Hello everyone
I migrated recently from 9-Release to 10.0-Release and started having problems with IPNAT. I moved the IPF/IPNAT/MPD5 configuration files, with the only change being tun0 to ng0 in ipnat.rules.
I have a PPPoE WAN connection handled by MPD5 (ng0 interface). NAT mapping is as follows:
Code:
map ng0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp
map ng0 192.168.100.0/24 -> 0/32 portmap tcp/udp 30000:50000
map ng0 192.168.100.0/24 -> 0/32
To illustrate the problem I run wget on the same machine (gw):
Code:
[muxx@gw ~]$ wget -O /dev/null --bind-address=192.168.100.128 http://www.ej.ru/index.html
converted 'http://www.ej.ru/index.html' (US-ASCII) -> 'http://www.ej.ru/index.html' (UTF-8)
--2015-03-04 20:58:28-- http://www.ej.ru/index.html
Resolving www.ej.ru (www.ej.ru)... 87.239.187.242
Connecting to www.ej.ru (www.ej.ru)|87.239.187.242|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 548 [text/html]
Saving to: '/dev/null'
/dev/null 100%[=============================================================================>] 548 --.-KB/s in 0s
2015-03-04 20:58:29 (36.1 MB/s) - '/dev/null' saved [548/548]
[muxx@gw ~]$ wget -O /dev/null --bind-address=192.168.100.128 http://www.ej.ru/index.html
converted 'http://www.ej.ru/index.html' (US-ASCII) -> 'http://www.ej.ru/index.html' (UTF-8)
--2015-03-04 20:58:30-- http://www.ej.ru/index.html
Resolving www.ej.ru (www.ej.ru)... 87.239.187.242
Connecting to www.ej.ru (www.ej.ru)|87.239.187.242|:80... failed: Network is unreachable.
If I don't bind 192.168.100.128 explicitly, every invocation of wget works fine. If I bind 192.168.100.128, connection fails intermittently approximately half of the time.
Looking at ipmon -a output I can see that for the failing attempt the "NAT:NEW-MAP" doesn't appear. Only "STATE:NEW" followed by "STATE:EXPIRE" after a while.
Obviously, all machines on the LAN suffer from the same problem.
When I try to use tinyproxy (bound to the ng0 interface for outgoing connections), and use it from the LAN, everything works. So it does look like I have misconfigured IPNAT somehow or there's some kind of incompatibility or bug (!?).
I tried specifying the mssclamp option in mapping rules, no difference.
I tried removing all rules from IPF just to make sure and it makes no difference.
I would be extremely grateful for any advice.
/max
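Added example (not part of the original post): one way to quantify the symptom described above is to scan captured ipmon -a output for flows that logged STATE:NEW but never got a NAT:NEW-MAP. The log lines and their field layout below are constructed and simplified; only the three event names come from the post, and the function name is hypothetical.

```python
import re

# Constructed, simplified sample. Only the event names (STATE:NEW,
# NAT:NEW-MAP, STATE:EXPIRE) come from the post; the layout is an assumption.
SAMPLE_LOG = """\
20:58:28.101 STATE:NEW 192.168.100.128,50112 -> 87.239.187.242,80 PR tcp
20:58:28.102 NAT:NEW-MAP 192.168.100.128,50112 <- -> 203.0.113.7,30001 [87.239.187.242,80]
20:58:30.440 STATE:NEW 192.168.100.128,50113 -> 87.239.187.242,80 PR tcp
20:59:30.900 STATE:EXPIRE 192.168.100.128,50112 -> 87.239.187.242,80 PR tcp
21:00:31.002 STATE:EXPIRE 192.168.100.128,50113 -> 87.239.187.242,80 PR tcp
21:01:00.500 STATE:NEW 192.168.100.128,50112 -> 87.239.187.242,80 PR tcp
"""

# Event tag followed by the internal source "address,port" pair.
EVENT_RE = re.compile(
    r"\b(STATE:NEW|STATE:EXPIRE|NAT:NEW-MAP)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}),(\d+)"
)


def unmapped_flows(log_text):
    """Return (src_ip, src_port) for each flow that created state but no NAT map.

    A flow is keyed by its internal source address and port. STATE:EXPIRE
    closes the flow, so a reused source port counts as a separate flow.
    """
    open_flows = {}   # key -> True once a NAT:NEW-MAP was seen for it
    unmapped = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # unrelated log line
        event, key = m.group(1), (m.group(2), int(m.group(3)))
        if event == "STATE:NEW":
            open_flows[key] = open_flows.get(key, False)
        elif event == "NAT:NEW-MAP":
            open_flows[key] = True
        elif open_flows.pop(key, None) is False:
            unmapped.append(key)  # expired without ever being mapped
    # Flows still open at the end of the capture that were never mapped.
    unmapped.extend(k for k, mapped in open_flows.items() if not mapped)
    return unmapped


if __name__ == "__main__":
    for ip, port in unmapped_flows(SAMPLE_LOG):
        print(f"state created but no NAT mapping: {ip},{port}")
```
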