
List:       ipfilter
Subject:    icmp network unreach(able)
From:       Sweet Abby Guenther <abigailsweetashoneygigglelots () gmail ! com>
Date:       2011-02-13 6:37:57
Message-ID: 18147_1297579832_4D577F38_18147_1672_1_AANLkTimiOgp48GF9WpzbWQRx55cC8wwWC_NtxybMVc+R () mail ! gmail ! com

We have a large private network (10.0.0.0/8) to which we need to allow
enterprise users access from (172.16.0.0/12), running on NetBSD 5.x (ipf
v4.1.29).

The public-side NAT IPs are 192.168.100.0/24.

/etc/ipnat.conf has various lines mapping IP subnets of the enterprise to
special IPs thusly:
map bge0 172.16.0.0/16 -> 192.168.1.4/32 portmap tcp auto
map bge0 172.17.0.0/16 -> 192.168.1.5/32 portmap tcp auto
map bge0 172.18.0.0/16 -> 192.168.1.6/32 portmap tcp auto
map bge0 172.19.0.0/16 -> 192.168.1.7/32 portmap tcp auto
etc.

/etc/ipnat.conf also has internal private network IPs mapped one to one
with 192.168.100.0/24 thusly:
map bge1 10.1.2.3/32 -> 192.168.100.7/32 portmap tcp auto
map bge1 10.1.20.4/32 -> 192.168.100.8/32 portmap tcp auto
map bge1 10.1.2.5/32 -> 192.168.100.9/32 portmap tcp auto
map bge1 10.1.34.88/32 -> 192.168.100.10/32 portmap tcp auto
etc.

/etc/ipf.conf allows ports 12000 through 12100 through for all hosts with no port
translation.

My issue is that the NAT is not working even though ipmon shows all the
packets passing without issue.  When I snoop on the internal network I see
messages like "ICMP NETWORK UNREACH".  I also see the connection starting in
"netstat -an" output but hung with a state of "SYN_RCVD".

The internal host has the proper route in "netstat -nr" and knows how to
reach 192.168.1.0/24.

So what am I doing wrong?

I hope this is detailed enough to help y'all.

Thanks, Abby
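The following is an added example, not code from the post or from the IPFilter project. It parses the `map` rules quoted above (re-typed here as a constructed sample; the post's "etc." lines are not reproduced) and answers the two questions a practitioner asks first when NAT "passes but does not translate": for a packet leaving a given interface from a given source address, which `map` rule is the first match (ipnat evaluates `map` rules first-match, in file order, against outbound traffic on the named interface), and which enterprise /16s inside 172.16.0.0/12 have no rule on bge0 at all. The `lookup` and `uncovered` function names, and the choice of /16 as the check granularity, are assumptions for illustration; with the sample as written the twelve uncovered /16s are simply the ones the post elided with "etc."

```python
"""Parse IPFilter ipnat.conf `map` rules and look up the first-match rule
for an outbound packet.  Added example; not from the original post.

Assumptions (labelled): map rules match first-match in file order, per
interface, on the packet's source address; the config below is a
constructed sample built from the rules quoted in the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the rules quoted in the post, nothing more.
SAMPLE_IPNAT_CONF = """\
# enterprise subnets leaving via bge0
map bge0 172.16.0.0/16 -> 192.168.1.4/32 portmap tcp auto
map bge0 172.17.0.0/16 -> 192.168.1.5/32 portmap tcp auto
map bge0 172.18.0.0/16 -> 192.168.1.6/32 portmap tcp auto
map bge0 172.19.0.0/16 -> 192.168.1.7/32 portmap tcp auto
# internal hosts leaving via bge1, one to one
map bge1 10.1.2.3/32   -> 192.168.100.7/32 portmap tcp auto
map bge1 10.1.20.4/32  -> 192.168.100.8/32 portmap tcp auto
"""

# map <ifname> <src/mask> -> <dst/mask> [portmap <proto> <range|auto>]
MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+portmap\s+(?P<proto>\S+)\s+(?P<ports>\S+))?\s*$"
)


@dataclass
class MapRule:
    lineno: int
    ifname: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]   # e.g. "tcp" or "tcp/udp"; None if no portmap clause
    ports: Optional[str]   # e.g. "auto" or "10000:20000"


def parse_ipnat(text: str) -> List[MapRule]:
    """Parse `map` rules; comments and blank lines are skipped, anything
    else (rdr, bimap, ...) is rejected so a typo cannot pass silently."""
    rules: List[MapRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unsupported or malformed rule: {raw!r}")
        rules.append(MapRule(
            lineno, m["ifname"],
            ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False),
            m["proto"], m["ports"]))
    return rules


def lookup(rules: List[MapRule], ifname: str, src_ip: str
           ) -> Optional[Tuple[MapRule, str]]:
    """First `map` rule on `ifname` whose source block contains `src_ip`,
    plus the translated source.  For a /32 target that address is fixed;
    for a wider block ipnat picks one address from it, so the block is
    returned as a string instead.  None means the packet leaves untranslated."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.ifname == ifname and ip in r.src:
            new_src = str(r.dst.network_address) if r.dst.prefixlen == 32 else str(r.dst)
            return r, new_src
    return None


def uncovered(rules: List[MapRule], ifname: str, block: str,
              new_prefix: int = 16) -> List[str]:
    """Sub-blocks of `block` (split at /new_prefix) with no map rule on
    `ifname`: traffic from these sources is not translated at all."""
    want = ipaddress.ip_network(block)
    gaps = []
    for sub in want.subnets(new_prefix=new_prefix):
        if not any(r.ifname == ifname and sub.subnet_of(r.src) for r in rules):
            gaps.append(str(sub))
    return gaps


if __name__ == "__main__":
    rs = parse_ipnat(SAMPLE_IPNAT_CONF)
    for ifn, ip in [("bge0", "172.17.5.5"), ("bge1", "10.1.2.3"),
                    ("bge0", "10.1.2.3"), ("bge0", "172.20.0.5")]:
        hit = lookup(rs, ifn, ip)
        print(f"{ifn} {ip:>12} -> " + (f"line {hit[0].lineno}: {hit[1]}" if hit else "no map rule"))
    print("bge0 gaps in 172.16.0.0/12:", uncovered(rs, "bge0", "172.16.0.0/12"))
```

Run against the real /etc/ipnat.conf (`parse_ipnat(open("/etc/ipnat.conf").read())`) once the "etc." rules are in place; a source that returns `None` on the interface it actually egresses from, or a 10.x host queried on bge0 instead of bge1, is the first thing to compare against what `ipnat -l` reports as active.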
