in when you
>>> try it from inside, but they don't ;( so you always need to test it from
>>> the external interface.
>>
>> The reason they don't route out is that they are addressed to the
>> router, so it doesn't bother to forward them outside.
>
> Ok, I understand, this does present me with a bit of a problem however,
> accessing my mail server from home for example. Can you think of a
> workaround?

I don't fully understand the question.  What exactly do you mean by
from home?  Is the mail server behind the firewall?  You can port
forward/reroute just about anything to anywhere, with enough time and
patience.  But there's not enough information in the statement you just
made for anyone to help you much.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com