NAT works but port forwarding does not

Zeno Lee zeno_lee at hotmail.com
Tue Dec 14 14:15:01 PST 2004 

Yes I can reach the web server via the gateway I did a simple telnet to port 
80 and did a GET on index.html.

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::211:43ff:fecd:19d6%em0 prefixlen 64 scopeid 0x1
        inet 160.79.174.98 netmask 0xfffffff8 broadcast 160.79.174.103
        ether 00:11:43:cd:19:d6
        media: Ethernet autoselect (100baseTX <half-duplex>)
        status: active

em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::211:43ff:fecd:19d7%em1 prefixlen 64 scopeid 0x2
        inet 192.168.1.55 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:11:43:cd:19:d7
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active



tcpdump of em0 (external interface) during a web request:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
17:07:02.077447 IP user-0cdfece.cable.mindspring.com.4220 > 
pbx.streetsolutions.com.http: S 1534882456:1534882456(0) win 65535 <mss 
1460,nop,nop,sackOK>
17:07:02.077474 IP pbx.streetsolutions.com.http > 
user-0cdfece.cable.mindspring.com.4220: R 0:0(0) ack 1534882457 win 0
17:07:02.461973 IP user-0cdfece.cable.mindspring.com.4220 > 
pbx.streetsolutions.com.http: S 1534882456:1534882456(0) win 65535 <mss 
1460,nop,nop,sackOK>
17:07:02.461988 IP pbx.streetsolutions.com.http > 
user-0cdfece.cable.mindspring.com.4220: R 0:0(0) ack 1 win 0
17:07:02.889477 IP pbx.streetsolutions.com.63430 > 
ns1.east.us.intellispace.net.domain:  61596+ PTR? 
142.185.215.24.in-addr.arpa. (45)
17:07:02.900474 IP ns1.east.us.intellispace.net.domain > 
pbx.streetsolutions.com.63430:  61596 1/7/8 (383)
17:07:03.032150 IP user-0cdfece.cable.mindspring.com.4220 > 
pbx.streetsolutions.com.http: S 1534882456:1534882456(0) win 65535 <mss 
1460,nop,nop,sackOK>
17:07:03.032168 IP pbx.streetsolutions.com.http > 
user-0cdfece.cable.mindspring.com.4220: R 0:0(0) ack 1 win 0
17:07:03.898931 IP pbx.streetsolutions.com.54055 > 
ns1.east.us.intellispace.net.domain:  61597+ PTR? 130.6.79.160.in-addr.arpa. 
(43)
17:07:03.902284 IP ns1.east.us.intellispace.net.domain > 
pbx.streetsolutions.com.54055:  61597* 1/1/1 (119)

tcpdump of em1 during a web request shows no visible traffic between em0 and 
em1


----- Original Message ----- 
From: "Claudiu Dragalina-Paraipan" <dr.clau at gmail.com>
To: <freebsd-pf at freebsd.org>
Cc: <zeno_lee at hotmail.com>
Sent: Tuesday, December 14, 2004 4:58 PM
Subject: Re: NAT works but port forwarding does not


>I think that NAT would not work either without
> net.inet.ip.forwarding=1, so I assume it is already set to 1.
> Can you access the webserver (192.168.1.54) from the FreeBSD gateway ?
> What are the settings for em1 interface ?
>
>
> On Tue, 14 Dec 2004 16:47:01 -0500, Paul J. Pathiakis
> <pathiaki at pathiaki.com> wrote:
>> Hi,
>>
>>         just getting back into the networking side of things, but did you 
>> turn on packet
>> forwarding? (it should be on if you turned on gateway enable <-I think) 
>> Do a:
>> sysctl -a | grep forward
>> do you get a "1".
>>
>>         I may be way off, but I am trying to help. :-)
>>
>>         P.
>>
>>
>> On Tuesday 14 December 2004 16:34, Zeno Lee wrote:
>> > I am just starting off with PF.  I had it compiled into the kernel in 
>> > 5.3
>> > stable.  I have not setup any rules yet.  I'm just trying to set up NAT 
>> > and
>> > forwarding.
>> >
>> > My network setup
>> >
>> > Internet <----> em0 | FreeBSD | em1 <----->  LAN
>> >
>> >
>> > my pf.conf file only has:
>> >
>> > ext_if="em0"
>> > int_if="em1"
>> > webserver="192.168.1.54"
>> >
>> > nat on $ext_if from $int_if:network to any -> ($ext_if)
>> > rdr on $ext_if from any to any port 80 -> $webserver
>> >
>> >
>> > NAT works, however, I cannot get port forwarding to work.  I am testing 
>> > it
>> > vial a remote  computer on the internet whose packets only come through 
>> > em0.
>> >
>> > Am I missing anything here?
>> > _______________________________________________
>> > freebsd-pf at freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>> >
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>
>
>
> -- 
> Claudiu Dragalina-Paraipan
> e-mail: dr.clau at gmail.com
>

More information about the freebsd-pf mailing list