Multiple subnets behind NAT can't ping each other

I have a NAT server (PF) with 2 NICs: one (fxp0) has a public IP, and the other (fxp1) has a private IP.
I bind 3 private IPs on fxp1: 172.16.69.254, 172.16.70.254 and 172.16.71.254.
Clients are divided into 2 subnets, 172.16.70.0/24 and 172.16.71.0/24.
Clients and the NAT server all connect to the same switch (no VLAN).
Now, these two subnets can connect to the internet via the NAT server, but clients can't ping (connect to) clients in the other subnet.
How can I let clients ping clients in another subnet?
Thanks.
 
FreeBSD 8.1-R

[/etc/rc.conf]
Code:
defaultrouter="140.xx.yy.126"
gateway_enable="YES"
ifconfig_fxp0="inet 140.xx.yy.5  netmask 255.255.255.128"
ifconfig_fxp1="inet 172.16.69.254  netmask 255.255.255.0"
ifconfig_fxp1_alias0="inet 172.16.70.254  netmask 255.255.255.0"
ifconfig_fxp1_alias1="inet 172.16.71.254  netmask 255.255.255.0"
pf_enable="YES"
pflog_enable="YES"

[/etc/pf.conf]
Code:
ext_if="fxp0"
int_if="fxp1"
wan_net = "140.xx.yy.0/25"
set skip on lo
scrub in all
nat on $ext_if from 172.16.70.0/24 to any -> 163.30.69.5
nat on $ext_if from 172.16.71.0/24 to any -> 163.30.69.5
Thanks.
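As an added example (not part of the original post, and not the poster's or anyone else's code from the thread), here is a small POSIX sh + awk lint for exactly this rc.conf + pf.conf layout. It reads both files and reports a "nat on" rule whose source subnet is not configured on an internal interface, or whose translation address is not an address on the external interface, and it also confirms gateway_enable="YES". The sample files it writes are constructed stand-ins: 203.0.113.0/25 replaces the redacted public range, and 198.51.100.5 plays the part of the stray translation address. Only the one-subnet-per-rule form used above is parsed; `{ ... }` lists are not.

```shell
#!/bin/sh
# Added example (not the thread's own code): lint a pf NAT box's rc.conf and
# pf.conf for the slips this kind of setup invites, using only POSIX sh + awk
# so it runs on the FreeBSD box itself (no pfctl, no root). It checks that
#   - gateway_enable="YES" is set (net.inet.ip.forwarding),
#   - every "nat on IF from NET to any -> ADDR" rule names a configured IF,
#   - NET is a subnet configured on some other (internal) interface,
#   - ADDR is an address configured on IF, or the (IF) / ($macro) form.
# Only the one-subnet-per-rule form used on this page is parsed (no { } lists).

# check_nat_config RC_CONF PF_CONF -> prints "ok" or one "problem: ..." line per finding
check_nat_config() {
    awk '
    function band(a, b,   r, p) {                # bitwise AND on 0..255 (POSIX awk has no &)
        r = 0
        for (p = 1; a > 0 && b > 0; p *= 2) {
            if (a % 2 == 1 && b % 2 == 1) r += p
            a = int(a / 2); b = int(b / 2)
        }
        return r
    }
    function network(ip, mask,   i, o, m, out) { # dotted address AND dotted mask
        split(ip, o, "."); split(mask, m, ".")
        out = band(o[1], m[1])
        for (i = 2; i <= 4; i++) out = out "." band(o[i], m[i])
        return out
    }
    function prefix_mask(plen,   i, bits, out) { # 25 -> 255.255.255.128
        out = ""
        for (i = 0; i < 4; i++) {
            bits = plen - 8 * i
            if (bits > 8) bits = 8
            if (bits < 0) bits = 0
            out = out (i ? "." : "") (256 - 2 ^ (8 - bits))
        }
        return out
    }
    function rcval(s,   v) { v = substr(s, index(s, "=") + 1); gsub("[\" ]", "", v); return v }
    function expand(s) { return (substr(s, 1, 1) == "$") ? macro[substr(s, 2)] : s }

    # rc.conf: ifconfig_fxp1="inet A netmask M" and ifconfig_fxp1_aliasN="..."
    FILENAME == ARGV[1] && /^ifconfig_[a-z0-9]+(_alias[0-9]+)?=/ && index($0, "=\"inet ") {
        ifn = $0; sub(/^ifconfig_/, "", ifn); sub(/=.*/, "", ifn); sub(/_alias[0-9]+$/, "", ifn)
        s = substr($0, index($0, "=") + 2); sub("\"$", "", s)
        n = split(s, f, " "); mask = "255.255.255.255"
        for (i = 1; i < n; i++) if (f[i] == "netmask") mask = f[i + 1]
        known[ifn] = 1; addr[ifn, f[2]] = 1; net[ifn, network(f[2], mask)] = 1
    }
    FILENAME == ARGV[1] && /^gateway_enable=/ { gw = rcval($0) }

    # pf.conf: name="value" macros, then the nat rules
    FILENAME == ARGV[2] && $0 ~ "^[a-z_]+ *= *\"" { key = $0; sub(/ *=.*/, "", key); macro[key] = rcval($0) }
    FILENAME == ARGV[2] && $1 == "nat" && $2 == "on" {
        ifn = expand($3); src = ""; dst = ""
        for (i = 4; i <= NF; i++) { if ($i == "from") src = $(i + 1); if ($i == "->") dst = $(i + 1) }
        split(src, sp, "/"); srcnet = network(sp[1], prefix_mask(sp[2]))
        gsub(/[()]/, "", dst); dst = expand(dst)
        if (!(ifn in known)) { print "problem: nat rule on unknown interface " ifn; bad++; next }
        hit = 0
        for (k in net) { split(k, p, SUBSEP); if (p[1] != ifn && p[2] == srcnet) hit = 1 }
        if (!hit) { print "problem: " src " is not a subnet on an internal interface"; bad++ }
        if (dst != ifn && !((ifn, dst) in addr)) {
            print "problem: translation address " dst " is not configured on " ifn; bad++
        }
    }
    END {
        if (gw != "YES") { print "problem: gateway_enable is not YES; the box will not forward"; bad++ }
        if (!bad) print "ok"
    }' "$1" "$2"
}

# Constructed sample files in the layout of the config above: documentation
# addresses instead of the poster's real ones, and the translation-address
# slip reproduced (198.51.100.5 is on no interface; fxp0 has 203.0.113.5).
write_samples() {
    cat > "$1" <<'EOF'
defaultrouter="203.0.113.126"
gateway_enable="YES"
ifconfig_fxp0="inet 203.0.113.5  netmask 255.255.255.128"
ifconfig_fxp1="inet 172.16.69.254  netmask 255.255.255.0"
ifconfig_fxp1_alias0="inet 172.16.70.254  netmask 255.255.255.0"
ifconfig_fxp1_alias1="inet 172.16.71.254  netmask 255.255.255.0"
EOF
    cat > "$2" <<'EOF'
ext_if="fxp0"
int_if="fxp1"
set skip on lo
scrub in all
nat on $ext_if from 172.16.70.0/24 to any -> 198.51.100.5
nat on $ext_if from 172.16.71.0/24 to any -> ($ext_if)
nat on $ext_if from 172.16.72.0/24 to any -> 203.0.113.5
EOF
}

# Demo run; on the real box: check_nat_config /etc/rc.conf /etc/pf.conf
tmp=$(mktemp -d)
write_samples "$tmp/rc.conf" "$tmp/pf.conf"
check_nat_config "$tmp/rc.conf" "$tmp/pf.conf"
# -> problem: translation address 198.51.100.5 is not configured on fxp0
#    problem: 172.16.72.0/24 is not a subnet on an internal interface
rm -rf "$tmp"
```

The `($ext_if)` form in the second sample rule is pf's own syntax for "whatever address the interface currently has", which sidesteps the copy-and-paste class of mistake entirely; the lint accepts it, and accepts a literal address only when rc.conf actually puts that address on the interface named in the rule.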
 
http://www.freebsd.org/doc/handbook/network-routing.html

FreeBSD Handbook said:
31.2.4 Building a Router

A network router is simply a system that forwards packets from one interface to another. Internet standards and good engineering practice prevent the FreeBSD Project from enabling this by default in FreeBSD. You can enable this feature by changing the following variable to YES in rc.conf(5):

gateway_enable="YES" # Set to YES if this host will be a gateway

This option will set the sysctl(8) variable net.inet.ip.forwarding to 1. If you should need to stop routing temporarily, you can reset this to 0 temporarily.

Your new router will need routes to know where to send the traffic. If your network is simple enough you can use static routes. FreeBSD also comes with the standard BSD routing daemon routed(8), which speaks RIP (both version 1 and version 2) and IRDP. Support for BGP v4, OSPF v2, and other sophisticated routing protocols is available with the net/zebra package. Commercial products such as GateD® are also available for more complex network routing solutions.
 
gateway_enable is already on or those clients wouldn't be able to access the internet either.
 
The NAT lines make no sense to me; what is 163.30.69.5?

Also, you don't mention the OS used by the clients, or whether you've tried tests other than ping. Some poorly-written OSes think ICMP packets are scary hacker tools, and firewall them.
 
wblock said:
The NAT lines make no sense to me; what is 163.30.69.5?

Also, you don't mention the OS used by the clients, or whether you've tried tests other than ping. Some poorly-written OSes think ICMP packets are scary hacker tools, and firewall them.

Sorry for the copy-and-paste error. 163.30.69.5 should be replaced by the IP bound on fxp0.
I use Win2000 to ping Win7. I ping the clients from the NAT server, too.
When I use Win2000 to ping Win7 in the other subnet, there is no response.
At the same time, when I ping the same Win7 client from the NAT server, it responds.

I'll tcpdump it and post again, thanks.
 
Have a look at netstat -rn too. Both networks should be accessible via fxp0.

You may also want to limit tcpdump to just show icmp:
# tcpdump -ni fxp0 icmp
Or just to/from a certain host:
# tcpdump -ni fxp0 icmp and host 172.16.70.12
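Building on the tcpdump commands above, here is an added example (not SirDice's or the poster's code) that reads such a capture taken on the NAT box's internal interface and says where a cross-subnet ping stops. Because both client subnets hang off the same interface, an echo request the box forwards appears there twice, once arriving from the client and once re-sent toward the target, so counting copies per sequence number separates "the router never forwarded it" from "the target got it and stayed silent". That last verdict is the one that points at a firewall on the target host. It assumes tcpdump's standard one-line ICMP summary format; the interface name, the addresses and the capture lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify a "tcpdump -ni <int_if> icmp"
# capture taken on the NAT box's internal interface to see where a
# cross-subnet ping dies. Both subnets share that interface, so a forwarded
# echo request is seen twice (in from the client, out toward the target);
# counting copies per seq number tells forwarding apart from a silent target.
# Addresses and capture lines are constructed for the demo.

# classify_icmp_capture SRC DST  (tcpdump lines on stdin) -> one verdict line
classify_icmp_capture() {
    awk -v src="$1" -v dst="$2" '
    # e.g. "11:02:01.100 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 1, seq 1, length 40"
    $2 == "IP" && $3 == src && $5 == (dst ":") && $7 == "echo" && $8 == "request," {
        seq = $12; sub(/,$/, "", seq)
        req++; if (!(seq in seen)) { seen[seq] = 1; uniq++ }
    }
    $2 == "IP" && $3 == dst && $5 == (src ":") && $7 == "echo" && $8 == "reply," { rep++ }
    END {
        if (req == 0)
            print "no-request: nothing from " src " reached the gateway; check its default route, mask and ARP"
        else if (rep > 0)
            print "ok: " rep " echo replies from " dst " seen; the path works"
        else if (req == uniq)
            print "not-forwarded: every request seen once and never re-sent; check net.inet.ip.forwarding, the route to " dst " and pf block rules"
        else
            print "forwarded-no-reply: requests were re-sent toward " dst " but it never answered; suspect a host firewall on " dst " or a bad mask/gateway there"
    }'
}

# capture_and_classify INT_IF SRC DST: run as root on the NAT box while SRC pings DST;
# stops after 20 ICMP packets so it returns on its own.
capture_and_classify() {
    tcpdump -lni "$1" -c 20 icmp and host "$2" and host "$3" 2>/dev/null \
        | classify_icmp_capture "$2" "$3"
}

# Constructed capture: two requests, each seen twice (in + forwarded out), no reply.
SAMPLE='11:02:01.100 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 1, seq 1, length 40
11:02:01.100 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 1, seq 1, length 40
11:02:02.100 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 1, seq 2, length 40
11:02:02.100 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 1, seq 2, length 40'

# Demo on the constructed capture; live use: capture_and_classify fxp1 172.16.70.12 172.16.71.20
printf '%s\n' "$SAMPLE" | classify_icmp_capture 172.16.70.12 172.16.71.20
# -> forwarded-no-reply: ...
```

Run it once while the Win2000 host pings the Win7 host: a "not-forwarded" verdict sends you back to the router (forwarding, routes, pf rules), while "forwarded-no-reply" means the router did its job and the answer has to be found on the target machine.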
 
Thanks wblock and SirDice.
I solved this problem.
It's just that Win7 by default only accepts ping packets from the same subnet.
I edited the firewall rules of Win7 and it works fine.
Thanks a lot.
 