Re: Natd/router won't work

From: Soeren Straarup (none@xride--x12.dk.lh.bsd-dk.dk)
Date: Wed 28 May 2003 - 00:32:22 CEST

To: bsd-dk@bsd-dk.dk

On Tue, 27 May 2003, Morten Kjaer Nielsen wrote:

> Hi!
>
> This is, I believe, my first post on the list; I have enjoyed the many good
> tips and discussions I have read so far, nice for a newbie like me :-)
>
> I have now run into a problem that so far seems strange to me, and have
> to resort to asking for good advice.
>
> I have a setup that looks like this...
>
> WAN|router|192.168.1.1 < -- > 192.168.1.6 vr0 |FBSD| dc0 172.16.0.1
> < -X-> 172.16.0.10|win98 machine that has to get on the net via FBSD|
>
> When I ping from the Windows 98 machine out to the world, I get no reply
> back on the win98 machine, and I would like to, so I can get it
> online :-)
>
> Does anyone have advice on what could be preventing it from getting a reply?
>
> rc.conf:
> network_interfaces="vr0 dc0 lo0"
> ifconfig_lo0="inet 127.0.0.1"
> ifconfig_vr0="inet 192.168.1.250 netmask 255.255.255.0"

What is the "external" IP on your FreeBSD box? .6 or .250?

> defaultrouter="192.168.1.1"
> hostname="gateway"
> ifconfig_dc0="inet 172.16.0.1 netmask 255.255.255.0"
>
> gateway_enable="YES"
> firewall_enable="YES"
> natd_enable="YES"
> natd_interface="vr0"
> natd_flags="-f /etc/natd.conf"
>
> natd.conf
> log yes
> deny_incoming no
> port 8668
> use_sockets yes
> same_ports yes
> unregistered_only yes
> redirect_port tcp 172.16.0.10:143 143
> redirect_port tcp 192.168.1.177:1000 1000
> redirect_port tcp 192.168.1.177:1001 1001
>
> ipfw
> 00100 check-state
> 00200 count ip from any to any via dc0
> 00300 count ip from any to any via vr0
> 00400 allow tcp from any to any established
> 09000 divert 8668 ip from any to any via vr0
> 09100 allow icmp from any to any
> 30000 allow tcp from any to me 25,80,110 setup
> 50100 allow tcp from me to any setup
> 50200 allow udp from me to any keep-state
> 50300 allow icmp from me to any
> 50400 allow ip from me to any
> 55000 allow tcp from 192.168.1.0/24 to any setup
> 55100 allow udp from 192.168.1.0/24 to any keep-state
> 55300 allow tcp from 172.16.0.0/24 to any setup
> 55400 allow udp from 172.16.0.0/24 to any keep-state
> 55500 allow icmp from 172.16.0.0/24 to any
> 55600 allow icmp from 172.16.0.0/24 to any
> 55700 allow ip from 172.16.0.0/24 to any
> 55800 allow ip from 192.168.1.0/24 to any
> 60000 deny log logamount 100 ip from any to any
> 65535 allow ip from any to any

To me it would be more interesting to see an 'ipfw show', since it also
shows the number of packets that have hit a rule.

>
> tcpdump on vr0 when I ping:
> 22:13:53.074783 192.168.1.250 > 212.54.64.170: icmp: echo request
> 22:13:53.108653 212.54.64.170 > 192.168.1.250: icmp: echo reply
> 22:13:54.575934 192.168.1.250 > 212.54.64.170: icmp: echo request
> 22:13:54.609831 212.54.64.170 > 192.168.1.250: icmp: echo reply
> 22:13:56.075860 192.168.1.250 > 212.54.64.170: icmp: echo request
> 22:13:56.109779 212.54.64.170 > 192.168.1.250: icmp: echo reply
> 22:13:57.574948 192.168.1.250 > 212.54.64.170: icmp: echo request
> 22:13:57.608872 212.54.64.170 > 192.168.1.250: icmp: echo reply
> 22:13:59.074225 192.168.1.250 > 212.54.64.170: icmp: echo request
> 22:13:59.107091 212.54.64.170 > 192.168.1.250: icmp: echo reply
>
> tcpdump on dc0 when I ping:
> 22:14:11.074724 172.16.0.10 > 212.54.64.170: icmp: echo request
> 22:14:11.109120 212.54.64.170 > 172.16.0.10: icmp: echo reply
> 22:14:12.574747 172.16.0.10 > 212.54.64.170: icmp: echo request
> 22:14:12.613597 212.54.64.170 > 172.16.0.10: icmp: echo reply
> 22:14:14.073678 172.16.0.10 > 212.54.64.170: icmp: echo request
> 22:14:14.107761 212.54.64.170 > 172.16.0.10: icmp: echo reply
> 22:14:15.573141 172.16.0.10 > 212.54.64.170: icmp: echo request
> 22:14:15.607773 212.54.64.170 > 172.16.0.10: icmp: echo reply
> 22:14:17.072959 172.16.0.10 > 212.54.64.170: icmp: echo request
> 22:14:17.105496 212.54.64.170 > 172.16.0.10: icmp: echo reply
>
> excerpt from the natd log
> May 27 22:47:45 gw /kernel: ipfw: 9100 Accept ICMP:0.0 212.54.64.170 172.16.0.10 out via dc0
> May 27 22:47:46 gw /kernel: ipfw: 9100 Accept ICMP:8.0 172.16.0.10 212.54.64.170 in via dc0
> May 27 22:47:46 gw /kernel: ipfw: 9100 Accept ICMP:8.0 192.168.1.250 212.54.64.170 out via vr0
> May 27 22:47:46 gw /kernel: ipfw: 9100 Accept ICMP:0.0 212.54.64.170 172.16.0.10 in via vr0
> May 27 22:47:46 gw /kernel: ipfw: 9100 Accept ICMP:0.0 212.54.64.170 172.16.0.10 out via dc0
>
> netstat -rn
> 23:14:06 root@gw2pc /var/log# netstat -rn
> Routing tables
>
> Internet:
> Destination Gateway Flags Refs Use Netif Expire
> default 192.168.1.1 UGSc 1 6046 vr0
> 127.0.0.1 127.0.0.1 UH 0 0 lo0
> 172.16/24 link#1 UC 1 0 dc0
> 172.16.0.10 00:80:ad:b6:5e:e5 UHLW 1 2601 dc0 1047
> 192.168.1 link#2 UC 3 0 vr0
> 192.168.1.1 00:20:6f:17:57:78 UHLW 1 0 vr0 692
> 192.168.1.177 00:50:ba:ea:29:b0 UHLW 1 9318 vr0 1096
> 192.168.1.255 ff:ff:ff:ff:ff:ff UHLWb 0 20 vr0
>
> ifconfig:
> 23:14:39 root@gw2pc /var/log# ifconfig
> dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
> ether 00:08:a1:28:3c:55
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> inet 192.168.1.250 netmask 0xffffff00 broadcast 192.168.1.255
> ether 00:0a:e6:41:ef:46
> media: Ethernet autoselect (10baseT/UTP)
> status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
>
> well..?
>
>
> --
> Cheers
> Morten, the duck is loose... http://vWv.gummiand.dk/
>
>

Regards, Søren

Freshly baked dad.
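An added example, not part of either message in the thread: a small Python parser for the ipfw kernel log lines quoted in the natd log excerpt, giving per-rule hit counts (the same view Søren asks for with 'ipfw show'), the flows that hit a Deny rule, and a check that each echo request entering on the LAN interface got its reply back out on that interface. The log layout is assumed from the excerpt, and the sample lines are constructed in that format.

```python
import re
from collections import Counter

# Assumed ipfw log layout, taken from the excerpt in the thread:
# "<timestamp> <host> /kernel: ipfw: <rule> <action> <PROTO>[:type.code] <src> <dst> <in|out> via <if>"
# TCP/UDP lines carry "addr:port" in src/dst; ICMP lines carry "type.code" after the protocol.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>[A-Z]+)(?::(?P<type>\d+)\.(?P<code>\d+))? "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample log: the ping round trip from the thread (LAN host 172.16.0.10 NATed to
# 192.168.1.250 on vr0) plus one constructed hit on the final "deny log" rule 60000.
SAMPLE_LOG = """\
May 27 22:47:46 gw /kernel: ipfw: 9100 Accept ICMP:8.0 172.16.0.10 212.54.64.170 in via dc0
May 27 22:47:46 gw /kernel: ipfw: 9100 Accept ICMP:8.0 192.168.1.250 212.54.64.170 out via vr0
May 27 22:47:46 gw /kernel: ipfw: 9100 Accept ICMP:0.0 212.54.64.170 172.16.0.10 in via vr0
May 27 22:47:46 gw /kernel: ipfw: 9100 Accept ICMP:0.0 212.54.64.170 172.16.0.10 out via dc0
May 27 22:47:50 gw /kernel: ipfw: 60000 Deny TCP 10.9.8.7:4444 192.168.1.250:23 in via vr0
"""

def parse(log):
    """Return one dict per ipfw log line; lines that are not ipfw logs are skipped."""
    return [m.groupdict() for m in (LOG_RE.search(line) for line in log.splitlines()) if m]

def hits_per_rule(records):
    """Counter keyed by (rule number, action): which rules the logged packets actually hit."""
    return Counter((int(r["rule"]), r["action"]) for r in records)

def denied_flows(records):
    """Flows that reached a Deny rule: the first place to look when traffic silently disappears."""
    return [(r["proto"], r["src"], r["dst"], r["dir"], r["iface"])
            for r in records if r["action"] == "Deny"]

def echo_round_trips(records, lan_if):
    """For each echo request seen entering on lan_if, was a matching echo reply seen leaving on it?"""
    icmp = [r for r in records if r["proto"] == "ICMP" and r["iface"] == lan_if]
    reqs = {(r["src"], r["dst"]) for r in icmp if r["type"] == "8" and r["dir"] == "in"}
    reps = {(r["dst"], r["src"]) for r in icmp if r["type"] == "0" and r["dir"] == "out"}
    return {f"{src}->{dst}": (src, dst) in reps for src, dst in reqs}
```

Point it at /var/log/security (or wherever syslog puts the ipfw lines) and a round trip reported as False, or an unexpected Deny entry, tells you at which rule and interface the packets stop.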



This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:29 CET