[Bug 283795] [pf] ICMP echo requests from Windows hosts dropped when NAT'ed

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 02 Jan 2025 12:00:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283795

            Bug ID: 283795
           Summary: [pf] ICMP echo requests from Windows hosts dropped
                    when NAT'ed
           Product: Base System
           Version: 14.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: lbm@lbm.dk

When multiple Windows hosts ping the same external host, being NAT'ed through
pf, ICMP echo requests from all other than the first Windows host to initiate
the pinging are dropped.
Windows seems to set the ICMP identifier based on uptime or the like, typically 0,
where others typically use the PID. This is not reproducible in FreeBSD 14.1.

Reproducible with three FreeBSD hosts using nping:

Configuration:

- router

/etc/rc.conf:
ifconfig_em0="DHCP"
ifconfig_em1="inet 10.10.10.1/24"
pf_enable="YES"
gateway_enable="YES"

/etc/pf.conf:
nat on em0 from em1:network to any -> em0

- client1

/etc/rc.conf:
ifconfig_em0="inet 10.10.10.2/24"
defaultrouter="10.10.10.1"

- client2

/etc/rc.conf:
ifconfig_em0="inet 10.10.10.3/24"
defaultrouter="10.10.10.1"

Test:

- On both clients: pkg install nmap
- client1: nping --icmp --icmp-type 8 --icmp-id 0 -c 0 8.8.8.8
- ICMP echo replies are received, keep nping running on client1
- client2: nping --icmp --icmp-type 8 --icmp-id 0 -c 0 8.8.8.8
- ICMP echo replies are NOT received on client2, echo requests dropped by
router
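As an added illustration (not part of the report), a small Python model of a NAT state table keyed on destination and ICMP identifier: without rewriting the identifier, client2's echo request collides with client1's existing state and is dropped, while per-host identifier rewriting lets both flows coexist and demultiplexes the replies. The id pool, addresses and structure are assumptions of this model, not pf's implementation.

```python
# Added example, not from the bug report: a minimal model of a NAT state
# table for ICMP echo. Two inner hosts that both use ICMP id 0 collide when
# the NAT keys state on (dst, external icmp id) without rewriting the id;
# rewriting the id per inner host avoids the collision.

from dataclasses import dataclass, field


@dataclass
class Nat:
    rewrite_ids: bool          # False models the reported (broken) behaviour
    # (dst, external icmp id) -> (inner src, original icmp id)
    states: dict = field(default_factory=dict)
    next_id: int = 1024        # hypothetical pool start for rewritten ids

    def outbound(self, src, dst, icmp_id):
        """Translate an echo request; return the external id or None if dropped."""
        # An existing state for this exact inner flow is reused as-is.
        for (d, ext_id), (s, oid) in self.states.items():
            if d == dst and s == src and oid == icmp_id:
                return ext_id
        ext_id = icmp_id
        if self.rewrite_ids:
            # Pick an id not already in use toward this destination.
            while (dst, ext_id) in self.states:
                ext_id = self.next_id
                self.next_id += 1
        elif (dst, ext_id) in self.states:
            return None        # collides with another host's state: dropped
        self.states[(dst, ext_id)] = (src, icmp_id)
        return ext_id

    def inbound(self, from_addr, icmp_id):
        """Map an echo reply back to (inner src, original id), or None."""
        return self.states.get((from_addr, icmp_id))


if __name__ == "__main__":
    # Constructed scenario mirroring the report: both clients ping 8.8.8.8 with id 0.
    broken = Nat(rewrite_ids=False)
    print(broken.outbound("10.10.10.2", "8.8.8.8", 0))   # 0: client1 gets state
    print(broken.outbound("10.10.10.3", "8.8.8.8", 0))   # None: client2 dropped
    fixed = Nat(rewrite_ids=True)
    print(fixed.outbound("10.10.10.2", "8.8.8.8", 0))    # 0
    print(fixed.outbound("10.10.10.3", "8.8.8.8", 0))    # 1024: rewritten id
    print(fixed.inbound("8.8.8.8", 1024))                # ('10.10.10.3', 0)
```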
