pinging same host on the internet from two different LAN stations

Pejman Moghadam d_a_d_a_sh at yahoo.com
Wed Jul 27 04:59:11 GMT 2005


Melameth, Daniel D. wrote :
> FWIW, while I haven't looked into this in detail, it appears Windows
> clients always use the same ICMP ID--512...

I think this is right, because of this state entry:

self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512       0:0

but I don't have any problem with Windows clients when I use ipfw in FreeBSD or even iptables in
Linux.
Why is the same ICMP ID (512) so important for PF? How can I deal with that?


--- "Melameth, Daniel D." <dmelameth at mba-cpa.com> wrote:

> Daniel Hartmeier wrote:
> > On Tue, Jul 26, 2005 at 05:58:18AM -0700, Pejman Moghadam wrote:
> > > I have one FreeBSD 5.4 router/firewall box in my LAN that do NAT
> > > with PF. 
> > > The problem is I can't ping the same machine on the internet from
> > > two or more different machines on my LAN at the same time. only one
> > > of my LAN clients can ping that target, and pinging that target
> > > from another station is possible only when i stop pinging from
> > > first client.  
> > > Is there any way or any tool that ICMP portmapping allows
> > > simultaneous connections to external targets from multiple machines
> > > from the LAN? 
> > 
> > I don't believe you have actually tried this.
> > 
> > From one workstation (10.1.1.20)
> > 
> >   $ ping 199.185.137.3
> >   64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=218.693 ms
> >   64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=211.615 ms
> >   [...]
> > 
> > At the same time, from another workstation (10.2.2.11)
> > 
> >   $ ping 199.185.137.3
> >   64 bytes from 199.185.137.3: icmp_seq=0 ttl=235 time=195.604 ms
> >   64 bytes from 199.185.137.3: icmp_seq=1 ttl=235 time=194.387 ms
> > 
> > On the gateway which does NAT for both
> > 
> >   # pfctl -ss | grep icmp
> >   kue0 icmp 10.1.1.20:354 -> 62.65.145.30:354 -> 199.185.137.3:354 0:0
> >   kue0 icmp 10.2.2.11:19057 -> 62.65.145.30:19057 -> 199.185.137.3:19057 0:0
> > 
> > What looks like port numbers in the state is the ICMP ID, a number
> > chosen randomly for one ping invocation. pf uses this to dispatch
> > incoming replies from the external host to the appropriate internal
> > host.
> 
> FWIW, while I haven't looked into this in detail, it appears Windows
> clients always use the same ICMP ID--512...
> 
> 
> >echo %os%
> Windows_NT
> 
> >ping 199.185.137.3
> 
> Pinging 199.185.137.3 with 32 bytes of data:
> 
> Reply from 199.185.137.3: bytes=32 time=117ms TTL=242
> Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
> Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
> Reply from 199.185.137.3: bytes=32 time=118ms TTL=242
> 
> 
> # uname -a
> OpenBSD openbsdvm.internal.melameth.com 3.7 GENERIC#50 i386
> 
> # ping -c 5 199.185.137.3
> PING 199.185.137.3 (199.185.137.3): 56 data bytes
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=129.318 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=128.110 ms
> 64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=100.227 ms
> 64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=159.927 ms
> 64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=153.973 ms
> --- 199.185.137.3 ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 100.227/134.311/159.927/21.297 ms
> 
> 
> # uname -a
> OpenBSD mel.internal.melameth.com 3.7 GENERIC#50 i386
> 
> # ping -c 5 199.185.137.3
> PING 199.185.137.3 (199.185.137.3): 56 data bytes
> 64 bytes from 199.185.137.3: icmp_seq=0 ttl=242 time=117.295 ms
> 64 bytes from 199.185.137.3: icmp_seq=1 ttl=242 time=124.281 ms
> 64 bytes from 199.185.137.3: icmp_seq=2 ttl=242 time=115.875 ms
> 64 bytes from 199.185.137.3: icmp_seq=3 ttl=242 time=119.523 ms
> 64 bytes from 199.185.137.3: icmp_seq=4 ttl=242 time=123.472 ms
> --- 199.185.137.3 ping statistics ---
> 5 packets transmitted, 5 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 115.875/120.089/124.281/3.320 ms
> 
> 
> ...and the output from the gateway which reflects the machines above
> respectively:
> 
> $ sudo pfctl -ss | grep icmp
> self icmp 192.168.x.x:512 -> 207.224.x.x:512 -> 199.185.137.3:512 0:0
> self icmp 192.168.x.x:51726 -> 207.224.x.x:51726 -> 199.185.137.3:51726 0:0
> self icmp 192.168.x.x:5903 -> 207.224.x.x:5903 -> 199.185.137.3:5903 0:0
> 
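
A small Python model of the collision Daniel's state output explains, added here as an illustration and not code from pf or from anyone on the thread. It keys ICMP state on (external peer, ICMP ID) the way the pfctl -ss lines suggest, so two LAN hosts that both send ID 512 fight over one slot; the alternative branch, where the gateway allocates its own external ID per LAN host, is an assumed strategy for comparison, not a description of how pf is implemented. Addresses are the ones quoted in the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Echo:
    src: str
    dst: str
    ident: int  # ICMP echo identifier (the "port" column in pfctl -ss)

class IcmpNat:
    """Toy NAT gateway keyed on (external peer, ID seen on the internet).
    rewrite_ids=False forwards the LAN host's ID unchanged; rewrite_ids=True
    allocates a gateway-chosen ID (an assumed strategy, not pf's code)."""

    def __init__(self, ext_addr: str, rewrite_ids: bool) -> None:
        self.ext_addr, self.rewrite_ids = ext_addr, rewrite_ids
        self.states = {}  # (ext peer, ext ID) -> (LAN host, LAN ID)
        self.next_ident = 1

    def outbound(self, pkt: Echo) -> Optional[Echo]:
        """Translate a LAN echo request; None = slot owned by another LAN host."""
        if self.rewrite_ids:
            for key, owner in self.states.items():  # reuse an existing state
                if key[0] == pkt.dst and owner == (pkt.src, pkt.ident):
                    return Echo(self.ext_addr, pkt.dst, key[1])
            ext_ident, self.next_ident = self.next_ident, self.next_ident + 1
        else:
            owner = self.states.get((pkt.dst, pkt.ident))
            if owner is not None and owner != (pkt.src, pkt.ident):
                return None
            ext_ident = pkt.ident
        self.states[(pkt.dst, ext_ident)] = (pkt.src, pkt.ident)
        return Echo(self.ext_addr, pkt.dst, ext_ident)

    def inbound(self, reply: Echo) -> Optional[Echo]:
        """Dispatch an echo reply to the LAN host that owns the state."""
        owner = self.states.get((reply.src, reply.ident))
        return Echo(reply.src, owner[0], owner[1]) if owner else None

def simulate(rewrite_ids: bool) -> list:
    """Two LAN hosts ping one target with the fixed Windows-style ID 512
    (addresses from the thread); returns which hosts got their reply."""
    nat = IcmpNat("62.65.145.30", rewrite_ids)
    got_reply = []
    for host in ("10.1.1.20", "10.2.2.11"):
        out = nat.outbound(Echo(host, "199.185.137.3", 512))
        # The external host answers with the same ID it was sent.
        back = nat.inbound(Echo(out.dst, out.src, out.ident)) if out else None
        got_reply.append(back.dst if back else None)
    return got_reply
```

With rewrite_ids=False only the first host ever sees a reply, matching the symptom in the thread; with rewrite_ids=True both do.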



		
____________________________________________________
Start your day with Yahoo! - make it your home page 
http://www.yahoo.com/r/hs 
 


More information about the freebsd-pf mailing list