natd problem (but close!)

The Bean beantaxi at yahoo.com
Fri Dec 26 09:27:10 PST 2003


Hi all,

I've been trying to get natd up on a FreeBSD 4.9-Stable box. 
I think I've followed every step, and it's still not quite working, 
although I believe it's getting close. My dual-homed box has 
two interfaces: internal ed0=10.13.0.1/8, and external 
xl0=xx.yy.zz.187/29 (note I've cleverly obscured the IP). 

Here's what I've done on the dual-homed box:
- Kernel compiled with IPFIREWALL & IPDIVERT
- gateway_enabled="YES", verified with sysctl -a list | grep ipforwarding
- firewall set to open
- natd_enabled="YES"
- natd_interface=my external interface
- natd_flags=-f /etc/natd.conf
- /etc/natd.conf contains one line: redirect_address 10.0.0.13 xx.yy.zz.186, 
where xx.yy.zz.186 is the desired public IP for a client on my internal 
network, whose internal IP is 10.0.0.13

On my client, I've set the default router to 10.13.0.1, which is the IP for the 
internal interface for the gateway box.

The gateway can access the Internet just fine. The client has some problems, 
which I've attempted to diagnose by running tcpdump on the gateway, and 
trying a ping and a lynx from the client. Here are the results, as reported
by the gateway:

ping 151.164.1.8 (from client to one of my ISP's nameservers)
-----
10:14:39.738942 xx.yy.zz.186 > 151.164.1.8: icmp: echo request
10:14:39.760288 151.164.1.8 > xx.yy.zz.186: icmp: echo reply
10:14:40.748798 xx.yy.zz.186 > 151.164.1.8: icmp: echo request
10:14:40.770406 151.164.1.8 > xx.yy.zz.186: icmp: echo reply
(etc)

lynx www.yahoo.com
-----
10:16:55.827709 xx.yy.zz.186.2559 > 216.109.118.64.http: S 552730403:552730403(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 35611940 0> (DF)
10:16:55.920315 216.109.118.64.http > xx.yy.zz.186.2559: S 2144501521:2144501521(0) ack 552730404 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 582477747 35611940> (DF)

On both ping and lynx, the client hangs. It doesn't report any problems (other than
timeout). It just hangs. Also, tcpdump reports packets as being received by 'filter',
and reports 0 packets dropped by kernel.

What's interesting to me is that in both cases it looks like the connection is 
being made. Since the gateway is referring to xx.yy.zz.186, which is my alias in 
natd.conf for the client, it looks like natd is working to some extent -- the 
client's NIC is configured only as 10.0.0.13 and so the only reason the gateway 
would be using 66.139.244.186 would be because natd said so. However, it almost seems
like the gateway can't go in the other direction, like it has no idea that 
packets destined for 66.139.244.186 should be directed to 10.0.0.13. This, even
though it knows to rewrite packets coming *from* 10.0.0.13 as having come
from 66.139.244.186.

One other data point: my gateway can ping the client's internal IP, but not
its external IP.

Does this sound familiar to anyone? I'm hopeful that it's something small.

Thank you,
T.B.
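
The post above diagnoses by capturing only on the gateway's outside interface, which shows the reply arriving but says nothing about whether natd translated it back and the kernel forwarded it out the inside interface. The script below is an added example, not part of the original message or of FreeBSD's natd: it pairs a capture taken on the external interface with one taken on the internal interface and reports, per flow, where the packet trail stops. The external sample lines are the ones quoted in the post; the internal-side lines are constructed here to model the symptom described (client packets leave, nothing comes back). Address values and the tcpdump 3.x text layout are taken from the post; the function and variable names are the example's own.

```python
import re

# Sample captures. EXTERNAL_CAPTURE reproduces the lines quoted in the post
# (outside interface). INTERNAL_CAPTURE is constructed for this example: it is
# what the inside interface would show if replies were never translated back,
# i.e. only the client's outbound packets appear.
EXTERNAL_CAPTURE = """\
10:14:39.738942 xx.yy.zz.186 > 151.164.1.8: icmp: echo request
10:14:39.760288 151.164.1.8 > xx.yy.zz.186: icmp: echo reply
10:16:55.827709 xx.yy.zz.186.2559 > 216.109.118.64.http: S 552730403:552730403(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 35611940 0> (DF)
10:16:55.920315 216.109.118.64.http > xx.yy.zz.186.2559: S 2144501521:2144501521(0) ack 552730404 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 582477747 35611940> (DF)
"""
INTERNAL_CAPTURE = """\
10:14:39.738801 10.0.0.13 > 151.164.1.8: icmp: echo request
10:16:55.827602 10.0.0.13.2559 > 216.109.118.64.http: S 552730403:552730403(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 35611940 0> (DF)
"""

# tcpdump 3.x text line: "<timestamp> <src> > <dst>: <rest>"
LINE_RE = re.compile(r"^(?P<ts>[\d:.]+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")


def split_endpoint(ep):
    """'1.2.3.4.http' -> ('1.2.3.4', 'http'); bare '1.2.3.4' -> ('1.2.3.4', None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return ep, None


def parse_packet(line):
    """Return (src_host, src_port, dst_host, dst_port, proto) or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    proto = "icmp" if m.group("rest").startswith("icmp:") else "tcp"
    return src, sport, dst, dport, proto


def flows(capture, local_host):
    """Map (proto, remote_host, remote_port, local_port) -> {'out': bool, 'reply': bool}
    for every packet on this interface that involves local_host."""
    seen = {}
    for line in capture.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, sport, dst, dport, proto = pkt
        if src == local_host:
            key, direction = (proto, dst, dport, sport), "out"
        elif dst == local_host:
            key, direction = (proto, src, sport, dport), "reply"
        else:
            continue
        seen.setdefault(key, {"out": False, "reply": False})[direction] = True
    return seen


def diagnose(external, internal, public_ip, internal_ip):
    """Correlate the two captures. The same flow is seen under public_ip on the
    outside and under internal_ip on the inside; the verdict says at which hop
    the round trip stopped."""
    ext = flows(external, public_ip)
    inn = flows(internal, internal_ip)
    empty = {"out": False, "reply": False}
    report = {}
    for key in sorted(set(ext) | set(inn), key=str):
        e, i = ext.get(key, empty), inn.get(key, empty)
        if i["reply"]:
            verdict = "ok: reply translated and forwarded to internal host"
        elif e["reply"]:
            verdict = "reply reached gateway but was never forwarded to internal host"
        elif e["out"]:
            verdict = "no reply from remote host"
        elif i["out"]:
            verdict = "client packet never appeared on the external interface"
        else:
            verdict = "unexpected"
        report[key] = verdict
    return report


if __name__ == "__main__":
    for flow, verdict in diagnose(EXTERNAL_CAPTURE, INTERNAL_CAPTURE,
                                  "xx.yy.zz.186", "10.0.0.13").items():
        print(flow, "->", verdict)
```

To gather real input, run `tcpdump -n -i xl0 host xx.yy.zz.186` and `tcpdump -n -i ed0 host 10.0.0.13` on the gateway at the same time and feed the two outputs to `diagnose()`; the verdict separates "natd never saw the reply" (no reply on the outside) from "the reply reached the gateway but was not translated or forwarded" (reply outside, nothing inside), which is the distinction the single outside capture in the post cannot make.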





More information about the freebsd-questions mailing list