On Tue, Jul 10, 2001 at 11:09:34AM +0200, Bohuslav Plucinsky wrote:
> Hi there,
> 
> I have a strange problem with natd and ICMP 3.4 (destination unreachable /
> fragmentation needed) packets.
> 
> Situation:
> 
>   - we have a FreeBSD 4.2-20001228-STABLE box with ipfw and natd configured
>     the xl0 interface has the public address 195.168.x.x
>     the xl1 interface is connected to our intranet with the private address 10.10.1.1
>     ipfw show:
>        00100       0          0 allow ip from any to any via lo0
>        ...
>        09200       0          0 divert 8668 ip from any to any via xl0
>        09300       0          0 allow ip from any to any
> 
>     natd is running with arguments: natd -n xl0
> 
>   - behind the FreeBSD box is a Cisco router with a GRE tunnel
> 
> 
>  195.168.x.x
>      xl0 ---------  xl1                          10.10.1.0/24 (MTU 1500)
>  -------| FreeBSD |------------------------------------------------------.... 
>          ---------               |
>         ipfw +NAT                |
>                                  |
>                                  |  10.10.1.2
>                              ----------
>                             |  CISCO 1 |
>                              ----------
>                                 ||
>                                 ||
>                                 ||  GRE tunnel (MTU 1476)
>                                 ||
>                                 ||
>                                 ||
>                              ----------
>                             |  CISCO 2 |
>                              ----------
>                                  |           10.10.20.0/24         ----
>                                  ---------------------------------| PC |
>                                                                    ----
>                                                                 10.10.20.2
> 
> Problem:
> 
>     If the Cisco router CISCO 1 sends an ICMP 3.4 packet to any server on the Internet,
>     natd on the FreeBSD box aliases the data inside the ICMP packet, but not the IP headers.
>     Here is tcpdump output on the xl1 interface:
> 
> 11:56:54.376974 10.10.1.2 > 195.168.3.210: icmp: 10.10.20.2 unreachable - need to frag (mtu 1476)
> 
>    and on the xl0 interface:
> 
> 11:56:55.216974 10.10.1.2 > 195.168.3.210: icmp: 195.168.x.x unreachable - need to frag (mtu 1476)
>                 ^^^^^^^^^                        ^^^^^^^^^^^
>    Is this a bug in natd, or have I made some mistake in the configuration?
> 
This is intentional.

: RCS file: /home/ncvs/src/lib/libalias/alias.c,v
: Working file: alias.c
: head: 1.29
: branch:
: locks: strict
: access list:
: keyword substitution: kv
: total revisions: 41;  selected revisions: 1
: description:
: ----------------------------
: revision 1.23
: date: 2000/09/01 09:32:44;  author: ru;  state: Exp;  lines: +23 -13
: Changed the way we handle outgoing ICMP error messages -- do
: not alias `ip_src' unless it comes from the host an original
: datagram that triggered this error message was destined for.
: 
: PR:           20712
: Reviewed by:  brian, Charles Mott <[EMAIL PROTECTED]>
: =============================================================================

I.e., the original IP datagram that caused this ICMP error message
was not destined for CISCO 1.  (The original datagram's header should
be visible with tcpdump -vv).

Please see PR 20712 for details.


Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
[EMAIL PROTECTED]           Sunbay Software AG,
[EMAIL PROTECTED]          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
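As an added illustration (this is not libalias or natd code, and it is not part of the thread), the Python below builds the ICMP 3/4 packet that CISCO 1 emits in the tcpdump above and applies the rule from the libalias revision quoted in the reply: the private destination inside the quoted datagram is aliased to the public address, while the outer ip_src is aliased only when it is that same destination host. The public address 195.168.0.1 is an assumed stand-in for the redacted 195.168.x.x, the 8 payload bytes in the quoted datagram are constructed, and IPv4 headers are assumed to be a fixed 20 bytes (no options).

```python
"""Added example, not libalias/natd code. Shows why natd rewrites the address
inside an outgoing ICMP error but leaves the outer source alone when the error
comes from an intermediate router rather than from the destination host."""
import ipaddress
import struct

PUBLIC_ADDR = "195.168.0.1"          # assumption: the thread only shows 195.168.x.x
ICMP_ERROR_TYPES = {3, 4, 11, 12}    # unreachable, source quench, time exceeded, param problem


def is_private(addr: str) -> bool:
    return ipaddress.ip_address(addr).is_private


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifying a checksummed block yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def frag_needed(router: str, orig_src: str, orig_dst: str, mtu: int) -> bytes:
    """ICMP type 3 code 4 sent by `router` back to orig_src, quoting the
    original datagram orig_src -> orig_dst (header + 8 bytes, per RFC 792).
    The quoted payload bytes are constructed, not captured."""
    quoted = ipv4_header(orig_src, orig_dst, 6, 1500) + b"\x00" * 8
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, orig_src, 1, 20 + len(icmp)) + icmp


def describe(pkt: bytes) -> tuple:
    """(outer_src, outer_dst, quoted_src, quoted_dst) as dotted strings."""
    o_src, o_dst = struct.unpack("!4s4s", pkt[12:20])
    q_src, q_dst = struct.unpack("!4s4s", pkt[40:48])   # quoted header starts at 28
    return tuple(str(ipaddress.ip_address(a)) for a in (o_src, o_dst, q_src, q_dst))


def alias_outgoing_icmp_error(pkt: bytes, public: str = PUBLIC_ADDR) -> bytes:
    """Rewrite an outgoing ICMP error the way the quoted libalias change describes."""
    if pkt[9] != 1 or pkt[20] not in ICMP_ERROR_TYPES:
        return pkt                                  # not an ICMP error: untouched here
    outer_src, outer_dst, q_src, q_dst = describe(pkt)
    # The quoted datagram was inbound and natd had already de-aliased its
    # destination to the private host; put the public address back so the
    # remote peer recognises its own packet (the "195.168.x.x unreachable" above).
    new_q_dst = public if is_private(q_dst) else q_dst
    # Outer ip_src is aliased only when the error comes from the host the quoted
    # datagram was destined for (libalias rev 1.23). An intermediate router such
    # as CISCO 1 therefore keeps its own address, which is what the poster saw.
    new_o_src = public if outer_src == q_dst else outer_src
    icmp = bytearray(pkt[20:])
    icmp[24:28] = ipaddress.ip_address(new_q_dst).packed
    icmp[18:20] = b"\x00\x00"                       # quoted IP header checksum
    icmp[18:20] = struct.pack("!H", checksum(bytes(icmp[8:28])))
    icmp[2:4] = b"\x00\x00"                         # ICMP checksum
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return ipv4_header(new_o_src, outer_dst, 1, len(pkt)) + bytes(icmp)


if __name__ == "__main__":
    # The case from the thread: CISCO 1 reports a too-big packet for 10.10.20.2.
    pkt = frag_needed("10.10.1.2", "195.168.3.210", "10.10.20.2", 1476)
    print("xl1:", describe(pkt))
    print("xl0:", describe(alias_outgoing_icmp_error(pkt)))
    # Counter-case: the destination host itself sends the error.
    pkt = frag_needed("10.10.20.2", "195.168.3.210", "10.10.20.2", 1476)
    print("xl0:", describe(alias_outgoing_icmp_error(pkt)))
```

Run as a script it prints the two tuples for the poster's case (outer source still 10.10.1.2, quoted destination rewritten) and then the counter-case where the error originates at 10.10.20.2 and the outer source is rewritten too. Real libalias also has to handle IP options, truncated quotes and the embedded transport header; this block deliberately stops at the address rule the thread is about.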
