how to debug non-working hole in nat
Randy Bush
randy at psg.com
Tue Jan 3 06:40:12 UTC 2012
FreeBSD gate0.psg.com 8.2-STABLE FreeBSD 8.2-STABLE #8: Sat Dec 24 13:39:45 GMT 2011 root at gate0.psg.com:/usr/obj/usr/src/sys/GATE0 i386
i have a working natd setup and am trying to punch a hole in it for ssh
to an internal host.
           .------------------------------.
           |                              |
           |                     b --wlan0|
           |                     r        |  192.168.0.0/24
WAN IIJ    |                     i --- vr1|  LAN hosts,
PPP/NAT ---|vr0[PPPoE][ppp]tun0--d        |  DHCP Clients
           |                     g --- vr2|  ...
           |                     e        |
           |                     0 --- vr3|
           |                              |
           `------------------------------'
i am trying to do it all in /etc/rc.conf, though i am not wedded to
doing so. i will append the tasty bits.
when trying to ssh in from outside, i get
% ssh -p 60022 gate0
< long pause >
ssh: connect to host gate0.psg.com port 60022: No route to host
i have no problem sshing to the target host from within the LAN
% ssh 192.168.0.34
Last login: Tue Jan 3 06:16:07 2012 from 192.168.0.1
tcpdump of bridge0 of the gateway shows nothing except the target host
polling dropbox.com occasionally. /etc/ipfw.rules is quite bland, and
the rest of the 15 machines on the LAN have no complaints.
flush
add deny log all from any to any ipoptions ssrr,lsrr,rr
add pass all from any to any via lo0
add deny log all from 127.0.0.0/8 to any
add deny log all from any to 127.0.0.0/8
add divert natd all from any to any via bridge0
add deny tcp from any to me smtp
add 65530 pass all from any to any
any clues on how i debug?
randy
---
hostname=gate0.psg.com
firewall_enable=YES
firewall_type=/etc/ipfw.rules
firewall_quiet=YES
firewall_logging=YES
ppp_enable=YES
ppp_mode=dedicated
ppp_profile=iij
wlans_ath0="wlan0 wlan1"
create_args_wlan0="wlanmode ap mode 11g channel 11 up"
cloned_interfaces=bridge0
ifconfig_bridge0="192.168.0.1 addm vr1 addm vr2 addm vr3 addm wlan0 addm wlan1 up"
ifconfig_vr1=up
ifconfig_vr2=up
ifconfig_vr3=up
hostapd_enable=YES
natd_enable=YES
natd_interface=bridge0
natd_flags="-redirect_port tcp 192.168.0.34:22 60022"
gateway_enable=YES
-30-