    Nat reflection and udp

    58 Posts 3 Posters 25.0k Views
aldo:

That's how I thought it would work. I was wondering where the config was for the streams, so at least I could get it right, test UDP and see if it works.
I use UDP streams using inetd-like ideas in Linux and it works fine.

What file are the streams stored in? I guess a netstat will tell me what is running.

aldo:

@aldo:

    I know there have been some conversations about this in the last while; I just hope someone can conclude it for me.

    On an RC2 box, when NAT reflection is enabled it sends LAN to 127.0.0.1 UDP 8001;
    the other half, though, is 127.0.0.1 TCP 8001 to the OPT1 server.

    I just can't find exactly where this commit was made to CVS.

    Look forward to the reply.

Well, it seems to be physically possible to do this with UDP as well. Would you like me to bug-track this, or will you just remove UDP support?
Sorry, the code is a little hard for me to follow; PHP is not really a strong suit of mine.

Tested streaming UDP through inetd; it seems to be OK, though.

sullrich:

          Please try the latest snapshot.

aldo:

Scott, there have been no changes made since the 07/09/06 snapshot that I used. Where is the code change in relation to this?
Unless I have missed something in the cvstrac.

sullrich:

              Yes, you have missed some items in cvstrac. Please test the latest version.

aldo:

OK, I will check the cvstrac for the items you mention and test it then. Thanks.

aldo:

@aldo:

    OK, upgraded to snapshot 07-09.

    rdr on lan on protocol udp from any to xxx.xxx.xxx.xxx/32 to 127.0.0.1:19006   (this line looks fine)
    pass in on lan on protocol tcp from any to 127.0.0.1:19006   (this line is the problem)

    These rules are not 100% accurate, as they are from memory, but the problem is correct.

    Where does the 127.0.0.1:19006 go to? I would guess it is a stream of some sort, but I cannot seem to find it.
    I guess this is also wrong, as I have added a rule to my user-defined rules like so, with no success:

    pass in on lan on protocol udp from any to 127.0.0.1:19006

    I can try to put some better logging on this; maybe I can get a test up on it tomorrow to give further information.
    Can someone explain to me what happens in the loopback and how it gets to the DMZ server that I am aiming for?

    The DMZ server is working externally and there is nothing hitting it. Please believe me, I have been attempting to get this working right for
    some time in my own world, but with little success, as I am lost in the loopback address routing.

    Regards,

    Alan

sullrich:

Grmbl. At this point we should just disable UDP and add this to the FAQ. Reflection was a mistake from the get-go. Since the sponsor of the feature decided to eat and run, it's really left us in an awkward position to be happy about fixing this pile of crap.

aldo:

I empathise with you anyway, Scott. Give me a few tips and I can look at it; I just need to know how the inetd is called. I am presently guessing it is being called at the command line for each reflection, as I can't find a .conf for it anywhere.

sullrich:

                        Look in /var/etc/inetd.conf

aldo:

Got you.

/etc/inc/filter.inc
OK, line 844 has a case for udp that is empty;
there is another one a little lower than that.

I am still looking for the rest of it.

How much was the bounty for this, Scott? Can we afford to pay it? Was it a big one?

sullrich:

@aldo:

    Got you.

    /etc/inc/filter.inc
    OK, line 844 has a case for udp that is empty;
    there is another one a little lower than that.

The same code handles tcp and udp. This is normal for case-type statements.

@aldo:

    I am still looking for the rest of it.

    How much was the bounty for this, Scott? Can we afford to pay it? Was it a big one?

$1500

sullrich:

                              aldo, please check out http://cvstrac.pfsense.com/chngview?cn=14258

aldo:

OK, one last question: how do I reload the /tmp/rules.debug? Will come back to you tomorrow.

aldo:

Sorted. It looks impossible with the nc bit on the end.

aldo:

Think I have it, Scott.

    19000 stream udp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 161

This nc needs a -u option to get UDP,

as per

http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1&manpath=OpenBSD+3.9

The only other error that I saw was to do with this line, which you seem to be working on. This line always shows up as tcp, not udp:

    pass in quick on $lan inet proto tcp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

aldo:

Line 919:

    fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 {$target} {$loc_pt}\n");

Change this to:

    fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 -u {$target} {$loc_pt}\n");

The problem with this seems to be that this line, even though the case is udp, sets both tcp and udp streams???? I am sure you might know what this means.

Line 1891:

    $ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";

Change this to:

    $ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";

Hope it helps. Alan

sullrich:

                                        Please issue these commands to test:

                                        fetch -o /etc/inc/ http://www.pfsense.com/~sullrich/filter.inc
                                        /etc/rc.filter_configure

aldo:

    switch($rule['protocol']) {
        case "tcp/udp":
            $protocol = "{ tcp udp }";
            $ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
            $ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
            break;
        case "tcp":
        case "udp":
            $protocol = $rule['protocol'];
            $ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
            break;
        default:
            break;
    }

You need to add the case for tcp; otherwise tcp gets the udp case set.

The stream looks good, but the localhost rule needs the tcp case filled in. I tested this and it worked fine:

        case "tcp":
            $protocol = $rule['protocol'];
            $ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
            break;

sullrich:

                                            There is no break, it automatically hits the next case.

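The thread's two findings, as an added example that is not pfSense code and not from either poster: nc needs -u for the UDP inetd stream, and the empty case "tcp" in the switch falls through into the udp body, so a plain TCP reflection gets a UDP pass rule on loopback. The Python below re-implements that generation logic twice (as posted, and fixed), then cross-checks inetd.conf-style text against rules.debug-style text the way one would check /var/etc/inetd.conf against /tmp/rules.debug on the box. The interface name, server addresses and ports are constructed for the demo; the inetd line format and the pf rule text follow what the thread quotes.

```python
"""
Added example, not pfSense code: generate the two pieces of a NAT-reflection
entry discussed in the thread (the inetd.conf line that forwards a loopback
port to the internal server with nc, and the pf rule that lets traffic reach
that loopback port), once with the two bugs the thread found and once fixed,
then cross-check the generated text the way one would check
/var/etc/inetd.conf against /tmp/rules.debug. Addresses and ports are made up.
"""
import re
from dataclasses import dataclass

LABEL = 'label "NAT REFLECT: Allow traffic to localhost"'


@dataclass
class Reflection:
    iface: str         # pf interface macro name, e.g. "lan" (constructed)
    protocol: str      # "tcp", "udp" or "tcp/udp"
    target: str        # internal (DMZ) server address (constructed)
    target_port: int
    local_port: int    # loopback port inetd listens on


def protocols(p):
    return ["tcp", "udp"] if p == "tcp/udp" else [p]


def inetd_line(local_port, proto, target, target_port, udp_flag=True):
    """inetd.conf entry in the format quoted in the thread. nc only speaks UDP
    with -u; udp_flag=False reproduces the original line that omitted it."""
    flags = "-w 20 -u" if (proto == "udp" and udp_flag) else "-w 20"
    return (f"{local_port}\tstream\t{proto}\tnowait/0\tnobody\t"
            f"/usr/bin/nc nc {flags} {target} {target_port}")


def pass_rule(iface, proto, local_port):
    return (f"pass in quick on ${iface} inet proto {proto} from any to "
            f"$loopback port {local_port} keep state {LABEL}")


def generate_buggy(r):
    """Behaviour of the posted switch: case "tcp" has no body and falls through
    into case "udp", whose rule hardcodes proto udp, so a plain TCP entry gets a
    UDP pass rule; and nc is started without -u for UDP. Expanding "tcp/udp"
    into two inetd lines is an assumption of this example."""
    inetd = [inetd_line(r.local_port, p, r.target, r.target_port, udp_flag=False)
             for p in protocols(r.protocol)]
    if r.protocol == "tcp/udp":
        pf = [pass_rule(r.iface, "tcp", r.local_port),
              pass_rule(r.iface, "udp", r.local_port)]
    elif r.protocol in ("tcp", "udp"):
        pf = [pass_rule(r.iface, "udp", r.local_port)]   # fall-through result
    else:
        pf = []
    return inetd, pf


def generate_fixed(r):
    """Each protocol gets its own inetd line (with -u for UDP) and its own rule."""
    inetd = [inetd_line(r.local_port, p, r.target, r.target_port)
             for p in protocols(r.protocol)]
    pf = [pass_rule(r.iface, p, r.local_port) for p in protocols(r.protocol)]
    return inetd, pf


INETD_RE = re.compile(r"^(\d+)\s+\S+\s+(tcp|udp)\s+\S+\s+\S+\s+/usr/bin/nc nc (.*)$")
PF_RE = re.compile(r"proto (tcp|udp) from any to \$loopback port (\d+)")


def find_mismatches(inetd_text, pf_text):
    """Cross-check: every loopback port inetd listens on needs a pass rule for
    the same protocol, every pass rule needs a listener, and UDP listeners
    must run nc with -u. Returns a list of human-readable problems."""
    listeners = {}
    for line in inetd_text.splitlines():
        m = INETD_RE.match(line.strip())
        if m:
            listeners[(int(m[1]), m[2])] = m[3].split()
    allowed = set()
    for line in pf_text.splitlines():
        m = PF_RE.search(line)
        if m:
            allowed.add((int(m[2]), m[1]))
    problems = []
    for (port, proto), nc_args in sorted(listeners.items()):
        if (port, proto) not in allowed:
            problems.append(f"port {port}/{proto}: inetd listens but no pass rule for {proto}")
        if proto == "udp" and "-u" not in nc_args:
            problems.append(f"port {port}/udp: nc invoked without -u")
    for port, proto in sorted(allowed - set(listeners)):
        problems.append(f"port {port}/{proto}: pass rule without a matching inetd listener")
    return problems


def check(r, generator):
    inetd, pf = generator(r)
    return find_mismatches("\n".join(inetd), "\n".join(pf))


if __name__ == "__main__":
    # Constructed entries: a UDP forward like the thread's port 161 one, and a TCP one.
    entries = [Reflection("lan", "udp", "192.168.200.200", 161, 19000),
               Reflection("lan", "tcp", "192.168.200.201", 8001, 19006)]
    for r in entries:
        print(r.protocol, r.local_port, "buggy:", check(r, generate_buggy) or "ok")
        print(r.protocol, r.local_port, "fixed:", check(r, generate_fixed) or "ok")
```

To use find_mismatches on a real box, feed it the contents of /var/etc/inetd.conf and /tmp/rules.debug; any port it reports is a reflection entry whose inetd listener and pf pass rule disagree on protocol, or whose nc will try to talk TCP to a UDP service.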
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.