Re: natd problem -- pass specific IP to internal machine
Date: Fri, 14 Feb 2025 08:43:43 UTC
On 13/02/2025 17:03, Gary Aitken wrote:
> On 2/12/25 05:42, Frank Leonhardt wrote:
>> On 09/02/2025 17:28, Gary Aitken wrote:
>>> my natd has been translating fine using:
>>>
>>> interface xl0
>>> use_sockets yes
>>> same_ports yes
>>> unregistered_only yes
>>>
>>> However, I am having an issue with a particular internal system
>>> (solar inverter) and I would like to be able to tcpdump it on the
>>> external interface.
>>>
>> As no one experienced with natd has replied, an observation: After a
>> decade or more of struggling with ipfw+natd, because it was the
>> "FreeBSD" solution, I discovered PF and have never looked back.
>>
> Thanks, will think about moving to PF on my next major upgrade.
> I think I started that a while ago but it got pushed aside.
>
> I was about to post that I finally found the issue; I had limited ICMP to
> specific types quite a while ago and had mistakenly left off type 0, echo reply.
> The old inverter I was replacing didn't use ICMP, but the new one probes
> 8.8.8.8 (google) as a crude mechanism to determine if the "internet" is
> connected. Getting no reply, it assumed the internet was unavailable and
> wouldn't even attempt to communicate, even though it could ping its gateway
> just fine. Bad design. Most of my testing was from the internal network;
> ipfw wasn't involved in those so everything appeared to work; and pinging
> *from* an external system also worked. Once I realized the 8.8.8.8 response
> was arriving but not being passed on I could track it down.

Thanks for the update - another pooh trap for us all to avoid!

It may be just me, but I was surprised at how easy it was to switch to PF as it makes sense in a way that IPFW didn't. That said I'm still using sendmail, which I know is a complete PITA but I guess I've just invested too much time in it to start again. Everyone tells me postfix is the way to go :-)
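Added example, not from this thread or either poster's configuration: a small Python check over an `ipfw list`-style listing that flags the pitfall Gary describes, echo request (type 8) allowed outbound while the reply types a probe depends on are left off. The ruleset text, rule numbers and divert port are constructed for the example; only the interface name xl0 comes from the thread.

```python
import re

# Constructed "ipfw list" output (not the poster's real ruleset).
# The first listing reproduces the mistake from the thread: ICMP is limited
# to specific types and type 0 (echo reply) was left off, so replies to the
# inverter's probes of 8.8.8.8 reach xl0 but are dropped before natd can
# hand them back to the internal host.
RULESET_BEFORE = """\
00100 allow icmp from any to any icmptypes 3,8,11
00200 divert 8668 ip from any to any via xl0
65535 deny ip from any to any
"""
# The corrected listing admits echo reply as well.
RULESET_AFTER = RULESET_BEFORE.replace("icmptypes 3,8,11", "icmptypes 0,3,8,11")

ICMP_ALLOW = re.compile(
    r"^\d+\s+(?:allow|pass|accept|permit)\s+icmp\s(?P<rest>.*)$", re.IGNORECASE
)
ICMPTYPES = re.compile(r"icmptypes\s+(?P<types>[\d,]+)", re.IGNORECASE)

# Reply types an outbound probe depends on: 0 = echo reply,
# 3 = destination unreachable, 11 = time exceeded.
REQUIRED_REPLIES = {0: "echo reply", 3: "destination unreachable", 11: "time exceeded"}


def allowed_icmp_types(ruleset):
    """Union of icmptypes over every allow-icmp rule in the listing.
    Returns None when some allow-icmp rule has no icmptypes clause,
    i.e. every ICMP type is admitted."""
    allowed = set()
    for line in ruleset.splitlines():
        m = ICMP_ALLOW.match(line.strip())
        if not m:
            continue
        t = ICMPTYPES.search(m.group("rest"))
        if t is None:
            return None
        allowed.update(int(x) for x in t.group("types").split(","))
    return allowed


def missing_reply_types(ruleset):
    """Names of reply types still blocked although echo request (8) is allowed.
    Returns [] when the ruleset is consistent or never admits echo request."""
    allowed = allowed_icmp_types(ruleset)
    if allowed is None or 8 not in allowed:
        return []
    return [name for t, name in REQUIRED_REPLIES.items() if t not in allowed]


if __name__ == "__main__":
    for label, rs in (("before", RULESET_BEFORE), ("after", RULESET_AFTER)):
        print(label, missing_reply_types(rs) or "ok")
```

The same check applies to any ruleset that lists ICMP types explicitly: a NAT'd host's ping can only complete if the reply type is admitted on the external interface as well as the request.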