NATd issue

2005-12-25 Thread David DU SERRE TELMON

Hi,

I've the network below :

192.168.2.0/23
|
192.168.3.254 FreeBSD
x.x.x.x router 1 (dialup)
|
Internet
|
y.y.y.y FreeBSD
10.0.0.254 router 2
|
10.0.0.0/24

Each gateway runs racoon.
Each network can reach the Internet.
The VPN is OK.

I would like to NAT packets from 192.168.2.0/23 to 10.0.0.0/24 with IP 
192.168.3.254 on router 1 (or 10.0.0.254 if it's possible). The VPN 
interface is gif5 on router 1.


My ipfw rules :
dialup:~# ipfw show | grep 8670
00650 4 400 divert 8670 ip from 192.168.2.0/23 to 10.0.0.0/24
00660 4 400 divert 8670 ip from 10.0.0.0/24

natd in debug mode :

dialup:~# natd -v -p natd-vpn -interface gif5
natd[42308]: Aliasing to 192.168.3.254, mtu 1280 bytes
In [ICMP] [ICMP] 192.168.3.82 -> 10.0.0.1 8(0) aliased to
[ICMP] 192.168.3.82 -> 10.0.0.1 8(0)
Out [ICMP] [ICMP] 10.0.0.1 -> 192.168.3.82 0(0) aliased to
[ICMP] 10.0.0.1 -> 192.168.3.82 0(0)

gif5 is the VPN tunnel interface:

dialup:~# ifconfig gif5
gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet x.x.x.x -- y.y.y.y
inet 192.168.3.254 -- 10.0.0.254 netmask 0x

As you can see, the packets are not translated to IP 192.168.3.254.

Same result with natd -p natd-vpn -a 192.168.3.254.

I think the solution will be -reverse; when I use it, packets are 
NATed (ping from 192.168.3.61 to 10.0.0.1):


dialup:/etc# natd -v -p natd-vpn -reverse -interface gif5
natd[43271]: Aliasing to 192.168.3.254, mtu 1280 bytes
In [ICMP] [ICMP] 192.168.3.61 -> 10.0.0.1 8(0) aliased to
[ICMP] 192.168.3.254 -> 10.0.0.1 8(0)

tcpdump on the remote gateway:
11:26:44.641090 IP 192.168.3.254 > 10.0.0.1: icmp 64: echo request seq 0
11:26:44.641240 IP 10.0.0.1 > 192.168.3.254: icmp 64: echo reply seq 0

But I don't get any reply on the local site (192.168.2.0/23); I don't 
see any OUT packet in natd.


David.

Thanks!

Have a nice Christmas!
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


weird natd issue (maybe reinjection trouble?)

2003-09-30 Thread Lewis Thompson
# please cc me!  I've just got to university and can't get all my mail
# right now.  It'd really help a lot.  Thanks!

Hi,

I'm having trouble with natd on a dual-homed host.  I've done my best to
troubleshoot the problem but I'm no networking expert and I'm hoping
it's something I've overlooked.

  I have two machines -- clientmachine (also
black.lewiz.org/192.168.0.12) and natdmachine (also
purple.lewiz.org/192.168.0.1, lh014.halls.umist.ac.uk/130.88.163.14).
natdmachine can access the Internet fine -- I can use the web, ping,
etc.  However, when it comes to natting the connection I stumble across
problems.

  First of all, ICMP ping works and I get replies.  Some NAT stuff is
going on and seemingly working.  However, if I try to access the web
(through a proxy at UMIST) the trouble starts.  It seems to me that the
following is happening (the "evidence" from tcpdump and natd is shown
below):

clientmachine attempts to access site through proxy.  The default route
is to natdmachine.  This arrives at natdmachine and gets passed through
natd, which then duly sends out the packet to the proxy.  Fine.  The
response from the proxy comes back, goes through natd (which realises
where the packet is bound) and then... well, nothing.  It's very much as
though natd doesn't spit the packet back out.  I have searched for
reinjection problems but afaik this is not it (please tell me I'm
wrong!)

  I've not included the log outputs for an ICMP ping but it basically
shows:

22:43:20.207183 black.lewiz.org > 216.239.37.99: icmp: echo request
22:43:20.288565 216.239.37.99 > black.lewiz.org: icmp: echo reply

on natdmachine's local interface (sis0).  With an attempt to access the
proxy all I get is the equivalent of a request but no response (despite
it being processed by natd).

  *ANY IDEAS AT ALL* would be greatly appreciated!  I'm really stuck
here and I'm no routing/natting genius.  If it's something simple I'm
sorry (but glad).  I can provide any details required.  Thanks very
much,

# logs.  all snipped as i saw appropriate.  if you want more verbosity,
# just ask!

clientmachine# tcpdump -i rl0  (rl0 is clientmachine's only if (internal))
22:33:05.514351 black.lewiz.org.49205 > kevin.umist.ac.uk.3128: S 4110987312:4110987312(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1658030 0> (DF)

natdmachine# tcpdump -i sis0  (sis0 is internal if)
22:33:06.391596 black.lewiz.org.49205 > kevin.umist.ac.uk.3128: S 4110987312:4110987312(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1658650 0> (DF)

natdmachine# /sbin/natd -n rl0 -v  (rl0 is internet/external if)
Out [TCP]  [TCP] 192.168.0.12:49205 -> 130.88.96.65:3128 aliased to
   [TCP] 130.88.163.14:49205 -> 130.88.96.65:3128
In  [TCP]  [TCP] 130.88.96.65:3128 -> 130.88.163.14:49205 aliased to
   [TCP] 130.88.96.65:3128 -> 192.168.0.12:49205

natdmachine# tcpdump -i rl0  (rl0 is internet/external if)
22:33:06.391813 lh014.halls.umist.ac.uk.49205 > kevin.umist.ac.uk.3128: S 4110987312:4110987312(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1658650 0> (DF)
22:33:06.392139 kevin.umist.ac.uk.3128 > lh014.halls.umist.ac.uk.49205: S 3559084666:3559084666(0) ack 4110987313 win 5792 <mss 1460,nop,nop,timestamp 944903651 1658030,nop,wscale 0> (DF)
# no response from lh014 here
22:33:06.878969 kevin.umist.ac.uk.3128 > lh014.halls.umist.ac.uk.49204: S 3517400283:3517400283(0) ack 3127196455 win 5792 <mss 1460,nop,nop,timestamp 944903700 1654158,nop,wscale 0> (DF)

-lewiz.
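Both posts rely on reading natd's verbose output by eye. The script below is an added example, not code from either poster: it parses natd -v log lines, pairs each "aliased to" header with its continuation line, and groups the translations per flow so you can see whether natd rewrote both directions, rewrote only one direction (the -reverse run in the first post), or logged the packet and left it unchanged (the first run in the first post). That check separates "natd never received the reply" from "natd translated the reply but the kernel never delivered it", which is the question the second post is really asking before suspecting reinjection. It assumes natd writes the endpoints as "src -> dst"; the sample logs are constructed from the two posts with that arrow put back, since the archive rendering dropped the ">".

```python
"""Reconstruct NAT flows from natd -v output (added example, not from the posts)."""
import re

# Header line, e.g. "Out [TCP]  [TCP] 192.168.0.12:49205 -> 130.88.96.65:3128 aliased to".
# ICMP headers carry a trailing "type(code)" such as "8(0)" before "aliased to".
HEAD_RE = re.compile(
    r"^(?P<dir>In|Out)\s+\[(?P<proto>[A-Z]+)\]\s+\[[A-Z]+\]\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)(?:\s+\d+\(\d+\))?\s+aliased to\s*$"
)
# Continuation line, e.g. "   [TCP] 130.88.163.14:49205 -> 130.88.96.65:3128".
ALIAS_RE = re.compile(r"^\s*\[[A-Z]+\]\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

# Sample logs constructed from the two posts (assumed "src -> dst" format).
POST1_NO_REVERSE = """
In [ICMP] [ICMP] 192.168.3.82 -> 10.0.0.1 8(0) aliased to
[ICMP] 192.168.3.82 -> 10.0.0.1 8(0)
Out [ICMP] [ICMP] 10.0.0.1 -> 192.168.3.82 0(0) aliased to
[ICMP] 10.0.0.1 -> 192.168.3.82 0(0)
"""
POST1_REVERSE = """
In [ICMP] [ICMP] 192.168.3.61 -> 10.0.0.1 8(0) aliased to
[ICMP] 192.168.3.254 -> 10.0.0.1 8(0)
"""
POST2 = """
Out [TCP]  [TCP] 192.168.0.12:49205 -> 130.88.96.65:3128 aliased to
   [TCP] 130.88.163.14:49205 -> 130.88.96.65:3128
In  [TCP]  [TCP] 130.88.96.65:3128 -> 130.88.163.14:49205 aliased to
   [TCP] 130.88.96.65:3128 -> 192.168.0.12:49205
"""


def parse_natd_log(text):
    """One record per logged packet: direction, protocol, endpoints before and
    after aliasing, and which endpoint natd rewrote ('src', 'dst', 'both',
    or None when the packet came out unchanged)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    i = 0
    while i + 1 < len(lines):
        head = HEAD_RE.match(lines[i])
        alias = ALIAS_RE.match(lines[i + 1]) if head else None
        if not (head and alias):
            i += 1  # not a header/continuation pair; skip this line
            continue
        before = (head["src"], head["dst"])
        after = (alias["src"], alias["dst"])
        flags = (after[0] != before[0], after[1] != before[1])
        changed = {(False, False): None, (True, False): "src",
                   (False, True): "dst", (True, True): "both"}[flags]
        records.append({"dir": head["dir"], "proto": head["proto"],
                        "before": before, "after": after, "changed": changed})
        i += 2
    return records


def summarize_flows(records):
    """Group records by (inside endpoint, remote endpoint).

    For a source rewrite the inside host is the pre-aliasing source; for a
    destination rewrite it is the post-aliasing destination.  'rewritten'
    holds the directions natd actually changed; 'untouched' counts packets
    it logged but left alone, keyed by the unordered endpoint pair because
    neither side of such a packet can be called the inside."""
    flows = {}
    for r in records:
        if r["changed"] == "src":
            inside, remote, alias = r["before"][0], r["before"][1], r["after"][0]
        elif r["changed"] == "dst":
            inside, remote, alias = r["after"][1], r["before"][0], r["before"][1]
        elif r["changed"] == "both":
            continue  # not produced by a plain natd setup; ignored here
        else:
            key = tuple(sorted(r["before"]))
            f = flows.setdefault(key, {"alias": None, "rewritten": set(), "untouched": 0})
            f["untouched"] += 1
            continue
        f = flows.setdefault((inside, remote),
                             {"alias": alias, "rewritten": set(), "untouched": 0})
        f["rewritten"].add(r["dir"])
    return flows


def one_way_flows(flows):
    """Flows natd rewrote in one direction only: the reply either never
    reached natd or was never sent back out."""
    return [k for k, f in flows.items() if len(f["rewritten"]) == 1]


if __name__ == "__main__":
    for label, log in (("post 1, no -reverse", POST1_NO_REVERSE),
                       ("post 1, -reverse", POST1_REVERSE),
                       ("post 2", POST2)):
        flows = summarize_flows(parse_natd_log(log))
        print(label)
        for key, f in flows.items():
            print("  %s <-> %s  alias=%s  rewritten=%s  untouched=%d"
                  % (key[0], key[1], f["alias"], sorted(f["rewritten"]), f["untouched"]))
        print("  one-way flows:", one_way_flows(flows))
```

Run it against a capture of `natd -v` output: a flow listed under "one-way flows" means natd only ever rewrote one direction, while a flow with both "In" and "Out" rewritten but no reply on the inside host (the second post's case) points past natd at routing or the divert rule that should reinject the translated packet.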