Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Nat reflection and udp

    Scheduled Pinned Locked Moved NAT
    58 Posts 3 Posters 26.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sullrich
      last edited by

      I will just remove.  I am really tired of reflection.

      1 Reply Last reply Reply Quote 0
      • S
        sullrich
        last edited by

        I just commited a change to install both tcp and udp entries for reflection.  I am guessing this was the only bug that you are experiencing but its rather hard to tell from re-reading your text.

        1 Reply Last reply Reply Quote 0
        • A
          aldo
          last edited by

          will check it out again i am getting a little tired of this one now but if you want me to work on it i will
          let you knwo soon

          1 Reply Last reply Reply Quote 0
          • A
            aldo
            last edited by

            OK i made three rules 1 udp only 1 tcp only and one tcp/udp

            19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
            19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
            19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
            19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

            NAT Inbound Redirects

            rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

            Reflection redirects

            rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

            rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

            Reflection redirects

            rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

            rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

            Reflection redirects

            rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
            rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

            the rdr rules and the streams reconcile fine. but the localhost rules are messed up

            NAT Reflection rules

            pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
            pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
            pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
            pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

            as you can see there is nothing on 19001 and on 19002 there should only be tcp and there is nothing on 19003 or 4

            1 Reply Last reply Reply Quote 0
            • S
              sullrich
              last edited by

              Alrighty, thanks.  I just commited a fix for this.

              1 Reply Last reply Reply Quote 0
              • A
                aldo
                last edited by

                ok will test this now. thanks scott your a hard worker. ::)

                1 Reply Last reply Reply Quote 0
                • A
                  aldo
                  last edited by

                  NAT Reflection rules

                  pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
                  pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
                  pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
                  pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

                  the below is same for rdrs and inetd streams

                  rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
                  rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
                  rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
                  rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

                  19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
                  19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
                  19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
                  19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

                  1 Reply Last reply Reply Quote 0
                  • S
                    sullrich
                    last edited by

                    Please test http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.260;content-type=text%2Fplain;only_with_tag=RELENG_1

                    1 Reply Last reply Reply Quote 0
                    • A
                      aldo
                      last edited by

                      less /var/etc/inetd.conf

                      18999  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
                      19000  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
                      19001  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
                      19002  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

                      NAT Inbound Redirects

                      rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
                      rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
                      rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
                      rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002

                      NAT Reflection rules

                      pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state  label "NAT REFLECT: Allow traffic to localhost"
                      pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
                      pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state  label "NAT REFLECT: Allow traffic to localhost"
                      pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state  label "NAT REFLECT: Allow traffic to localhost"

                      very close now

                      1 Reply Last reply Reply Quote 0
                      • S
                        sullrich
                        last edited by

                        Commited.  Either search filter.inc for 18999 and change to 19000 or update to the latest RELENG_1 file.

                        1 Reply Last reply Reply Quote 0
                        • A
                          aldo
                          last edited by

                          ok works but only change the first instance to 19000 leave the second one at 18999

                          1 Reply Last reply Reply Quote 0
                          • S
                            sullrich
                            last edited by

                            Woops.  Please test my latest filter.inc:

                            http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.262;content-type=text%2Fplain;only_with_tag=RELENG_1

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.