Trouble setting up NAT with ipfilter

Hello All:
I'm trying to set up a Sunfire V120 as a NAT box but am running into some odd behavior that I can't seem to resolve. I'm hoping someone here can shed some light on the problem.
My V120 has two NICs, eri0 and eri1, and is running Solaris 10, Release 08/07. I have configured eri0 as my public interface and eri1 as my private interface.
I turned on packet forwarding:
routeadm -u -e ipv4-forwarding
I also added the following to /etc/ipf/ipnat.conf:
map eri0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map eri0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map eri0 192.168.0.0/24 -> 0/32
ipfilter is running:
online         10:26:33 svc:/network/ipfilter:default
From another system inside my private network, I can ping machines on the private network and on the public network. However, I cannot ssh or ftp to external addresses, and DNS does not resolve, even though I am able to ping the addresses of the public DNS servers just as I am able to ping any other public and private address.
Thanks in advance for any help one can provide.

I also added the following to /etc/ipf/ipnat.conf:
map eri0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map eri0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map eri0 192.168.0.0/24 -> 0/32

Maybe it should be 192.168.0.0/16 or just "map eri0 0/0 .."? Otherwise OK.

Thanks in advance for any help one can provide.

Check:
# /usr/sbin/ipfstat
# /usr/sbin/ipfstat -nih
# /usr/sbin/ipfstat -noh
Should list status and your inbound and outbound rule sets respectively.
# /usr/sbin/ipnat -l
Should list your NAT rules and active dynamic entries.
# less +F /var/adm/messages
(or wherever you send local0 syslog, if you log)
# /usr/sbin/snoop -rd eri0
# /usr/sbin/snoop -rd eri1
Should show briefly what's on the wire side of ipf. Run both in two windows, compare, and look for leaks of internal addresses on the outside and for missed packets.
Pål
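The three map lines are a conventionally ordered set (proxy, then portmap, then a bare map for everything else), and the open question in the reply is whether /24 is the right source prefix. The script below is an added example, not part of either post and not an IPFilter tool: it parses the map rules of an ipnat.conf and reports rules that cannot do what the poster expects: an inside host that falls outside a rule's source prefix (the /24 versus /16 question), a rule bound to an interface other than the public one, and a bare map rule placed before a portmap or proxy rule it would shadow, since IPFilter applies the first map rule that matches. The file contents, the inside network and the interface name come from the post; the second inside host address (192.168.1.10) and all function names are my own for the example.

```python
import ipaddress
import re

# Constructed copy of the ipnat.conf lines from the post, embedded so the
# check runs offline (hypothetical file contents, not read from /etc/ipf).
SAMPLE_IPNAT_CONF = """\
# eri0 is the public interface; the inside network is 192.168.0.0/24
map eri0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map eri0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map eri0 192.168.0.0/24 -> 0/32
"""

# map <ifname> <src> -> <dst> [portmap ...] [proxy ...]; rdr/bimap lines are ignored.
MAP_RE = re.compile(r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)(?P<rest>.*)$")


def _source_net(text):
    """ipnat's "0/0" shorthand is not a dotted quad, so expand it before ipaddress sees it."""
    if text in ("0/0", "0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)


def parse_map_rules(conf_text):
    """Return the map rules of an ipnat.conf as dicts, in file order (comments stripped)."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = MAP_RE.match(line)
        if not m:
            continue
        options = m.group("rest").split()
        kind = "proxy" if "proxy" in options else "portmap" if "portmap" in options else "plain"
        rules.append({"line": lineno, "ifname": m.group("ifname"),
                      "src": _source_net(m.group("src")), "dst": m.group("dst"), "kind": kind})
    return rules


def check_rules(rules, inside_hosts, public_ifname):
    """Return (line, message) findings; an empty list means nothing looked wrong."""
    findings = []
    for r in rules:
        if r["ifname"] != public_ifname:
            findings.append((r["line"], f"rule is bound to {r['ifname']}, not the public interface {public_ifname}"))
        for host in inside_hosts:
            if ipaddress.ip_address(host) not in r["src"]:
                findings.append((r["line"], f"inside host {host} is outside source prefix {r['src']}: "
                                            "its packets will never match this rule"))
    # IPFilter applies the first map rule that matches, so a plain map rule placed before a
    # portmap/proxy rule with an overlapping source takes all of that rule's traffic.
    for i, r in enumerate(rules):
        if r["kind"] != "plain":
            continue
        for later in rules[i + 1:]:
            if later["kind"] != "plain" and later["src"].overlaps(r["src"]):
                findings.append((later["line"], f"{later['kind']} rule is shadowed by the plain map rule "
                                                f"on line {r['line']} (first matching map rule wins)"))
    return findings


def check_conf(conf_text, inside_hosts, public_ifname):
    """Parse and check in one call; the sample below reports 192.168.1.10 as uncovered by /24."""
    return check_rules(parse_map_rules(conf_text), inside_hosts, public_ifname)


if __name__ == "__main__":
    for lineno, msg in check_conf(SAMPLE_IPNAT_CONF, ["192.168.0.10", "192.168.1.10"], "eri0"):
        print(f"line {lineno}: {msg}")
```

Run it against the real file with the addresses of the hosts that fail (`check_conf(open("/etc/ipf/ipnat.conf").read(), [...], "eri0")`); if it reports nothing, the map rules are not the reason TCP and UDP fail and the filter rules (`ipfstat -nio`) and the captures are the next place to look.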

Similar Messages

  • Is anyone else having trouble setting up Messages with the new Mountain Lion software? I keep getting a notification that I can't sign in and it is saying, check network connection and try again, but I have full Wi-Fi bars, thanks, Justin

    Is anyone else having trouble setting up Messages with the new Mountain Lion software? I keep getting a notification that I can't sign in and it is saying, check network connection and try again, but I have full Wi-Fi bars, thanks, Justin

    Install this to get X11 functionality back in 10.8
    http://xquartz.macosforge.org/landing/
    Worked great for me and others.
    Jerry

  • Trouble setting up X with FreeBSD 7.1 on my Thinkpad T60 1951-FCG

    Hi! 
    I'm having some trouble setting up X on my Thinkpad T60 1951-FCG running FreeBSD 7.1. When I run whatever config, either the one I get from X -configure or one edited after my settings, all I get is a black screen. The screen is a tad bit lighter than when my laptop is powered off though. This effectively locks my laptop up -- the only way I can get out of the "black screen of death" is to SSH in and kill the process, which then turns my monitor into this: http://folk.ntnu.no/sigurdhj/laptop_fail.jpg. The only way I can get back to a normal screen is by rebooting. If I try to start X through SSH, I get prompted with the message: Failed to load DMI info, X60 TV quirk not applied.
    I've given the 'vesa' driver a go as well; with that I can get a picture at least, but still loads of error messages. My monitor works perfectly with Windows XP, Ubuntu, and PC-BSD -- which leads me to believe that my monitor is fine, and that it's just a matter of configuring it right.
    After reading 'man intel' I'm thinking it could be something with the setting LVDSFixedMode, but the information about that was just too advanced for me to make anything of. I've included my xorg.conf.new file as well as the Xorg.0.log file.
    Hope there is someone out there bored enough to help me sort this out.
    (xorg.conf: http://folk.ntnu.no/sigurdhj/xorg.conf.new.txt )
    (Xorg.0.log: http://folk.ntnu.no/sigurdhj/Xorg_0_log.txt )
    Cheers,
    Kladd

    If you check the info on the AirPort Utility 5.6.1 download page, this application is for Leopard and Snow Leopard....10.5.7 to 10.6.8
    It will not run on Lion
    Instead, you need to download and install AirPort Utility 5.6 for Mac OS X Lion

  • Having trouble setting up Mail with a POP account

    I am trying to set up Mail with my university's webmail service, and according to their tech page I need to set it to POP. I also made sure that I have the incoming and outgoing mail servers correct, and I've made certain that I am entering my username and password correctly. But when it loads and tries to get my mail it says that the password I supplied is incorrect, but I know that's not true. I am absolutely sure that both the username and password are entered correctly.
    Does anybody know how I might fix this?
    p.s. my girlfriend is having the exact same problem, so it isn't just me entering something wrong

    I know you said the usernames/passwords are correct but, (if you can), login via webmail using those same strings, see if that works.
    Write the text to a note and copy and paste from there so you are sure you've not input something wrongly.
    Failing that do a quick keychain first aid too.
    If that doesn't work then I'm out of ideas (for now at least).

  • Having trouble setting up headset with microphone

    Hi,
    I own a satellite A135 that is currently running on Windows Vista Home Edition. I tried using a headset with mic but somehow the mic always turns to mute after I've exited the set-up page. I'm starting to get frustrated, particularly since I need to talk with someone using Skype. Please help.
    Thanks

    I have this issue, too. Did you find a solution since you first posted?

  • Having trouble setting up router with verizon modem

    I'm trying to set up my Linksys router WRT54GS with my Verizon DSL modem. I'm having a hard time.

    Try these steps:
    Access the setup page of the router by launching a browser and typing 192.168.1.1 in the address bar, then press Enter. When it prompts for the username and password, leave the username field empty and provide the password "admin" (without quotes), then click OK.
    On the main setup page the "Internet Connection Type" should be "Obtain IP Automatically - DHCP". Click on the Save Settings button.
    Now click on the sub tab "MAC address clone".
    - Click on Enable
    - Click Clone and click Save Settings
    Check the WAN IP on the Status page of the router.
    If you are getting a valid IP, try going online.
    If you are getting an IP of 192.168.1.X, change the LAN IP to 192.168.2.1, power cycle for 3-4 minutes, and try going online.
    If it is still not working, use Internet Connection Type PPPoE with the username and password provided by your service provider. Click Save Settings.
    Look for the WAN IP address again under the Status page.
    Hope it works for you.

  • Having trouble setting up sonos with my airport extreme

    After setting up the airport extreme I can no longer access my wireless sonos speakers. The bridge is connected to the airport and that's fine but it won't recognize the wireless speakers. I think it is probably a config issue. On my old router I could set up a channel for sonos to use but can't seem to find how to do this on the airport or if it is possible? Anyone have any ideas? or are familiar with Sonos? Thanks

    I have this issue, too. Did you find a solution since you first posted?

  • Having trouble setting up e-mail on new iPhone 4s. I would like to sync with my outlook mail, contacts

    I am having trouble setting up my email and syncing my Outlook calendar with my new iPhone 4s.

    How do you connect to the internet?
    Most of the time, the problem lies here. You can try a couple of things. First, try only 3G or carrier data. Then, try only wifi. If that still doesn't work, your only other option is to try a different hotspot.
    I had the same problem before when I updated to iOS 4.3. I thought it was the update at first. I usually have the carrier data turned off because my plan doesn't have an unlimited provision for it. I forgot that I also switched ISPs from DSL to a visibility unit package - meaning I had to setup my laptop so that I could get wifi from it. I realized this when I visited a friends house that I knew I could connect properly before.
    My problem was with my laptop. It seems that Little Snitch blocks the ports being used for mail and push notifications. I haven't figured it out exactly since I still can't get email when I'm using my laptop connection. But, it works fine when I'm using ONLY 3G or both/wifi only if connected to a different hotspot.
    Hope that helps.

  • Having trouble setting up a linksys WRT54GS router with v...

    Having trouble setting up a Linksys WRT54GS router with Verizon DSL using a Westell 6100F modem. The modem works fine by itself, but the router will not connect to the internet when installed like the CD tells you to.
    Online help and phone help have been less than helpful; anyone have any ideas?

    OK, I found "Installing the Linksys wireless router with a Westell 6100 modem" in the Verizon troubleshooting guides. Printed the instructions so I wouldn't forget. Step 1: open your web browser and enter http://192.168.1.1 in the address field. PROBLEM: it comes up with a login screen that I don't know how to sign into. Tried the obvious stuff. Cannot get past the login screen. I knew this sounded too easy to be true. Anyone have any ideas?

  • Setting my NAT for use with XBOX 360

    I am having an issue with playing with certain friends on xbox live where their NAT is usually Moderate. Mine seems to fluctuate randomly between Open and Moderate and our connections always seem much better when they are both Moderate (they are the limiting factor, I think it's their ISP). I would like to know how to set the Time capsule so I can set my NAT to Moderate when I play with these folks and back to open other times. I know how to go into the 360 network settings and then I go into manual network setup, but I don't know the numbers to type in, and I also don't know how to connect to the time capsule's setting page. Is that on the web or is that a preference page on the mac somewhere. I haven't been able to find anything online on how to set the NAT to moderate, as I understand OPEN is generally better in most circumstances, any help would be much appreciated.

    The TC can be used in bridge mode plugged into the router.
    Yes, I should have been more clear. When you turn NAT "off", the TC will be in Bridge Mode. But, only one device will be able to connect to the Internet in this setting. If that device is the Xbox, fine.....but other users might not be pleased about this if they want to connect to the Internet as well.
    I think LaPastenagure nailed it when he noted that Apple products do not appear on the list of Xbox compatible devices.
    Xbox LIVE Compatible Hardware - Xbox.com

  • Having trouble setting up my website. It's probably a silly mistake.

    So I've registered a domain and hosting plan with A Simple Orange, which had a pretty good deal since I had a coupon for 20% off. I've tried using Joomla to manage my website, but I couldn't get the hang of it. So I'm trying out iWeb '09 now and just having trouble setting it up. I've gone to me.com and added my website and added the CNAME correctly, I hope. Here is a picture. http://imgur.com/XI8Lw.png
    Next I opened iWeb and set up MobileMe in the preferences panel. I've tried publishing the information from iWeb to my website, but my home page doesn't change. You can see here at RyanSchefer.com that it's just plain

    No. Your CNAME setting is not correct. The CNAME and web.me.com are correct with web.me.com being your host. However, your domain name is incorrect - don't understand why you have put mobileme before it? You just enter either your domain name on its own so domain.com or you need to set up two separate CNAME entries, one being for www, CNAME, web.me.com and then one being @, CNAME, web.me.com. The @ stands for your domain name and the www is your sub domain.
    Try altering this and it should work okay.

  • Having trouble setting up email accounts in the mail app?

    Hi Apple community,
         I am having trouble setting up my email accounts with the OS X Mail application. I have two accounts, an Outlook one and my college email through Google. When I try to add the Outlook account the prompt says that it cannot connect to the server, and when I try my college mail I get the following prompt.
    "Trying to log in to the Exchange server “autodiscover-s.outlook.com” failed. Make sure the email address and password you entered are correct, then click Continue."
    Please note that my college account is run by gmail and ends in murraystate.edu
    Thanks, Will.

    Hey Will,
    OK, for your college email, here's what you do.
    Try adding your email and wait for the message to come up
    Trying to log in to the Exchange server “autodiscover-s.outlook.com” failed. Make sure the email address and password you entered are correct, then click Continue."
    Once it does, you will notice 2 extra boxes One says username and the other password. You will notice that the username will not have @murraystate.edu
    Add this and continue and this should now be added as an email account and should be able to receive emails as normal.
    For your outlook emails, I would recommend using the following article to set it up. It is fairly straightforward.
    http://howto.cnet.com/8301-11310_39-57602775-285/how-to-set-up-mac-mail-to-use-imap-for-outlook.com/
    Hope that helps.

  • Having trouble setting up FaceTime.   keep giving me Apple ID password

    Having trouble setting up FaceTime. Trouble at verifying user ID. I have my email set up with a different password since I have tw setup email. My Apple ID has a different password, same email name.

    Hello sangjaimepark,
    Thank you for the details of the issue you are experiencing with activating FaceTime.  I recommend reviewing the article below for FaceTime activation issues.  When trying to activate FaceTime, you will need to use the email address you use for your Apple ID and your Apple ID password and not your email password:
    iOS: Troubleshooting FaceTime and iMessage activation
    http://support.apple.com/kb/ts4268
    Thank you for using Apple Support Communities.
    Best,
    Sheila M.

  • Having trouble setting up network

    Hi guys,
    I just recently moved to a new house and am having trouble setting up the network with my airport extreme. There is a cable modem that is networked to the house so that every room has an outlet.
    I connected the airport to one of the outlets with my macbook and when I create network, I cannot connect to the internet wirelessly even though the macbook detects a network when I set it up with bridge mode. But hard wired through the router I can surf the web as I am doing right now.
    When I hit share an IP address, the internet does not work at all. It seems to work fine with my old netgear router, but would prefer using the airport.
    I've also reset the airport as well with still no luck. Any help would be appreciated. Thanks

    Have you tried powering down the modem for 5 min and then turning on with the ethernet connected to the WAN port of airport extreme?

  • [Solved] 1:1 nat with iptables

    I've got a host with 2 qemu virtual machines in it. They're set up bridged with a tap interface so they both have their own IP address and are accessible from the outside.
    Their IPs are:
    VM1: 10.1.0.10
    VM2: 10.1.0.11
    Netmask for both: 255.255.255.0
    Now I am trying to add iptables rules to the host machine to nat both virtual machines to subnet 172.16.0.0/24. I use the following rules for this.
    iptables -P FORWARD DROP
    iptables -A FORWARD -s 10.1.0.0/24 -j ACCEPT
    iptables -A FORWARD -d 10.1.0.0/24 -j ACCEPT
    iptables -A INPUT -s 10.1.0.0/24 -j ACCEPT
    iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.0.10 -j SNAT --to 172.16.0.10
    iptables -t nat -A POSTROUTING -s 10.1.0.11 -j SNAT --to 172.16.0.11
    The host machine has 3 interfaces.
    Eth0 which is the external interface connected to the internet
    Tap0 which is the tap interface for the first VM
    Tap1 which is the tap interface for the second VM
    These are all added to a bridge called br0 that has the external connection set up.
    When I try to ping google from inside VM1, I see this going through tap0.
    10113.790379 10.1.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
    10113.834219 Cisco_42:4f:60 -> Broadcast ARP Who has 172.16.0.10? Tell 172.16.0.1
    And this through eth0.
    10348.090665 172.16.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
    10348.134424 Cisco_42:4f:60 -> Broadcast ARP Who has 172.16.0.10? Tell 172.16.0.1
    So apparently the source nat is properly happening when the dns request for google goes out but then the response doesn't know where to find 172.16.0.10.
    Does anyone know how to solve this? Perhaps through virtual interfaces? If possible, I would like to handle this on the host OS without tinkering with the VM's internal network settings.
    Last edited by Metallion (2011-03-30 06:58:41)

    iptables -nvL
    Chain INPUT (policy ACCEPT 367 packets, 38976 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 10.1.0.0/24 0.0.0.0/0
    0 0 ACCEPT all -- * * 172.16.0.0/24 0.0.0.0/0
    Chain FORWARD (policy DROP 209 packets, 60314 bytes)
    pkts bytes target prot opt in out source destination
    445 125K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
    0 0 ACCEPT all -- * * 10.1.0.0/24 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 10.1.0.0/24
    196 53522 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    Chain OUTPUT (policy ACCEPT 163 packets, 24684 bytes)
    pkts bytes target prot opt in out source destination
    iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 4221 packets, 822K bytes)
    pkts bytes target prot opt in out source destination
    4 336 DNAT all -- * * 0.0.0.0/0 172.16.0.10 to:10.1.0.10
    Chain OUTPUT (policy ACCEPT 114 packets, 8403 bytes)
    pkts bytes target prot opt in out source destination
    Chain POSTROUTING (policy ACCEPT 193 packets, 33094 bytes)
    pkts bytes target prot opt in out source destination
    0 0 SNAT all -- * * 10.1.0.10 0.0.0.0/0 to:172.16.0.10
    As you can see, I've set up logging for all the forwarded packets. The outgoing ones are showing up in the log but incoming ones are not.  I tried setting up logging for the prerouting chain too but they still don't show up. Seems like they just aren't dnatted at all. Very strange since their destination clearly is 172.16.0.10.
    Here are the relevant parts of the logs in case it helps. This is what shows when making a dns request for www.google.com
    Mar 25 17:15:18 hanra kernel: [1886767.666360] IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=10.1.0.10 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14428 DF PROTO=UDP SPT=38635 DPT=53 LEN=40
    Mar 25 17:15:18 hanra kernel: [1886767.666395] IN= OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=10.1.0.10 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14428 DF PROTO=UDP SPT=38635 DPT=53 LEN=40
    In tshark it looks like this:
    For eth0:
    19649.108081 172.16.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
    19649.153407 8.8.8.8 -> 172.16.0.10 DNS Standard query response CNAME www.l.google.com A 74.125.235.82 A 74.125.235.80 A 74.125.235.84 A 74.125.235.83 A 74.125.235.81
    For tap0
    19414.807637 10.1.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
    Response arrives on eth0 but isn't dnatted to tap0.
    Last edited by Metallion (2011-03-25 08:25:36)
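Both threads on this page end at the same diagnostic step: capture on the inside and outside interfaces at the same time and compare (snoop -rd eri0 / eri1 in Pål's reply above, tshark on eth0 / tap0 here). The script below is an added example, not code from either thread, that automates that comparison. It reads one-line packet summaries (tshark's format; snoop -r output has the same "src -> dst PROTO ..." shape without the timestamp column) and reports three things: inside addresses visible on the public side (NAT did not rewrite the packet), outbound inside packets with no translated twin on the public side (dropped or never forwarded), and replies that reached the public side but never reappeared inside (the "response arrives on eth0 but isn't DNATted to tap0" case in this thread). The tshark lines are the ones quoted above; the snoop-style lines for the ipfilter case, with 203.0.113.7 standing in for the V120's public address and 198.51.100.9 for an external ssh server, are constructed for the example, and the function names are mine.

```python
import ipaddress
import re
from collections import Counter

# Optional timestamp column, then "src -> dst", then the protocol name. Matches tshark
# summary lines and the one-line form of snoop -r output; ARP lines are skipped below
# because their endpoints are MAC vendor names, not addresses.
SUMMARY_RE = re.compile(r"^\s*(?:\d+\.\d+\s+)?(\S+)\s+->\s+(\S+)\s+(\S+)")

# The two tshark captures quoted in the iptables thread (eth0 = public side, tap0 = inside).
OUTSIDE_IPTABLES = [
    "19649.108081 172.16.0.10 -> 8.8.8.8 DNS Standard query A www.google.com",
    "19649.153407 8.8.8.8 -> 172.16.0.10 DNS Standard query response CNAME www.l.google.com A 74.125.235.82",
]
INSIDE_IPTABLES = ["19414.807637 10.1.0.10 -> 8.8.8.8 DNS Standard query A www.google.com"]

# Constructed snoop-style captures for the ipfilter case: ping is translated correctly,
# the DNS query leaves with its inside source address unrewritten, and the ssh SYN never
# shows up on the public side at all.
INSIDE_IPF = [
    "192.168.0.5 -> 8.8.8.8 ICMP Echo request",
    "8.8.8.8 -> 192.168.0.5 ICMP Echo reply",
    "192.168.0.5 -> 8.8.8.8 DNS C www.example.com. Internet Addr ?",
    "192.168.0.5 -> 198.51.100.9 TCP D=22 S=40122 Syn",
]
OUTSIDE_IPF = [
    "203.0.113.7 -> 8.8.8.8 ICMP Echo request",
    "8.8.8.8 -> 203.0.113.7 ICMP Echo reply",
    "192.168.0.5 -> 8.8.8.8 DNS C www.example.com. Internet Addr ?",
]


def parse_summary(lines):
    """Turn summary lines into (src, dst, PROTO) tuples, ignoring non-IP lines such as ARP."""
    flows = []
    for line in lines:
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        src, dst, proto = m.groups()
        try:
            flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.upper()))
        except ValueError:
            continue
    return flows


def leaked_inside_addresses(outside, inside_net):
    """Packets on the public side still carrying an inside address: NAT did not rewrite them."""
    return [f for f in outside if f[0] in inside_net or f[1] in inside_net]


def untranslated_outbound(inside, outside, inside_net):
    """Inside packets bound outward with no twin (same destination, same protocol) on the public side."""
    seen = Counter((d, p) for _, d, p in outside)
    return [f for f in inside if f[0] in inside_net and f[1] not in inside_net and seen[(f[1], f[2])] == 0]


def undelivered_replies(inside, outside, inside_net):
    """Replies to an inside request that reached the public side but never reappeared inside."""
    requested = {(d, p) for s, d, p in inside if s in inside_net and d not in inside_net}
    delivered = {(s, p) for s, d, p in inside if d in inside_net}
    return [f for f in outside if (f[0], f[2]) in requested and (f[0], f[2]) not in delivered]


def compare(inside_lines, outside_lines, inside_cidr):
    """Run all three checks; inside_cidr is the NATted network, e.g. 192.168.0.0/24 or 10.1.0.0/24."""
    net = ipaddress.ip_network(inside_cidr)
    inside, outside = parse_summary(inside_lines), parse_summary(outside_lines)
    return {
        "leaks": leaked_inside_addresses(outside, net),
        "untranslated": untranslated_outbound(inside, outside, net),
        "undelivered": undelivered_replies(inside, outside, net),
    }


if __name__ == "__main__":
    for label, result in (("iptables thread", compare(INSIDE_IPTABLES, OUTSIDE_IPTABLES, "10.1.0.0/24")),
                          ("ipfilter case", compare(INSIDE_IPF, OUTSIDE_IPF, "192.168.0.0/24"))):
        print(label)
        for check, flows in result.items():
            for src, dst, proto in flows:
                print(f"  {check}: {src} -> {dst} {proto}")
```

Feed it the two capture files (`compare(open("inside.txt"), open("outside.txt"), "192.168.0.0/24")`). Matching is on destination address and protocol name only, because the columns that carry ports differ between snoop and tshark, so treat each hit as a packet to look up in the full capture rather than as proof. The check takes the actual inside prefix instead of all of RFC 1918 on purpose: if the NAT box's public side is itself behind another NAT, a blanket private-address check would flag every packet.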
