
List:       openbsd-misc
Subject:    Re: IPF/IPNAT and traceroute.
From:       "J.C. Roberts" <unknown () abac ! com>
Date:       2001-04-30 8:18:34

On Sun, 29 Apr 2001 17:15:36 -0700 (PDT), you wrote:

>I have a few machines NATing behind an OpenBSD
>machine... For whatever reason, I can't traceroute to
>anything external from the internal machines. (I can
>traceroute from the OpenBSD machine, however.)  
>
>Does anyone know if there are any tricks to getting
>traceroute to work?  My IPF rules don't block anything
>(they just log anything coming into suspicious ports).
> But since I can't traceroute from the OpenBSD machine,
>I'm thinking it's an IPNAT problem instead of an IPF
>problem.  Here are my IPNAT rules:
>
>map fxp1 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
>map fxp1 192.168.0.0/24 -> 0/32 portmap tcpudp 10000:40000
                                           ^
                                         tcp/udp
>map fxp1 192.168.0.0/24 -> 0/32
>
>Any recommendations?  Thanks!

The edit above shouldn't affect your ICMP problem, and you may actually
be correct with the syntax "tcpudp" versus "tcp/udp" since it could
have changed in newer versions.

I'm running basically the same thing you are but with xl0 being the
external public IP interface and xl1 being the internal private IP
interface. The rules I'm using for ipnat are:

map xl0 xl1/24 -> xl0/32 proxy port ftp ftp/tcp
map xl0 xl1/24 -> xl0/32 portmap tcp/udp 10000:20000
map xl0 xl1/24 -> xl0/32

Traceroute works from all machines on the private subnet. Since
/etc/netstart initializes network interfaces before ipnat is called,
you can use their device names. I've got fixed IP addresses on
everything, so I'm not too sure how well this works for systems
getting their public IP (xl0) by DHCP. You probably will need a cron
job to check if the IP changes and then run
ipnat -FC -f /etc/ipnat.rules
if it does, but this might also be the case with the "0/32" method
you're using.

Please note, I'm no expert with any of this, but I do happen to have it
working and figured you might want to know.

Best Regards,
JCR
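The cron job JCR describes above, as an added example that is not part of the original message or of OpenBSD's own tooling: it reads the external interface's current IPv4 address, compares it with the address recorded on the last run, and only then flushes and reloads the ipnat rules with the exact command quoted in the message. The interface name xl0 and the rules path /etc/ipnat.rules come from the message; the state file location, the "run" argument, the use of logger(1), and the sample ifconfig output used by the self-test are assumptions made for this example.

```shell
#!/bin/sh
# Example cron job (added here, not from the original post): reload ipnat
# when the DHCP-assigned public address on the external interface changes.
# Assumed: EXT_IF=xl0 (from the message), STATE_FILE path, RULES path
# (/etc/ipnat.rules, as quoted in the message). ifconfig parsing follows
# OpenBSD's "inet A.B.C.D netmask ..." line format.

EXT_IF="${EXT_IF:-xl0}"
STATE_FILE="${STATE_FILE:-/var/run/ipnat-extip}"   # assumed location
RULES="${RULES:-/etc/ipnat.rules}"

# Constructed sample of OpenBSD ifconfig output, used only by selftest().
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	address: 00:00:5e:00:53:01
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	inet6 fe80::200:5eff:fe00:5301%xl0 prefixlen 64 scopeid 0x1'

# extract_inet_addr: print the first IPv4 address from ifconfig-style text
# on stdin. Matching on the literal "inet" keyword skips inet6 lines.
extract_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# current_addr: the external interface's address right now (empty if the
# interface is down or DHCP has not assigned one yet).
current_addr() {
    ifconfig "$EXT_IF" 2>/dev/null | extract_inet_addr
}

# addr_changed NEW STATEFILE: exit 0 when NEW differs from the recorded
# address or no address has been recorded yet; exit 1 when unchanged or
# when NEW is empty (nothing sensible to reload against).
addr_changed() {
    new="$1"; state="$2"
    [ -n "$new" ] || return 1
    if [ -f "$state" ]; then
        old=$(cat "$state")
        [ "$new" != "$old" ]
    else
        return 0
    fi
}

# reload_nat: the command from the message. -F flushes the NAT rule list,
# -C flushes the table of active translations, -f loads the rule file.
reload_nat() {
    ipnat -FC -f "$RULES"
}

# main: one cron pass. The state file is written only after a successful
# reload so a failed reload is retried on the next pass.
main() {
    addr=$(current_addr)
    if addr_changed "$addr" "$STATE_FILE"; then
        if reload_nat; then
            printf '%s\n' "$addr" > "$STATE_FILE"
            logger -t ipnat-check "external address now $addr; ipnat rules reloaded"
        else
            logger -t ipnat-check "ipnat reload failed for $addr"
        fi
    fi
}

# selftest: exercise the parser and the change check against constructed
# data, without touching ifconfig or ipnat. Returns 0 on success.
selftest() {
    tmp=$(mktemp) || return 1
    rm -f "$tmp"
    got=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extract_inet_addr)
    [ "$got" = "192.0.2.10" ] || return 1
    addr_changed "$got" "$tmp" || return 1            # no record yet -> changed
    printf '%s\n' "$got" > "$tmp"
    if addr_changed "$got" "$tmp"; then rm -f "$tmp"; return 1; fi   # same -> unchanged
    addr_changed "192.0.2.20" "$tmp" || { rm -f "$tmp"; return 1; }   # new lease -> changed
    if addr_changed "" "$tmp"; then rm -f "$tmp"; return 1; fi       # no address -> no reload
    rm -f "$tmp"
    return 0
}

# Only act when invoked with "run" (the cron entry), so the file can be
# sourced or inspected without side effects.
case "${1:-}" in
    run) main ;;
esac
```

A crontab line such as `*/5 * * * * /usr/local/sbin/ipnat-check run` (path assumed) polls every five minutes; because the reload also flushes the active translation table (`-C`), existing connections through the NAT are dropped, which is the cost of the approach JCR mentions and a reason to reload only on an actual address change rather than on every pass.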
