IPFW/IPNAT Troubles
Daniel Brown
daniel at pugetsystems.com
Thu Dec 23 17:21:33 PST 2004
Hi,
I am encountering a problem with a machine I just recently set up as a NAT router. I am running 5.3-REL with ipfw and ipf loaded as modules (not compiled in). These are the ipnat rules I have set up:
(I replaced my external IP with 22.22.22.22).
map sis0 192.168.1.0/24 -> 22.22.22.22/32 portmap tcp/udp auto
rdr sis0 22.22.22.22/32 port 80 -> 192.168.1.7 port 80
rdr sis0 22.22.22.22/32 port 443 -> 192.168.1.7 port 443
rdr sis0 22.22.22.22/32 port 143 -> 192.168.1.5 port 143
rdr sis0 22.22.22.22/32 port 110 -> 192.168.1.5 port 110
rdr sis0 22.22.22.22/32 port 25 -> 192.168.1.5 port 25
rdr sis0 22.22.22.22/32 port 22 -> 192.168.1.7 port 22
rdr sis0 22.22.22.22/32 port 53 -> 192.168.1.7 port 53
IPFW is set to allow all.
This works great for everything except for one small problem. Here is what I think describes the problem best. I sit down at an internal workstation (192.168.1.105), and type the things in brackets:
[nslookup]
[server 22.22.22.22]
[www.yahoo.com]
This is the response I get
Server: 22-22-22-22.example.net
Address: 22.22.22.22
*** 22-22-22-22.example.net can't find www.yahoo.com: No response from server
Now, if I query the server 192.168.1.7 with nslookup, it works great, resolves www.yahoo.com for me no problem. So it looks like there is some kind of problem with doing NAT translation to put the LAN's packets on the internet, and then realizing they are for an interface on the machine doing the NAT translation, then doing a port forward on that packet back into the LAN.
Here is some more information that might help: traffic from the outside, to 22.22.22.22 port 80, is directed to 192.168.1.7 port 80 just fine. People are browsing the web site as we speak. Same with the other port redirects, as far as I can tell. It's only when trying to redirect traffic that originated inside the LAN that the problem comes up. What I've done to partially resolve this issue for now is I've set up HOSTS files on the LAN so that we can access our own web site (so ourwebsite.com is 192.168.1.7 in our local HOSTS files).
Anyone have suggestions?
Thanks,
Dan
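The symptom described in the post is the classic "hairpin" (NAT reflection) case: the rdr rules are bound to sis0, so a LAN client's packet addressed to 22.22.22.22 arrives on the internal interface, matches nothing, and is handed to the router itself. The ipnat fragment below is an added example, not the poster's configuration; it assumes the router's internal interface is named xl0 and has the address 192.168.1.1 (both assumed), and it uses the map/rdr syntax from ipnat(5).

```conf
# Added example (not from the original post). Assumed: internal interface
# xl0, router LAN address 192.168.1.1. The poster's existing sis0 rules
# stay as they are; these are added alongside them.
#
# 1. Redirect on the INTERNAL interface too, so a LAN client that addresses
#    the public IP is sent to the internal server instead of to the router.
#    rdr matches only TCP unless a protocol is given, so the DNS rule needs
#    tcp/udp (nslookup queries over UDP).
rdr xl0 22.22.22.22/32 port 80  -> 192.168.1.7 port 80
rdr xl0 22.22.22.22/32 port 443 -> 192.168.1.7 port 443
rdr xl0 22.22.22.22/32 port 22  -> 192.168.1.7 port 22
rdr xl0 22.22.22.22/32 port 53  -> 192.168.1.7 port 53 tcp/udp
rdr xl0 22.22.22.22/32 port 25  -> 192.168.1.5 port 25
rdr xl0 22.22.22.22/32 port 110 -> 192.168.1.5 port 110
rdr xl0 22.22.22.22/32 port 143 -> 192.168.1.5 port 143
#
# 2. Rewrite the source of LAN traffic that leaves via xl0 (the redirected
#    packets) to the router's own LAN address. Without this, 192.168.1.7
#    would answer the client directly; the client would see a reply from
#    192.168.1.7 rather than from 22.22.22.22 and discard it. With it, the
#    reply returns through the router, which reverses both translations.
map xl0 192.168.1.0/24 -> 192.168.1.1/32 portmap tcp/udp auto
```

Load the rules with `ipnat -CF -f /etc/ipnat.rules` and check the result with `ipnat -l`; the redirected session should then appear in the active table when an internal host queries 22.22.22.22.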
More information about the freebsd-questions mailing list