ICMP Packets go to only one side

F

Fireball

Hello,

There is FreeBSD 7.4 server with 3 ethernet cards: fxp0, fxp1, age0 and two routers: D-Link DI-704P and ASUS Mobile WiMAX/Wi-Fi Center, with two different static external IP addresses. In attachment you can find network scheme.

At first, task was connect two ineternet channels and realize load-balancing between them. But, when I assembled all, I find out that server didn't work like gateway. In local network internet is not accessible. From local PC's all, that are located in outside of the age0 interface, is not accessible, except 192.168.1.2 and 192.168.2.2, but NOT 192.168.1.1 and 192.168.2.1 (LAN's of routers).

Thereby, now problem is to assemble gateway on the basis of FreeBSD 7.4. I temprorary not use fxp1 for simplify task and work with one internet channel but in LAN any internet addresses not accessible. I made tcpdump of fxp0 and age0 interfaces when ping -t 8.8.8.8 was running on Windows machine from 169.254.107.0/24. I found out that ICMP requests captured on age0 then they forward to fxp0 and go throuht NAT, address of src suscessfully modify and then go to router D-Link. I also used instead of D-Link router one of Windows machines with Wireshark and tried capture packets (IP address of this Windows machine I set to 192.168.1.1 like D-Link). Packets successfully was captured with right headers, so NAT working on FreeBSD. Tcpdump on fxp0 capture ICMP requests and ICMP replies. But on age0 tcpdump capture ONLY ICMP requests and packets don't reach from fxp0->age0 backwards!

This looks like NAT modify IP addresses only in one side. But I try pf+nat and ipfw+natd - the results is same. Server don't work with reverse forwarding. Firewall on Windows machine is turned off. From server I can ping any computer in LAN and Internet. Packets is lost inside server but how to find out where?

And I rebuilt kernel and world at last summer From FreeBSD 6.2->7.2->7.4 maybe this fact will helpful. Kernel options in attachment

Configs:
rc.conf

Code: 
# -- sysinstall generated deltas -- # Wed Oct 10 09:30:33 2007
# Created: Wed Oct 10 09:30:33 2007
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
usbd_enable="YES"
sshd_enable="YES"

#old conf
#ifconfig_age0="169.254.107.8/24"
#ifconfig_fxp0="169.254.107.8/24"
#ifconfig_fxp1="192.168.2.2/24"
#defaultrouter="169.254.107.1"

#new config
gateway_enable="YES"
#pf_rules="/etc/pf.conf"
ifconfig_age0="169.254.107.8/24"
ifconfig_fxp0="192.168.1.2/24"
ifconfig_fxp1="192.168.2.2/24"
defaultrouter="192.168.1.1"

#forward_sourceroute="YES"
#natd_enable="YES"
#natd_flags="-f /etc/natd.conf"
#pflog_enable="YES"

#encodinG
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
keymap="ru.koi8-r"
scrnmap="koi8-r2cp866"

sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

slapd_enable="YES"
slapd_flags=' -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"


clamav_freshclam_enable="YES"
clamav_clamd_enable="YES"
clamsmtpd_enable="YES"

postfix_enable="YES"
dovecot_enable="YES"

samba_enable="YES"
smbd_enable="YES"
nmbd_enable="YES"
winbindd_enable="YES"
hostname="server.company.ru"
dhcpd_enable="YES"
snmpd_enable="YES"
pf_enable="YES"
#nut_enable="YES"
named_enable="YES"
proftpd_enable="YES"
postgresql_enable="YES"
postgresql_data="/usr/local/pgsql/data"
postgresql_flags="-w -s -m fast"
postgrey_enable="YES"
# added by xorg-libraries port
local_startup="/usr/local/etc/rc.d"
healthd_enable="YES"
httpd_enable="YES"
rinetd_enable="YES"
apache_enable="YES"
munin_node_enable="YES"
openvpn_enable="YES"


#natd_enable="YES"
#natd_interface="fxp0"
#natd_flags=""
   
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"

# netstat -rn
Code: 
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0     1010   fxp0
127.0.0.1          127.0.0.1          UH          0     1266    lo0
169.254.106.0/24   169.254.106.2      UGS         0        0   tun0
169.254.106.2      169.254.106.1      UH          1        0   tun0
169.254.107.0/24   link#1             UC          0        0   age0
169.254.107.8      00:1b:fc:b9:5d:e4  UHLW        1      198    lo0
169.254.107.34     00:18:8b:7f:83:d3  UHLW        1        4   age0   1200
169.254.107.78     50:e5:49:3e:ad:61  UHLW        1     2362   age0   1197
169.254.107.79     50:e5:49:3e:ad:7c  UHLW        1       12   age0   1048
169.254.107.255    ff:ff:ff:ff:ff:ff  UHLWb       1       65   age0
192.168.1.0/24     link#2             UC          0        0   fxp0
192.168.1.1        00:17:9a:f6:34:5d  UHLW        2        1   fxp0    961
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1       65   fxp0
192.168.2.0/24     link#3             UC          0        0   fxp1
192.168.2.255      ff:ff:ff:ff:ff:ff  UHLWb       1       65   fxp1

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#5                        UHL         lo0
ff01:5::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0

# ifconfig

Code: 
age0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=4319b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MCAST,WOL_MAGIC,VLAN_HWTSO>
   ether 00:1b:fc:b9:5d:e4
   inet 169.254.107.8 netmask 0xffffff00 broadcast 169.254.107.255
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether 00:02:a5:43:7b:fe
   inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether 00:02:a5:43:7b:ff
   inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
   inet6 ::1 prefixlen 128
   inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
   inet 169.254.106.1 --> 169.254.106.2 netmask 0xffffffff
   Opened by PID 1283

pf.conf
Code: 
#for NAT
nat  on fxp0 from 169.254.107.0/24 to any -> 192.168.1.2/32
nat  on fxp1 from 169.254.107.0/24 to any -> fxp1
 

Attachments

  • network.JPG
    network.JPG
    35.9 KB · Views: 303
  • GENERIC.txt
    GENERIC.txt
    14.5 KB · Views: 202
Thanks! It works! I modified 169.254.107/24 to 192.168.0/24 for LAN and packets wonderfully became to go between interfaces!

And change the pf.conf:
Code:
nat on fxp0 from any to any -> (fxp0)
Click to expand...

Why not
Code: 
nat on fxp0 from 192.168.0.0/24 to any -> (fxp0)
nat on fxp1 from 192.168.0.0/24 to any -> (fxp1)
?

Now internet is working from LAN! But on server NetBIOS-names resolve to old IP LAN adresses 169.254.107.0/24 :( I modified and restarted dhcp.conf, smb.conf.

Code: 
# nmblookup A0600010001
querying A0600010001 on 192.168.0.255
querying A0600010001 on 192.168.1.255
[B]192.168.0.79[/B] A0600010001<00>
# ping A0600010001
PING A0600010001.kim-sh.ru ([B]169.254.107.34[/B]): 56 data bytes
 
Ping uses DNS hostnames, it doesn't care about netbios names.
 
Did you perhaps add it to your /etc/hosts file? Or do you use a DNS server?
 
I use DNS server and I've modified file of zones and restart server, but changes didn't take any effects.
 
There's something missing in your configuration or your registrar is not delegating your zone kim-sh.ru to your DNS servers properly:

Code: 
# dig A0600010001.kim-sh.ru

; <<>> DiG 9.8.1-P1 <<>> A0600010001.kim-sh.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22386
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;A0600010001.kim-sh.ru.         IN      A

;; Query time: 0 msec
;; SERVER: 10.71.13.1#53(10.71.13.1)
;; WHEN: Fri Feb 10 13:38:38 2012
;; MSG SIZE  rcvd: 39
 
Fireball said:
I use DNS server and I've modified file of zones and restart server, but changes didn't take any effects.
Click to expand...

Did you update the zone's serial number?
 
Maybe this fact can help to solve problem. Before changing IP of LAN, I installed samba 3.4, because previous version of samba refuse to work.
 
kpa said:
There's something missing in your configuration or your registrar is not delegating your zone kim-sh.ru to your DNS servers properly:

Code: 
# dig A0600010001.kim-sh.ru

; <<>> DiG 9.8.1-P1 <<>> A0600010001.kim-sh.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22386
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;A0600010001.kim-sh.ru.         IN      A

;; Query time: 0 msec
;; SERVER: 10.71.13.1#53(10.71.13.1)
;; WHEN: Fri Feb 10 13:38:38 2012
;; MSG SIZE  rcvd: 39
Click to expand...

Names like A0600010001.kim-sh.ru can't be accessible from the outside! Only from the local network.

I control subzone webmail.kim-sh.ru of domain kim-sh.ru, but actually our company owns the domain kim-sh.ru and all mail goes to surname@kim-sh.ru, not surname@webmail.kim-sh.ru,

If I try the command nmblookup A0600010001 then I get the proper IP address, but pinging by name doesn't work :( I tried to rndc trace and reconfigured named.conf, but this didn't give results and I returned named.conf. Then I tried to delete wins.dat from /var/db/samba34 and reloaded named. This also didn't give any result. But when I return wins.dat and named.conf ping cannot resolve name to any IP!

Code: 
ping A0600010001
ping: cannot resolve A0600010001: Unknown host

cat /etc/namedb/named.conf
Code: 
options {
	directory	"/etc/namedb";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";


	listen-on	{ 127.0.0.1; 192.168.0.1; };

};

zone "." {
	type hint;
	file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
	type master;
	file "master/localhost.rev";
};

// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
	type master;
	file "master/localhost-v6.rev";
};

zone "0.168.192.in-addr.arpa" {
	type master;
	file "master/ina";
	allow-update { 192.168.0.1; };
};
zone "kim-sh.ru" {
	type master;
	file "master/kim-sh.ru";
	allow-update { 192.168.0.1; };
};

master/ina
Code: 
$ORIGIN .
$TTL 3600	; 1 hour
0.168.192.in-addr.arpa IN SOA	server.kim-sh.ru. root.server.kim-sh.ru. (
				2012021001 ; serial
				3600       ; refresh (1 hour)
				900        ; retry (15 minutes)
				3600000    ; expire (5 weeks 6 days 16 hours)
				3600       ; minimum (1 hour)
				)
			NS	server.kim-sh.ru.
$ORIGIN 0.168.192.in-addr.arpa.
*			PTR	host.kim-sh.ru.

master/kim-sh.ru
Code: 
$ORIGIN .
$TTL 3600	; 1 hour
kim-sh.ru		IN SOA	server.kim-sh.ru. root.server.kim-sh.ru. (
				2012021002 ; serial
				3600       ; refresh (1 hour)
				900        ; retry (15 minutes)
				3600000    ; expire (5 weeks 6 days 16 hours)
				3600       ; minimum (1 hour)
				)
			NS	server.kim-sh.ru.
$ORIGIN kim-sh.ru.
server			A	192.168.0.1
@			A	91.197.8.212
www			A	91.197.8.212
domino-srv		A	192.168.0.250
ftp			A	213.248.47.47
 
Problem had solved by editing file /etc/nsswitch.conf. I had added "wins" to first place of string hosts.

Thank you.
 
You must log in or register to reply here.
Back
Top