List: ipfilter
Subject: IPNAT random dysfunction on Solaris 10 box
From: Benjamin Duclos <b.duclos () clipack ! com>
Date: 2006-10-04 16:36:23
Message-ID: 4523E307.5060003 () clipack ! com
Hi list,
I have a problem with the NAT configuration on my NAT/Firewall gateway.
*** My network architecture looks like this:

 -----------------|      ----------------------------------
 192.168.0.128/25 | ==>  192.168.0.1/32 | 82.127.75.77/32   ==> Internet
 -----------------|      ----------------------------------
       LAN          hme0   NAT/Firewall gateway      sppp0
    [NETWORK]                     [HOST]                     [NETWORK]
*** Environment description :
- uname -a : SunOS luinil 5.10 Generic sun4u sparc SUNW,UltraSPARC-IIi-cEngine
- isainfo -vk : 64-bit sparcv9 kernel modules
- ipf -V :
ipf: IP Filter: v4.0.2 (592)
Kernel: IP Filter: v4.0.2
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
*** Custom configuration :
My /etc/ipnat.conf looks like this :
# Make NAT for internal non-routable network to external public IP provided by ISP
map sppp0 192.168.0.0/25 -> 82.127.75.77/32 portmap tcp/udp auto
map sppp0 192.168.0.128/25 -> 82.127.75.77/32 portmap tcp/udp auto
# Make NAT for external access to LAN for FTP and HTTP Web services
rdr sppp0 82.127.75.77/32 port 21 -> 192.168.0.3 port 21
rdr sppp0 82.127.75.77/32 port 80 -> 192.168.0.2 port 80
rdr sppp0 82.127.75.77/32 port 443 -> 192.168.0.2 port 443
*** Two examples :
To make these tests representative I have bypassed the internal gateway, so
all LAN hosts have the NAT/Firewall gateway as their default gateway.
- I connect to a public website (site0) on the Internet successfully while
another host from the same subnet can't. I have captured some packets
with the snoop utility and I note that the IP source of the packets on the
external network (hme1) interface is the internal IP source of the host
instead of the public IP provided by the ISP. That's why I think this
problem comes from IPNAT. I have checked that IPFilter hasn't dropped
packets, but I haven't anything in the IPFilter logs and, with snoop, I can
see the packets on the hme1 interface.
- In the same way, we share a public web site accessible from the
Internet. All works fine until the customers get this error in their
browser: "The requested URL could not be retrieved".
Probably these two behaviours are linked?
*** Possibilities:
- Perhaps a problem with the portmap tcp/udp auto directive?
- Is it better to specify a port range 1025:65536 than auto?
- Has anybody already encountered this problem?
To know: these problems occur in a random way and are not regular.
Thanks in advance for all your replies.
B.Duclos [ClipackCo
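The symptom in the mail is an internal (RFC 1918) source address showing up on the external interface, i.e. a map rule that exists but was not applied. The Python script below is an added example, not part of the original post and not IP Filter code: it parses the map/rdr rules quoted in the mail (only the subset of ipnat syntax used there), works out which source address a map rule should have produced for a given internal host, and runs that check over a constructed list of packets standing in for what snoop would show leaving the external interface, separating "rule exists but was not applied" from "no rule covers this source". It assumes ipnat applies the first matching map rule; the packet list, the 198.51.100.x destinations and the 10.1.1.9 host are constructed and are not from the mail.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the map/rdr rules quoted in the post (assumption: the
# IP Filter 4.0.2 ipnat.conf syntax shown there).
IPNAT_CONF = """
# Make NAT for internal non-routable network to external public IP
map sppp0 192.168.0.0/25 -> 82.127.75.77/32 portmap tcp/udp auto
map sppp0 192.168.0.128/25 -> 82.127.75.77/32 portmap tcp/udp auto
# Make NAT for external access to LAN for FTP and HTTP Web services
rdr sppp0 82.127.75.77/32 port 21 -> 192.168.0.3 port 21
rdr sppp0 82.127.75.77/32 port 80 -> 192.168.0.2 port 80
rdr sppp0 82.127.75.77/32 port 443 -> 192.168.0.2 port 443
"""


@dataclass
class MapRule:
    iface: str
    internal: ipaddress.IPv4Network
    external: ipaddress.IPv4Network
    portmap: Optional[str]  # "auto", a "low:high" range, or None if absent


@dataclass
class RdrRule:
    iface: str
    external: ipaddress.IPv4Network
    ext_port: int
    internal: ipaddress.IPv4Address
    int_port: int


MAP_RE = re.compile(
    r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(?:\s+portmap\s+(tcp|udp|tcp/udp)\s+(\S+))?$"
)
RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)(?:\s+(tcp|udp|tcp/udp))?$"
)


def parse_ipnat(text: str) -> Tuple[List[MapRule], List[RdrRule]]:
    """Parse the map/rdr subset of ipnat.conf used in the post; comments and
    blank lines are skipped, anything else is rejected rather than guessed."""
    maps, rdrs = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if m:
            maps.append(MapRule(m.group(1), ipaddress.ip_network(m.group(2)),
                                ipaddress.ip_network(m.group(3)), m.group(5)))
            continue
        m = RDR_RE.match(line)
        if m:
            ext = m.group(2) if "/" in m.group(2) else m.group(2) + "/32"
            rdrs.append(RdrRule(m.group(1), ipaddress.ip_network(ext), int(m.group(3)),
                                ipaddress.ip_address(m.group(4)), int(m.group(5))))
            continue
        raise ValueError(f"unsupported ipnat line: {line!r}")
    return maps, rdrs


def first_map(maps: List[MapRule], iface: str, src: ipaddress.IPv4Address) -> Optional[MapRule]:
    # Assumption: ipnat evaluates map rules in file order and uses the first match.
    for r in maps:
        if r.iface == iface and src in r.internal:
            return r
    return None


def expected_source(maps: List[MapRule], iface: str, src: str) -> Optional[ipaddress.IPv4Address]:
    """Source address an outbound packet from `src` should carry after NAT on
    `iface`, or None when no map rule covers it."""
    r = first_map(maps, iface, ipaddress.ip_address(src))
    return r.external.network_address if r else None


def inbound_target(rdrs: List[RdrRule], iface: str, dst: str, dport: int) -> Optional[ipaddress.IPv4Address]:
    """Internal host an inbound connection to dst:dport should be redirected to."""
    d = ipaddress.ip_address(dst)
    for r in rdrs:
        if r.iface == iface and d in r.external and r.ext_port == dport:
            return r.internal
    return None


def audit_external_capture(maps: List[MapRule], ext_iface: str,
                           packets: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str, str]]:
    """packets: (src, dst, proto, dport) as seen leaving ext_iface (what snoop
    on that interface shows). Returns (src, dst, reason) for every source that
    should not appear untranslated on the outside."""
    leaks = []
    for src, dst, proto, dport in packets:
        s = ipaddress.ip_address(src)
        rule = first_map(maps, ext_iface, s)
        if rule is not None:
            leaks.append((src, dst, f"map rule for {rule.internal} not applied; "
                                    f"expected source {rule.external.network_address}"))
        elif s.is_private:
            leaks.append((src, dst, "private source not covered by any map rule"))
    return leaks


# Constructed egress sample (not from the post): one translated packet, two
# untranslated LAN sources, and one private source no map rule covers.
SAMPLE_EGRESS = [
    ("82.127.75.77", "198.51.100.20", "tcp", 80),
    ("192.168.0.130", "198.51.100.20", "tcp", 80),
    ("192.168.0.5", "198.51.100.21", "udp", 53),
    ("10.1.1.9", "198.51.100.22", "tcp", 443),
]

if __name__ == "__main__":
    maps, rdrs = parse_ipnat(IPNAT_CONF)
    for src, dst, reason in audit_external_capture(maps, "sppp0", SAMPLE_EGRESS):
        print(f"LEAK {src} -> {dst}: {reason}")
```

Running this against a real capture means feeding it the source/destination pairs snoop reports on the external interface; every LAN source it lists is a packet that left the box without translation, which is the observation the mail describes.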