Patrik Lahti
Re: bi-directional nat mapping
04/23/2010 9:46 AM
post52514
Hi,

I haven't really played much with pf in NAT configurations but as I
understand the binat rule, it is a one-to-one mapping between the two
addresses. I.e. any packet sent from the public side to the public
address (141.121.195.16 in your case) will be mapped to the internal
address (192.168.0.1 in your case) and the reverse. So you cannot have
other internal addresses (like 192.168.0.2 in your case) also share the
public address (141.121.195.16 in your case).

When you think about it, this makes a lot of sense. When a packet from
the public side addressed to the public address arrives at the node with
the binat rule, it needs to translate the destination address to an
internal address, but to which internal address? As you have written
your rule, your ping packets' destination address 141.121.195.16 will
get translated to the 192.168.0.1 address and be processed by that
interface; the binat rule cannot magically know that sometimes you
intended to ping 192.168.0.2 on the internal network.

If you meant to say that on the public side you are pinging the
private address 192.168.0.2 and expecting that to be sent to
141.121.195.16 and get binat'ed, then that's just wrong. The problem is,
it's a private address, so its meaning is ambiguous on the public
side. It is only for use inside the private network. Usually those
packets go into the big black hole, and if not, they probably aren't
going where you intended...

I'm guessing that what you probably want to do is use a regular NAT and
maybe port forwarding to make some internal nodes reachable on some
ports of the external address.

Hope this helps,
/P
On 22/04/10 04:48 PM, gary anderson wrote:
> I have a system with multiple processors running QNX. One processor has a public network connection. This processor
> also has a private network connection to the other processors (implemented via PCIe shared memory). My private network
> devices have addresses in the 192.168.*.* space.
>
> I can ping between all the computers on the private side just fine.
>
> Now I want to use bi-directional NAT to allow computers on the public side to connect to servers running in the
> private side processors. I've started the packet filter with the command 'mount -Tio-pkt lsm-pf-v4.so' and loaded the
> packet config file using the command 'pfctl -f pf.conf -e'. My pf.conf file contains
>
> binat on wm0 from 192.168.0.1 to any -> 141.121.195.16
>
> where 141.121.195.16 is the IP address of the public side and 192.168.0.1 is the IP address of the PCIe shared memory
> device.
>
> A second computer on the private side has an IP address of 192.168.0.2. I would expect to be able to ping from this
> second computer another computer on the public side but it doesn't work. Also, I would expect to be able to ping the
> private computer from the public side by pinging 141.121.195.17 but this doesn't work either.
>
> What's wrong with my pf.conf entry?
>
> _______________________________________________
>
> Networking Drivers
> http://community.qnx.com/sf/go/post52425
gary anderson
Re: bi-directional nat mapping
04/23/2010 10:18 AM
post52525
If possible I'd like the processor with the single ethernet connection to support multiple IP addresses -- one for itself
and then have the others forwarded to the processors on the private network (essentially a NAT router).
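The two approaches Patrik describes (one-to-one binat with a dedicated public address per internal host, versus a regular many-to-one nat plus rdr port forwarding on a single public address), written out as an added pf.conf example in the same OpenBSD-era pf syntax as the rule quoted above. This is not the poster's configuration and not code from the QNX project: it assumes the same interface wm0 and the addresses from the thread, and the second and third public addresses (141.121.195.17, .18), the extra private host 192.168.0.3 and the port numbers are assumptions chosen for illustration. Note that the original rule mapped 192.168.0.1, which is the NAT box's own PCIe-side address, so no rule covered 192.168.0.2; the binat rules here map the other hosts instead.

```pf
# Added example; not the poster's pf.conf. Interface, 141.121.195.16 and the
# 192.168.0.0/24 range come from the thread; everything else is assumed.
ext_if      = "wm0"
public_self = "141.121.195.16"     # the NAT box keeps this address for itself
priv_net    = "192.168.0.0/24"

# --- Approach A: one-to-one binat, one public address per private host ---
# Each public address must be reachable on $ext_if (configured as an alias,
# see the note below). Packets to 141.121.195.17 are rewritten to
# 192.168.0.2 and replies are rewritten back; same for .18 <-> .3.
# 141.121.195.17 and .18 are assumed addresses for illustration.
binat on $ext_if from 192.168.0.2 to any -> 141.121.195.17
binat on $ext_if from 192.168.0.3 to any -> 141.121.195.18

# --- Approach B: many-to-one nat plus rdr port forwarding ---
# Outbound: every private host shares the box's own public address; pf
# rewrites the source port so replies can be matched back to the right host.
# (binat rules are matched before nat for outbound packets, so the hosts
# above still leave with their dedicated address.)
nat on $ext_if from $priv_net to any -> $public_self

# Inbound on a single shared address, the only thing that can select an
# internal host is the destination port, hence one rdr per service.
# Ports 8022/8080 and the internal services are assumed values.
rdr on $ext_if proto tcp from any to $public_self port 8022 -> 192.168.0.2 port 22
rdr on $ext_if proto tcp from any to $public_self port 8080 -> 192.168.0.3 port 80

# --- Filter rules are evaluated after translation ---
# Allow only the forwarded services in; everything else to the private
# side from the public interface is dropped by the default block.
block in on $ext_if from any to $priv_net
pass  in on $ext_if proto tcp from any to 192.168.0.2 port 22 keep state
pass  in on $ext_if proto tcp from any to 192.168.0.3 port 80 keep state
pass  in on $ext_if inet proto icmp from any to 192.168.0.2 icmp-type echoreq keep state
pass  out on $ext_if keep state
```

Load it with the command already used in the thread (`pfctl -f pf.conf -e`); `pfctl -nf pf.conf` parses the file without loading it, which is a cheap way to catch syntax errors first. For approach A to work the box must actually answer for the extra public addresses, which on a NetBSD-derived stack such as io-pkt is normally done by adding them as interface aliases (assumed syntax: `ifconfig wm0 inet 141.121.195.17 netmask 255.255.255.255 alias`), and in both approaches the private hosts need the NAT box's PCIe address (192.168.0.1) as their default route and IP forwarding enabled on the box (assumed sysctl: `net.inet.ip.forwarding=1`); none of those steps are in the original post.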