NAT problem with icmp

Pejman Moghadam d_a_d_a_sh at yahoo.com
Wed Jul 20 05:46:46 GMT 2005


Hi,
Here is a simple explanation:
This is my pf.conf
 
extif="{ ed0 }"
extip="{ (ed0) }"
table <lan> { 192.168.1.0/24 }
nat on $extif from <lan> to any -> $extip
pass all
 
I want to ping from my LAN stations to a public DNS server like 192.9.9.3.
Look at my state table:
 
# pfctl -ss
self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512       0:0
 
Take a look at the ICMP traffic:
 
internal interface:
# tcpdump -c 10 -i dc0 -nq icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
10:00:51.538006 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37394
10:00:51.671439 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43538
10:00:52.199114 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37650
10:00:52.538007 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37650
10:00:52.672876 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43794
10:00:53.210683 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37906
10:00:53.554918 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37906
10:00:53.674441 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 44050
10:00:54.212218 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 38162
10:00:54.551131 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 38162
10 packets captured
26 packets received by filter
0 packets dropped by kernel
 
external interface:
# tcpdump -c 10 -i ed0 -nq icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ed0, link-type EN10MB (Ethernet), capture size 96 bytes
10:02:42.839665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6419
10:02:42.909906 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 275
10:02:43.248794 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 275
10:02:43.841123 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6675
10:02:43.921558 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 531
10:02:44.263806 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 531
10:02:44.842665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6931
10:02:44.923035 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 787
10:02:45.262390 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 787
10:02:45.844227 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 7187
10 packets captured
12 packets received by filter
0 packets dropped by kernel
 
The problem is:
I can ping 192.9.9.3 from only one of my stations (192.168.1.18).
Other stations show "Request timed out."
So... is there any problem with NATing ICMP packets in pf?
Or is this just my mistake in pf.conf?
 
Thanks in advance
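A small check that can be run over the external-interface capture shown above, as an added example that is not part of the original post: it parses the `tcpdump -nq icmp` lines and flags echo requests leaving the outside interface with a private (RFC 1918) source, which is what untranslated traffic from 192.168.1.19 looks like, and counts echo requests per source that never received a reply. The sample lines are constructed to match the format of the capture above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, same format as the external-interface capture above.
SAMPLE_EXT_CAPTURE = """\
10:02:42.839665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6419
10:02:42.909906 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 275
10:02:43.248794 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 275
10:02:43.841123 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6675
"""

# Matches one 'tcpdump -nq icmp' echo request/reply line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp \d+: "
    r"echo (?P<kind>request|reply) seq (?P<seq>\d+)$"
)

def parse_tcpdump_icmp(text):
    """Yield one dict per echo line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {k: m.group(k) for k in ("ts", "src", "dst", "kind", "seq")}

def find_nat_leaks(text):
    """Count echo requests per private source address seen on the external
    interface; after a working 'nat on' rule this should be empty."""
    leaks = Counter()
    for pkt in parse_tcpdump_icmp(text):
        if pkt["kind"] == "request" and ipaddress.ip_address(pkt["src"]).is_private:
            leaks[pkt["src"]] += 1
    return dict(leaks)

def unanswered_requests(text):
    """Map each echo-request source to the number of sequence numbers that
    never saw a reply addressed back to it (keyed on dst + seq)."""
    requests = set()
    answered = set()
    for pkt in parse_tcpdump_icmp(text):
        if pkt["kind"] == "request":
            requests.add((pkt["src"], pkt["seq"]))
        else:
            answered.add((pkt["dst"], pkt["seq"]))
    counts = Counter(src for src, seq in requests if (src, seq) not in answered)
    return dict(counts)
```

Feed it the real capture with `find_nat_leaks(open("ed0.txt").read())`; any private source listed is traffic that bypassed the NAT rule.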



