Re: natd problem -- pass specific IP to internal machine

From: Gary Aitken <freebsd_at_dreamchaser.org>
Date: Thu, 13 Feb 2025 17:03:47 UTC
On 2/12/25 05:42, Frank Leonhardt wrote:
> On 09/02/2025 17:28, Gary Aitken wrote:
>> my natd has been translating fine using:
>> 
>> interface xl0 use_sockets yes same_ports yes unregistered_only yes
>> 
>> However, I am having an issue with a particular internal system
>> (solar inverter) and I would like to be able to tcpdump it on the
>> external interface.
>> 
> As no one experienced with natd has replied, an observation: After a
> decade or more of struggling with ipfw+natd, because it was the
> "FreeBSD" solution, I discovered PF and have never looked back
> after fifteen years. I just wish someone had told me earlier. The
> FreeBSD documentation gives equal weight to multiple solutions in
> various places and would be better if it said "this is the old
> system that hardly anyone uses" more often, so you knew which to
> pick first.
Thanks, will think about moving to PF on my next major upgrade.
I think I started that a while ago but it got pushed aside.

I was about to post that I finally found the issue; I had limited ICMP to specific
types quite a while ago and had mistakenly left off type 0, echo reply.
The old inverter I was replacing didn't use ICMP, but the new one probes
8.8.8.8 (google) as a crude mechanism to determine if the "internet" is
connected.  Getting no reply, it assumed the internet was unavailable and
wouldn't even attempt to communicate, even though it could ping its gateway
just fine.  Bad design.  Most of my testing was from the internal network;
ipfw wasn't involved in those so everything appeared to work; and pinging
*from* an external system also worked.  Once I realized the 8.8.8.8 response
was arriving but not being passed on I could track it down.

Gary
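The misconfiguration described above, shown as an ipfw+natd rule set, is an added example and not Gary's actual rules (the thread does not list them). It assumes xl0 as the external interface (from the thread) and otherwise constructed values: rule numbers, an internal LAN of 192.168.1.0/24, and an ICMP type list that allows echo request (8) and the common error types but omits echo reply (0), so an internal host's ping to 8.8.8.8 leaves but the reply is dropped before natd can pass it back.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes ipfw + natd on external interface
# xl0; the LAN prefix, rule numbers and ICMP type lists are constructed.
# By default the rules are only printed; run with IPFW=/sbin/ipfw to load them.
IPFW="${IPFW:-echo ipfw}"
EXT=xl0
LAN=192.168.1.0/24

# Broken list: echo request (8), destination unreachable (3) and time
# exceeded (11) pass, but echo reply (0) does not. Outbound pings from the
# LAN leave fine; the replies arriving on xl0 are dropped by the filter.
icmp_types_broken="3,8,11"
# Fixed list: type 0 added so replies to outbound pings are accepted.
icmp_types_fixed="0,3,8,11"

# Reports "yes" if a comma-separated ipfw icmptypes list contains type 0.
# Useful as a quick check against a list copied from `ipfw list` output.
allows_echo_reply() {
    case ",$1," in
        *,0,*) echo yes ;;
        *)     echo no ;;
    esac
}

# Loads a minimal ruleset: divert to natd first, so packets on xl0 are
# translated before the filter rules below see them; then the ICMP rule
# whose icmptypes list is the whole point of the thread.
load_rules() {
    types=$1
    $IPFW -f flush
    $IPFW add 100 divert natd ip from any to any via $EXT
    $IPFW add 200 allow ip from any to any via lo0
    $IPFW add 300 allow tcp from any to any established
    $IPFW add 400 allow ip from any to any out via $EXT
    $IPFW add 500 allow icmp from any to any icmptypes $types
    $IPFW add 65000 deny ip from any to any
}

load_rules "$icmp_types_fixed"
```

With the broken list loaded, `tcpdump -ni xl0 icmp` shows the echo reply from 8.8.8.8 arriving on the external interface while `tcpdump` on the internal interface never shows it forwarded, which is the symptom Gary describes.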