Netgate Discussion Forum
    Nat reflection and udp

    58 Posts 3 Posters 26.1k Views
sullrich:

      Rerun the commands that I mentioned earlier.  I have updated the file to cover the tcp case either way.

      I know for a fact that if other devs catch wind of this they are not going to like it.  I would have to agree with them, this should not be necessary.

aldo:

I see the issue Scott.

Make the udp case empty above the tcp case and fill in the tcp case, but then look at your working cases in the rdr sections; there is the issue.
I reran the commands but there is an error in filter.inc on 389 or thereabouts now as well; I fixed an if that was missing an I.

Roll it back Scott, I will work on it tomorrow. I understand what you are trying to achieve now and how you should do it using your method.
I will have better resources tomorrow; I am at home at the moment and it is 1am.

I will send you the diffs tomorrow for your review.

aldo:

OK, I think you will be happy with the localhost rules but not so pleased with the nc inetd bits.
Have a look and let me know.

It works perfectly and that was my goal.

          filter.inc.txt

sullrich:

            Looks like you started with a dated filter.inc.

            Can you:

            #1 update your filter.inc and make the changes again
            #2 send a diff -u patch?  I need to also make these changes in -HEAD which this will assist with

aldo:

Will do it tomorrow for you; got it working on a 7-9-06 box.

So will diff for you when I can.

sullrich:

You need to include the latest and greatest filter.inc.

                http://pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?only_with_tag=RELENG_1

aldo:

Synced my dev build just now and rebuilt; diff attached.

                  diff2-filter.inc.txt

sullrich:

Thanks, I've committed a slightly different version.

                    $rule['protocol'] should be used instead of the hard coded udp value since that case can trip for tcp or udp.

aldo:

OK, will test this case for you.
Thanks for wasting all that time Scott, I know what to do next time.

aldo:

                        THE BAD NEWS ON REFLECTION

                        ##########################
TEST WITH SCOTT'S COMMITTED FILTER.INC
                        ##########################

                        #######
                        TEST1
                        udp rule
                        ########

                        NAT Inbound Redirects

                        rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

                        Reflection redirects

                        rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

                        NAT Reflection rules

                        pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

                        Inetd conf
                        19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

                        ##########
                        TEST 2
                        tcp rules
                        ##########

                        NAT Inbound Redirects

                        rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

                        Reflection redirects

                        rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

                        NAT Reflection rules

                        pass in quick on $lan inet proto udp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

                        Inetd conf
                        19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

                        ############
                        TEST3
                        tcp - udp rule
                        ############

                        NAT Inbound Redirects

                        rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

                        Reflection redirects

                        rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004

                        NAT Reflection rules

                        pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
                        pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

                        Inetd conf
                        19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

                        #############################

TEST WITH ALAN'S FILTER.INC using the variable in the udp case

                        ############################

                        #######
                        TEST1
                        udp rule
                        ########

                        NAT Inbound Redirects

                        rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

                        Reflection redirects

                        rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

                        NAT Reflection rules

                        pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

                        Inetd conf
                        19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

                        ##########

                        TEST 2
                        tcp rules
                        ##########

                        NAT Inbound Redirects

                        rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

                        Reflection redirects

                        rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

                        NAT Reflection rules

                        pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

                        Inetd conf
                        19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

                        ############
                        TEST3
                        tcp - udp rule
                        ############

                        NAT Inbound Redirects

                        rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

                        Reflection redirects

                        rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004

                        NAT Reflection rules

                        pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
                        pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

                        Inetd conf
                        19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

Conclusion: it just does not work the way you want it to.
Ports are not lining up right; tcp/udp should use two nc ports and not one.
I think you should remove the feature or really look hard at it.

sullrich:

                          I will just remove.  I am really tired of reflection.

sullrich:

I just committed a change to install both tcp and udp entries for reflection.  I am guessing this was the only bug that you are experiencing but it's rather hard to tell from re-reading your text.

aldo:

Will check it out again. I am getting a little tired of this one now, but if you want me to work on it I will.
Let you know soon.

aldo:

OK, I made three rules: one udp only, one tcp only and one tcp/udp.

                                19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
                                19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
                                19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
                                19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

                                NAT Inbound Redirects

                                rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

                                Reflection redirects

                                rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

                                rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

                                Reflection redirects

                                rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

                                rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

                                Reflection redirects

                                rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
                                rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

The rdr rules and the streams reconcile fine, but the localhost rules are messed up.

                                NAT Reflection rules

                                pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
                                pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
                                pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
                                pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

As you can see there is nothing on 19001, on 19002 there should only be tcp, and there is nothing on 19003 or 4.

sullrich:

Alrighty, thanks.  I just committed a fix for this.

aldo:

OK, will test this now. Thanks Scott, you're a hard worker. ::)

aldo:

                                      NAT Reflection rules

                                      pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
                                      pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
                                      pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
                                      pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

The below is the same for rdrs and inetd streams.

                                      rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
                                      rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
                                      rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
                                      rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

                                      19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
                                      19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
                                      19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
                                      19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

sullrich:

                                        Please test http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.260;content-type=text%2Fplain;only_with_tag=RELENG_1

aldo:

                                          less /var/etc/inetd.conf

                                          18999  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
                                          19000  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
                                          19001  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
                                          19002  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

                                          NAT Inbound Redirects

                                          rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
                                          rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
                                          rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
                                          rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002

                                          NAT Reflection rules

                                          pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state  label "NAT REFLECT: Allow traffic to localhost"
                                          pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
                                          pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state  label "NAT REFLECT: Allow traffic to localhost"
                                          pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state  label "NAT REFLECT: Allow traffic to localhost"

Very close now.

sullrich:

Committed.  Either search filter.inc for 18999 and change to 19000 or update to the latest RELENG_1 file.

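What aldo is reconciling by hand in each of his test posts is three generated artifacts that must agree on loopback port and protocol for every reflected rule: the pf rdr that sends LAN traffic to 127.0.0.1:PORT, the pf pass rule that lets that traffic reach $loopback, and the inetd line that makes nc listen on PORT and proxy to the internal host. If any one of the three is off by one port or one protocol the reflected connection is dropped or lands on the wrong nc, and a pass rule or listener with no matching rdr is an open loopback port nothing should be using. The script below is an added example, not pfSense's filter.inc code or anything posted in the thread (it is Python rather than filter.inc's PHP so it can be run as-is); it parses the three artifacts in the exact text format the posts show, reports every (port, proto) that is not present in all three, and includes a small generator that allocates one loopback port per (rule, protocol) so a tcp/udp rule consumes two ports, which is the allocation the thread settles on. The SAMPLE_* strings are copied in shape from the "Very close now" post above, and the RULES list, the regexes and all function names are my own assumptions.

```python
"""Reconcile the three artifacts pfSense's NAT reflection generates per rule:
pf rdr -> 127.0.0.1:PORT, pf pass ... $loopback port PORT, and the inetd nc line.
Every (port, proto) must appear in all three, or reflection silently breaks."""
import re

# Constructed sample, copied in shape from the "Very close now" post above.
SAMPLE_RDR = """\
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002
"""
SAMPLE_PASS = """\
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"
"""
SAMPLE_INETD = """\
18999  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19000  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19001  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19002  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123
"""

# Assumed patterns, matching the line shapes the thread posts (not pfSense code).
RDR_RE = re.compile(r"rdr on \S+ proto (\{[^}]*\}|\S+) from any to \S+ port \{ (\d+) \}"
                    r" -> 127\.0\.0\.1 port (\d+)")
PASS_RE = re.compile(r"pass in quick on \S+ inet proto (tcp|udp) from any to \$loopback port (\d+)")
INETD_RE = re.compile(r"^(\d+)\s+stream\s+\S+\s+nowait/\d+\s+\S+\s+\S+ nc (-u )?-w \d+ \S+ \d+")


def parse_rdr(text):
    """(loopback port, proto) pairs; a '{ tcp udp }' rdr yields one pair per proto."""
    out = set()
    for m in filter(None, map(RDR_RE.search, text.splitlines())):
        for proto in m.group(1).strip("{} ").split():
            out.add((int(m.group(3)), proto))
    return out


def parse_pass(text):
    return {(int(m.group(2)), m.group(1))
            for m in filter(None, map(PASS_RE.search, text.splitlines()))}


def parse_inetd(text):
    """The protocol nc speaks is decided by its -u flag, not by the inetd proto
    column (the thread's output puts 'tcp/udp' there), so key on the flag."""
    return {(int(m.group(1)), "udp" if m.group(2) else "tcp")
            for m in filter(None, map(INETD_RE.match, text.splitlines()))}


def reconcile(rdr_text, pass_text, inetd_text):
    """Return human-readable mismatches; an empty list means the three agree."""
    rdr, pas, inetd = parse_rdr(rdr_text), parse_pass(pass_text), parse_inetd(inetd_text)
    msgs = []
    msgs += [f"rdr to 127.0.0.1:{p}/{pr} has no pass rule, pf drops it" for p, pr in sorted(rdr - pas)]
    msgs += [f"rdr to 127.0.0.1:{p}/{pr} has no nc listener" for p, pr in sorted(rdr - inetd)]
    msgs += [f"pass rule opens {p}/{pr} on loopback but nothing redirects there" for p, pr in sorted(pas - rdr)]
    msgs += [f"nc listener on {p}/{pr} is never reached" for p, pr in sorted(inetd - rdr)]
    return msgs


# Constructed rule list mirroring the thread's three tests (udp, tcp, tcp/udp).
RULES = [
    {"proto": "udp", "ext": "192.168.50.254", "port": 161, "target": "10.250.100.129"},
    {"proto": "tcp", "ext": "192.168.50.254", "port": 80, "target": "10.250.100.129"},
    {"proto": "tcp/udp", "ext": "192.168.50.254", "port": 123, "target": "10.250.100.129"},
]


def generate(rules, base_port=19000, lan="$lan"):
    """Emit all three artifacts from one counter: each (rule, proto) pair gets
    exactly one loopback port, so a tcp/udp rule consumes two ports, which is
    the allocation the thread settles on. inetd columns mirror the thread's output."""
    rdr, pas, inetd, port = [], [], [], base_port
    for r in rules:
        for proto in r["proto"].split("/"):
            flag = "-u " if proto == "udp" else ""
            rdr.append(f"rdr on {lan} proto {proto} from any to {r['ext']} port {{ {r['port']} }}"
                       f" -> 127.0.0.1 port {port}")
            pas.append(f"pass in quick on {lan} inet proto {proto} from any to $loopback port {port}"
                       f' keep state label "NAT REFLECT: Allow traffic to localhost"')
            inetd.append(f"{port}  stream  {proto}  nowait/0  nobody  /usr/bin/nc nc {flag}-w 20 "
                         f"{r['target']} {r['port']}")
            port += 1
    return "\n".join(rdr), "\n".join(pas), "\n".join(inetd)


if __name__ == "__main__":
    for msg in reconcile(SAMPLE_RDR, SAMPLE_PASS, SAMPLE_INETD):
        print("MISMATCH:", msg)
    print("generated:", reconcile(*generate(RULES)) or "all three artifacts agree")
```

Run against the sample it reports ten mismatches (the rdr side starts at 18999 while the pass rules start at 19000, and the tcp/udp pair has its protocols crossed), which is the same diagnosis aldo reached by eye. On a live box the three inputs are the "Reflection redirects" and "NAT Reflection rules" sections of /tmp/rules.debug and /var/etc/inetd.conf; feeding those to reconcile() after a filter reload is a quicker check than re-reading the rule set, and the pass-without-rdr and listener-without-rdr cases are worth treating as findings in their own right, since each is an unintended open port on loopback that a stray rdr could later reach.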
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.