DaemonForums > FreeBSD > FreeBSD General
#1  dextro, 1st February 2009
nat HELP

So, I have been running FreeBSD as my router for some time now and like it a lot; I ran into a problem recently, however.

I've managed to forward ports to PCs across my network without a problem until I tried to forward some UDP for a game; it doesn't work.

Code:
nat on $ext1 from !($ext1) -> ($ext1:0)
rdr on $ext1 proto {tcp, udp} from any to any port {1234} -> $pc1

The above configuration does not work. I think the packets make it to the game, but PF does something to them and the game doesn't recognize them (I'm no expert, but that's what I've gathered so far).

Code:
binat on $ext1 from $pc1 to any -> $ext1

The above works fine; games and all applications on pc1 can connect out and accept connections. One major flaw, though: the rest of my network has no internet connectivity!

Some people have suggested I get another IP from my ISP and binat one to pc1 and nat the second to the rest of my LAN; this would be fine if my ISP allowed static IPs. I am actually allowed 2 IPs, but they have to be obtained with DHCP and I can only obtain one per interface, so as far as I can tell I would have to set up my network as laid out in the attached image. Seems a little crazy to me to change the network so much (1 new switch, 2 new NICs in the gateway) just to get a game working. I should also note the game worked fine when I forwarded port 1234 when I was using some $20 Linksys POS.

Finally, I had the idea to create a virtual interface on the gateway and bridge it to my modem's interface; this might allow me to set the MAC sent to my ISP's DHCP server, thus having it lease me the second IP. No idea how to create virtual interfaces or bridge on FreeBSD though :P
(page that gave me this idea: http://ezine.daemonnews.org/200406/netgraph.html)

Thanks in advance to anyone that helps me figure this out!!
Attached image: insane.jpg
#2  jggimi, 1st February 2009

You only show a PF rule fragment, so these are just guesses:

Guess #1: redirected traffic is blocked, you lack a pass rule for the redirected traffic.
Quote:
Originally Posted by PF Users Guide
NOTE: Translated packets must still pass through the filter engine and will be blocked or passed based on the filter rules that have been defined.
Guess #2: the traffic is passed, but the source is sending fragmented packets with the "don't fragment" bit set, which are being dropped by PF traffic normalization due to your scrub rule.

The pflog(4) facility can be used to determine if blocking is occurring. If your problem is due to your "scrub" rule, you can either change the rule and retest, or examine the packets on $ext1 and compare them with packets on $pc1.
#3  BSDfan666, 1st February 2009

Sounds like a classic case of.. rdr without a pass.

Code:
rdr on $ext1 inet proto { tcp, udp } from any to any port 1234 -> $pc1
pass in on $ext1 inet proto { tcp, udp } from any to $pc1 port 1234

In the future, post your complete pf configuration.
#4  dextro, 2nd February 2009

pf.conf
Code:
ext1="nfe0"
int1="rl0"

pc1="10.0.0.2"
pc2="10.0.0.3"

set skip on lo

# only one of the following 2 lines uncommented at a time!
nat on $ext1 from !($ext1) -> ($ext1:0)
#binat on $ext1 from $pc1 to any -> $ext1

rdr-anchor "miniupnpd"

rdr on $ext1 proto tcp from any to any port 54378 -> $pc1
rdr on $ext1 proto tcp from any to any port 1337 -> $pc1
rdr on $ext1 proto tcp from any to any port 3389 -> $pc1
rdr on $ext1 proto {tcp, udp} from any to any port 39004 -> $pc1
rdr on $ext1 proto {tcp, udp} from any to any port 1234 -> $pc1
rdr on $ext1 proto {tcp, udp} from any to any port 3074 -> $pc2

anchor "miniupnpd"
#5  BSDfan666, 2nd February 2009

That's interesting.. but did you even read my reply?
#6  dextro, 2nd February 2009

Of course I read it; did you even look at my pf.conf? There is no need to pass.
#7  BSDfan666, 2nd February 2009

Just humour me.

http://www.openbsd.org/faq/pf/rdr.html#filter
#8  dextro, 2nd February 2009

I have no "block in" in pf.conf, so the need to pass has been removed. But you have been humoured: I added the pass rule and got the same result; the game does not work.

pf.conf is now
Code:
# macros
ext1="nfe0"
ext2="ngeth0"
int1="rl0"

pc1="10.0.0.2"
pc2="10.0.0.3"

# options
#set block-policy return
#set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext1 from !($ext1) -> ($ext1:0)
#binat on $ext1 from $pc1 to any -> $ext1
#nat on $ext2 from !($ext2) -> ($ext2:0)
rdr-anchor "miniupnpd"

# uTorrent
rdr on $ext1 proto tcp from any to any port 45853 -> $pc1

# Apache
rdr on $ext1 proto tcp from any to any port 1337 -> $pc1

# Remote Desktop
rdr on $ext1 proto tcp from any to any port 3389 -> $pc1

# Hamachi
rdr on $ext1 proto {tcp, udp} from any to any port 39004 -> $pc1

# Red Alert 2 / Yuri's Revenge
#rdr on $ext_if proto tcp from any to any port {3840, 4005, 4808, 4810, 4995, 7000, 7001, 7002} -> $comp1
#rdr on $ext_if proto udp from any to any port {1234, 1235, 1236, 1237, 4000, 5400} -> $comp1

# Tiberian Sun
rdr on $ext1 proto {tcp, udp} from any to any port 1234 -> $pc1

# Xbox Live
#rdr on $ext_if proto udp from any to any port 88 -> $comp2
rdr on $ext1 proto {tcp, udp} from any to any port 3074 -> $pc2

#rdr on $ext_if proto {tcp, udp} from any to any port 1:65535 -> $comp1

anchor "miniupnpd"

pass in on $ext1 inet proto { tcp, udp } from any to $pc1 port 1234

EDIT1:

Quote:
Packet before the rdr rule is processed:

* Source address: 192.0.2.1
* Source port: 4028 (arbitrarily chosen by the operating system)
* Destination address: 24.65.1.13
* Destination port: 80

Packet after the rdr rule is processed:

* Source address: 192.0.2.1
* Source port: 4028
* Destination address: 192.168.1.5
* Destination port: 8000
My money is on that being the problem; any way to stop PF from altering packets?

Last edited by dextro; 2nd February 2009 at 08:58 AM.
#9  jggimi, 2nd February 2009

The "alteration" you describe from the PF user's guide was an *intentional* port redirection to a new port number (80 -> 8000). That doesn't apply to your situation. None of your destination port numbers are changed in the rdr rules you've published in this thread.

Packet normalization ("scrub") was not enabled in your original pf.conf in post #4, above. It was one of my guesses as to a possible source of your problem. Now that you have it enabled, per post #8, packet normalization can change packets destined for your private network. According to the PF Users Guide:
Quote:
...some multi-player games have connection problems passing through PF with scrub enabled.
My next guess (and a guess it is) is that you're missing some necessary ports in your redirect list.

To confirm this possibility, you must analyze the packets entering your external interface with a tool such as tcpdump(1), and compare that with the packets being passed to your internal interface. Not only will it show you if your remote game server is sending packets to ports you've not listed, it will show you if the packets are being redirected as you expect.
#10  dextro, 2nd February 2009

What should this tcpdump command look like? My tcpdump knowledge is minimal.
#11  jggimi, 2nd February 2009

Something like:

# tcpdump -neti <interface> host <remote server>

Disclaimer -- there may be a syntax error in the above example. I'm not at a machine with tcpdump access at the moment. Please review the tcpdump man page; the link is in post #9.
#12  dextro, 2nd February 2009

I did a tcpdump -vv udp, then played a game and got:
Code:
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 bytes
06:20:36.618694 IP (tos 0x0, ttl 112, id 64720, offset 0, flags [none], proto UDP (17), length 131) 195.189.97.122.57944 > 207.6.123.87.45853: UDP, length 103
06:20:37.435792 IP (tos 0x0, ttl 64, id 1928, offset 0, flags [none], proto UDP (17), length 71) 207.6.123.87.58444 > 75.154.133.68.domain: [udp sum ok] 32387+ PTR? 87.123.6.207.in-addr.arpa. (43)
06:20:37.481066 IP (tos 0x0, ttl 247, id 27864, offset 0, flags [DF], proto UDP (17), length 201) 75.154.133.68.domain > 207.6.123.87.58444: 32387 q: PTR? 87.123.6.207.in-addr.arpa. 1/2/2 87.123.6.207.in-addr.arpa.[|domain]
06:20:38.213907 IP (tos 0x0, ttl 107, id 58831, offset 0, flags [none], proto UDP (17), length 126) 78.131.211.178.27370 > 207.6.123.87.45853: UDP, length 98
06:20:40.509953 IP (tos 0x0, ttl 116, id 59345, offset 0, flags [none], proto UDP (17), length 90) 222.83.215.126.16001 > 207.6.123.87.45853: UDP, length 62
06:20:40.799499 IP (tos 0x0, ttl 114, id 9179, offset 0, flags [none], proto UDP (17), length 126) 210.253.80.120.13899 > 207.6.123.87.45853: UDP, length 98
06:20:41.177728 IP (tos 0x0, ttl 113, id 5882, offset 0, flags [none], proto UDP (17), length 126) 60.53.86.102.26535 > 207.6.123.87.45853: UDP, length 98
06:20:41.317674 IP (tos 0x0, ttl 116, id 59410, offset 0, flags [none], proto UDP (17), length 90) 222.83.215.126.16001 > 207.6.123.87.45853: UDP, length 62
06:20:42.439868 IP (tos 0x0, ttl 64, id 1929, offset 0, flags [none], proto UDP (17), length 71) 207.6.123.87.50541 > 75.154.133.100.domain: [udp sum ok] 32387+ PTR? 87.123.6.207.in-addr.arpa. (43)
06:20:42.498969 IP (tos 0x0, ttl 246, id 45275, offset 0, flags [DF], proto UDP (17), length 201) 75.154.133.100.domain > 207.6.123.87.50541: 32387 q: PTR? 87.123.6.207.in-addr.arpa. 1/2/2 87.123.6.207.in-addr.arpa.[|domain]
06:20:44.442275 IP (tos 0x0, ttl 64, id 1930, offset 0, flags [none], proto UDP (17), length 71) 207.6.123.87.58444 > 75.154.133.68.domain: [udp sum ok] 32387+ PTR? 87.123.6.207.in-addr.arpa. (43)
06:20:44.488482 IP (tos 0x0, ttl 247, id 31714, offset 0, flags [DF], proto UDP (17), length 201) 75.154.133.68.domain > 207.6.123.87.58444: 32387 q: PTR? 87.123.6.207.in-addr.arpa. 1/2/2 87.123.6.207.in-addr.arpa.[|domain]
Doesn't make any sense to me; I don't even know if any of that is game traffic.
#13  dextro, 2nd February 2009

I just did a local packet sniff with Wireshark while I was playing a game, and the IPs of the users I was in game with sent me UDP packets on port 1234, that's it. PF changes the packet dest addr; that must be what's breaking it.

Also, as I said in my first post, all I did with my old router was forward port 1234 and the game worked fine.
#14  dextro, 2nd February 2009

new pf.conf
Code:
ext1="nfe0"
int1="rl0"

pc1="10.0.0.2"
pc2="10.0.0.3"

# options
#set block-policy return
#set loginterface $ext1
set skip on lo

# scrub
#scrub in

# nat/rdr
nat on $ext1 from !($ext1) -> ($ext1:0)
#binat on $ext1 from $pc1 to any -> $ext1

rdr-anchor "miniupnpd"

rdr on $ext1 proto {tcp, udp} from any to any port 1:65535 -> $pc1

anchor "miniupnpd"

pass in on $ext1 inet proto { tcp, udp } from any to $pc1 port 1:65535

The game still doesn't work with just nat; I still need to binat. Seeing as how I am forwarding ALL ports, it has to be PF, amirite?
#15  jggimi, 2nd February 2009

Looking at the UDP traffic from tcpdump, you will see an IP address followed by the port number: xx.xx.xx.xx.yy

So, taking the first packet as an example: the source was 195.189.97.122, in the Ukraine, using source port #57944, and the destination was your IP address at Telus in British Columbia, destination port # 45853.

Taking the second packet as an example, it was from your IP at Telus to another IP at Telus. The destination port was "domain" -- port #53, used for DNS. I assume this is your local Domain Name Server at your ISP. The third packet was the reply.

and so on...

The reason I recommended the "host <remote server>" expression was to reduce your analysis to game traffic, assuming you can determine the address of the game server, or even the netblock it comes from. The host expression can use CIDR notation to capture entire subnets. e.g.: "host 192.168.0.0/8" would log only traffic from the entire 192.168.x.x network.
Quote:
...PF changes the packet dest addr...
Really? PF changes the packet destination address from 1234 to what? Your rule for UDP port 1234 (or any other rdr rule) does not show a destination change.

Show me.
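As an added example (not from any poster in this thread), the comparison jggimi asked for in posts #2 and #9 can be scripted: capture outbound UDP on the inside interface and on the outside interface at the same time, pair the packets up, and see what translation did to each one. The script below does that for two constructed captures in `tcpdump -n` format that reuse the addresses posted above; the outside-side source ports 51432, 61877 and 58444 are made up to show what a nat rule without static-port does to pc1's traffic. On the live gateway the two inputs would come from `tcpdump -n -i rl0 udp and host 10.0.0.2` and `tcpdump -n -i nfe0 udp`, run in parallel. (One note on tcpdump filter syntax: `host` takes a single address; a CIDR block is written with `net`, for example `net 195.189.97.0/24`.)

```shell
#!/bin/sh
# Added example (not from the thread): pair the outbound UDP packets pc1 sends,
# as seen on the inside interface, with the same packets after NAT on the
# outside interface, and report whether PF rewrote the source port.
# Both captures are constructed here to mimic "tcpdump -n -i <if> udp" output,
# reusing the addresses posted in the thread.

PC1=10.0.0.2           # internal host (the thread's $pc1)
EXT_IP=207.6.123.87    # gateway's external address, as in the posted capture

# constructed: inside interface (rl0), before translation
INSIDE_CAP='06:20:36.618694 IP 10.0.0.2.1234 > 195.189.97.122.1234: UDP, length 103
06:20:36.901122 IP 10.0.0.2.1234 > 78.131.211.178.1234: UDP, length 98
06:20:37.435792 IP 10.0.0.2.52102 > 75.154.133.68.53: 4021+ A? example.net. (29)
06:20:38.213907 IP 78.131.211.178.1234 > 10.0.0.2.1234: UDP, length 98'

# constructed: outside interface (nfe0), after "nat ... -> ($ext1:0)" with no static-port
OUTSIDE_CAP='06:20:36.618701 IP 207.6.123.87.51432 > 195.189.97.122.1234: UDP, length 103
06:20:36.901130 IP 207.6.123.87.61877 > 78.131.211.178.1234: UDP, length 98
06:20:37.435800 IP 207.6.123.87.58444 > 75.154.133.68.53: 4021+ A? example.net. (29)
06:20:38.213900 IP 78.131.211.178.1234 > 207.6.123.87.1234: UDP, length 98'

# outbound_ports CAPTURE SRC_IP: print "dst_ip:dst_port src_port" for each packet
# SRC_IP sent. tcpdump -n writes endpoints as a.b.c.d.port, so the port is the
# text after the fourth dot; lines that do not look like that are skipped.
outbound_ports() {
    printf '%s\n' "$1" | awk -v src="$2" '
        $2 == "IP" && $4 == ">" {
            s = $3; d = $5; sub(/:$/, "", d)
            n = split(s, sa, "\\."); m = split(d, da, "\\.")
            if (n != 5 || m != 5) next
            sip = sa[1] "." sa[2] "." sa[3] "." sa[4]
            dip = da[1] "." da[2] "." da[3] "." da[4]
            if (sip == src) print dip ":" da[5], sa[5]
        }'
}

# nat_port_map: match the n-th packet pc1 sent with the n-th packet the gateway
# sent (same order, same destination) and show what happened to the source port.
nat_port_map() {
    {
        outbound_ports "$INSIDE_CAP" "$PC1"
        echo '--'
        outbound_ports "$OUTSIDE_CAP" "$EXT_IP"
    } | awk '
        /^--$/ { outside = 1; next }
        !outside { in_dst[++ni] = $1; in_port[ni] = $2; next }
        {
            no++
            if (in_dst[no] != $1) { print "unpaired:", $1, "inside was", in_dst[no]; next }
            if (in_port[no] == $2) print $1, "src port", in_port[no], "kept"
            else print $1, "src port", in_port[no], "rewritten to", $2
        }'
}

# rewritten_count: number of outbound packets whose source port NAT changed.
# Any non-zero count on the game flows means the peer sees a port other than
# 1234, which is what static-port (or binat, which never touches ports) avoids.
rewritten_count() {
    nat_port_map | grep -c 'rewritten'
}

nat_port_map
```

The three "rewritten" lines are the whole story of this thread: pc1 sends from port 1234, the peer sees a random high port, and a game that needs its source port to survive translation breaks. binat never touches ports, and `static-port` makes nat behave the same way for the packets it matches, which is why both variants fixed the game.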
#16  dextro, 2nd February 2009

Dest addr (IP), not port.
#17  dextro, 2nd February 2009

Quote:
Bidirectional Mapping (1:1 mapping)
A bidirectional mapping can be established by using the binat rule. A binat rule establishes a one to one mapping between an internal IP address and an external address. This can be useful, for example, to provide a web server on the internal network with its own external IP address. Connections from the Internet to the external address will be translated to the internal address and connections from the web server (such as DNS requests) will be translated to the external address. TCP and UDP ports are never modified with binat rules as they are with nat rules.

Example:

web_serv_int = "192.168.1.100"
web_serv_ext = "24.5.0.6"

binat on tl0 from $web_serv_int to any -> $web_serv_ext
TCP and UDP ports are never modified with binat rules as they are with nat rules.

Must be what makes the difference between my game working and not working, eh?
#18  dextro, 2nd February 2009

All this time, all I had to do was add static-port to the end of the nat line:

Code:
nat on $ext1 from !($ext1) -> ($ext1:0) static-port

Everything on my LAN now works great!
#19  jggimi, 2nd February 2009

Glad you found the source of the trouble!
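Post #18's fix puts static-port on the only nat rule, which switches off PF's source-port rewriting for every host behind the gateway, not just pc1 (nat otherwise picks a random high port for each new state, which is exactly the behaviour that broke the game). The configuration below is an added example, not the poster's final file: it keeps the static-port fix but narrows it to the game's flows, and adds the default-deny filter none of the posted configs had, so the rdr/pass pairing BSDfan666 gave in post #3 actually does something. Assumptions: interface and host names are the thread's; the game is assumed to need only UDP source port 1234 preserved, which is what the poster's Wireshark capture in post #13 suggests; the syntax is the pre-4.7 nat/rdr form that FreeBSD's pf uses.

```pf
# Added example, not the poster's final pf.conf: static-port scoped to the game
# flows only, plus a default-deny filter so the rdr/pass pairing from post #3
# is actually enforced.  Interface and host names are the thread's.
ext1="nfe0"
int1="rl0"
pc1="10.0.0.2"
pc2="10.0.0.3"
game_port="1234"   # Tiberian Sun (post #8); assumed to be the only port that must survive NAT

set skip on lo

# Normalization stays off: post #9 quotes the PF guide on multi-player games
# having trouble with scrub.  Re-enable and retest once the game is known good.
#scrub in

# Translation.  The first matching translation rule wins, so the narrow
# static-port rule comes first.  static-port keeps the original source port
# (1234 leaves the gateway as 1234); without it nat picks a random high port
# for every new state.  Everything else keeps the rewrite, so the rest of the
# LAN does not lose unpredictable source ports because one game needs a fixed one.
nat on $ext1 inet proto udp from $pc1 port $game_port to any -> ($ext1:0) static-port
nat on $ext1 from !($ext1) -> ($ext1:0)

rdr-anchor "miniupnpd"

# Inbound game traffic to the external address goes to pc1; the destination
# port is left alone (this rule changes the address only).
rdr on $ext1 inet proto { tcp, udp } from any to ($ext1) port $game_port -> $pc1

# Filtering.  Translated packets still pass through the filter (post #2), so
# with a block rule in place each rdr needs a pass that names the
# post-translation destination, i.e. $pc1, not the external address.
# Logging the blocks lets "tcpdump -n -e -ttt -i pflog0" show what was dropped.
block in log on $ext1
pass in on $ext1 inet proto udp from any port 67 to any port 68   # DHCP replies for the ISP lease (post #1)
pass in on $ext1 inet proto { tcp, udp } from any to $pc1 port $game_port keep state
pass out on $ext1 keep state
pass in on $int1 from $int1:network keep state

anchor "miniupnpd"
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm with `pfctl -ss` that pc1's game states show the same source port on both sides of the translation while other hosts' states do not. Leaving static-port on a blanket nat rule, as the thread did, works, but the cost is that any internal host that sends from predictable source ports now shows those ports to the Internet, which is the sort of thing source-port randomisation at the NAT was quietly protecting against.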