[Solved] multi subnet in NAT can't ping each other - The FreeBSD Forums

#1 cheath (August 31st, 2010, 03:55)

I have a NAT server (PF) with 2 NICs: one (fxp0) has a public IP, and the other (fxp1) has a private IP.
I bound 3 private IPs to fxp1: 172.16.69.254, 172.16.70.254 and 172.16.71.254.
Clients are divided into 2 subnets, 172.16.70.0/24 and 172.16.71.0/24.
Clients and the NAT server all connect to the same switch (no VLAN).
Now, these two subnets can connect to the internet via the NAT server, but clients can't ping (connect to) the others in another subnet.
What can I do to let clients ping clients in another subnet?
Thanks.

#2 SirDice (August 31st, 2010, 07:36)

Please post your /etc/rc.conf and /etc/pf.conf.
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.

#3 cheath (August 31st, 2010, 07:56)

FreeBSD 8.1-R

[/etc/rc.conf]
Code:
defaultrouter="140.xx.yy.126"
gateway_enable="YES"
ifconfig_fxp0="inet 140.xx.yy.5  netmask 255.255.255.128"
ifconfig_fxp1="inet 172.16.69.254  netmask 255.255.255.0"
ifconfig_fxp1_alias0="inet 172.16.70.254  netmask 255.255.255.0"
ifconfig_fxp1_alias1="inet 172.16.71.254  netmask 255.255.255.0"
pf_enable="YES"
pflog_enable="YES"

[/etc/pf.conf]
Code:
ext_if="fxp0"
int_if="fxp1"
wan_net = "140.xx.yy.0/25"
set skip on lo
scrub in all
nat on $ext_if from 172.16.70.0/24 to any -> 163.30.69.5
nat on $ext_if from 172.16.71.0/24 to any -> 163.30.69.5

Thanks.

Last edited by DutchDaemon; August 31st, 2010 at 10:12. Reason: proper formatting: http://forums.freebsd.org/showthread.php?t=8816

#4 mix_room (August 31st, 2010, 07:57)

http://www.freebsd.org/doc/handbook/...k-routing.html

Quote:
Originally Posted by Handbook - 31.2.4 Building a Router
31.2.4 Building a Router

A network router is simply a system that forwards packets from one interface to another. Internet standards and good engineering practice prevent the FreeBSD Project from enabling this by default in FreeBSD. You can enable this feature by changing the following variable to YES in rc.conf(5):

gateway_enable="YES" # Set to YES if this host will be a gateway

This option will set the sysctl(8) variable net.inet.ip.forwarding to 1. If you should need to stop routing temporarily, you can reset this to 0 temporarily.

Your new router will need routes to know where to send the traffic. If your network is simple enough you can use static routes. FreeBSD also comes with the standard BSD routing daemon routed(8), which speaks RIP (both version 1 and version 2) and IRDP. Support for BGP v4, OSPF v2, and other sophisticated routing protocols is available with the net/zebra package. Commercial products such as GateD® are also available for more complex network routing solutions.

#5 SirDice (August 31st, 2010, 09:26)

gateway_enable is already on or those clients wouldn't be able to access the internet either.

#6 wblock@ (August 31st, 2010, 16:48)

The NAT lines make no sense to me; what is 163.30.69.5?

Also, you don't mention the OS used by the clients, or whether you've tried tests other than ping. Some poorly-written OSes think ICMP packets are scary hacker tools, and firewall them.

#7 SirDice (August 31st, 2010, 16:55)

Run tcpdump(1) on the fxp0 interface and start pinging.

#8 cheath (August 31st, 2010, 17:54)

Quote:
Originally Posted by wblock
The NAT lines make no sense to me; what is 163.30.69.5?

Also, you don't mention the OS used by the clients, or whether you've tried tests other than ping. Some poorly-written OSes think ICMP packets are scary hacker tools, and firewall them.

Sorry for the copy-and-paste error. 163.30.69.5 should be replaced by the IP bound to fxp0.
I use Win2000 to ping Win7. I ping clients from the NAT server, too.
When I use Win2000 to ping Win7 in another subnet, there is no response.
At the same time, when I ping the same Win7 client computer from the NAT server, it responds.

I'll tcpdump it and post again, thanks.

#9 SirDice (August 31st, 2010, 21:02)

Have a look at netstat -rn too. Both networks should be accessible via fxp0.

You may also want to limit tcpdump to just show icmp:
# tcpdump -ni fxp0 icmp
Or just to/from a certain host:
# tcpdump -ni fxp0 icmp and host 172.16.70.12

#10 cheath (September 5th, 2010, 04:41)

Thanks wblock and SirDice.
I solved this problem.
It is just that Win7 by default only receives ping packets from the same subnet.
I edited the firewall rules on Win7 and it works fine.
Thanks a lot.
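
The tcpdump check from post #9 and the cause reported in post #10, tied together as an added example that is not part of the original thread: it pairs echo requests with replies in `tcpdump -n icmp` text and flags hosts that answer only their own subnet. The capture lines, the address 172.16.71.20 and the function names are constructed for illustration; input is assumed to come from the inside interface (fxp1 in the posted rc.conf).

```shell
#!/bin/sh
# Constructed capture (added example data, not from the thread). On fxp1 a
# forwarded request shows up twice: it enters and leaves through that interface.
sample_capture() {
    cat <<'EOF'
12:00:01.000100 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 512, seq 256, length 40
12:00:01.000140 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 512, seq 256, length 40
12:00:02.000100 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 512, seq 512, length 40
12:00:02.000140 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 512, seq 512, length 40
12:00:05.000100 IP 172.16.71.254 > 172.16.71.20: ICMP echo request, id 4660, seq 0, length 64
12:00:05.000400 IP 172.16.71.20 > 172.16.71.254: ICMP echo reply, id 4660, seq 0, length 64
EOF
}

# Print "src dst sent=N answered=M" per pinger/target pair, counting each
# id/seq once so duplicate sightings of one packet do not inflate the totals.
ping_pairs() {
    awk '
    $6 == "ICMP" && $7 == "echo" {
        src = $3; dst = $5; sub(/:$/, "", dst); id = $10; seq = $12
        if ($8 == "request,") {
            if (!((src, dst) in sent)) order[++n] = src " " dst
            if (!((src, dst, id, seq) in req)) { req[src, dst, id, seq] = 1; sent[src, dst]++ }
        } else if ($8 == "reply,") {
            # A reply travels target -> pinger, so file it under the request direction.
            if (!((dst, src, id, seq) in rep)) { rep[dst, src, id, seq] = 1; got[dst, src]++ }
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            split(order[i], p, " ")
            printf "%s %s sent=%d answered=%d\n", p[1], p[2], sent[p[1], p[2]], got[p[1], p[2]] + 0
        }
    }'
}

# List targets that answer a pinger in their own /24 but stay silent toward a
# pinger in another /24 (masks assumed to be 255.255.255.0, as in the rc.conf).
local_only_responders() {
    ping_pairs | awk '
    {
        s = $1; d = $2; sub(/\.[0-9]+$/, "", s); sub(/\.[0-9]+$/, "", d)
        if (s == d && $4 != "answered=0") same[$2] = 1
        if (s != d && $4 == "answered=0") cross[$2] = 1
    }
    END { for (h in cross) if (h in same) print h }' | sort
}

sample_capture | local_only_responders
```

A host listed by `local_only_responders` received the forwarded requests, so routing and PF on the gateway are not the cause and the host's own firewall is the place to look.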