Forum Topic - bi-directional nat mapping (3 items)

bi-directional nat mapping
I have a system with multiple processors running QNX.  One processor has a public network connection.  This processor 
also has a private network connection to the other processors (implemented via PCIe shared memory).  My private network 
devices have addresses in the 192.168.*.* space.  

I can ping between all the computers on the private side just fine.

Now I want to use bi-directional NAT to allow computers on the public side to connect to servers running in the private 
side processors.  I've started the packet filter with the command 'mount -Tio-pkt lsm-pf-v4.so' and loaded the packet 
config file using the command 'pfctl -f pf.conf -e'.  My pf.conf file contains

    binat on wm0 from 192.168.0.1 to any -> 141.121.195.16

where 141.121.195.16 is the IP address of the public side and 192.168.0.1 is the IP address of the PCIe shared memory 
device.  

A second computer on the private side has an IP address of 192.168.0.2.  I would expect to be able to ping from this 
second computer another computer on the public side but it doesn't work.  Also, I would expect to be able to ping the 
private computer from the public side by pinging 141.121.195.17 but this doesn't work either.

What's wrong with my pf.conf entry?
Re: bi-directional nat mapping  
Hi,

I haven't really played much with pf in NAT configurations but as I 
understand the binat rule, it is a one-to-one mapping between the two 
addresses. I.e. any packet sent from the public side to the public 
address (141.121.195.16 in your case) will be mapped to the internal 
address (192.168.0.1 in your case) and the reverse. So you cannot have 
other internal addresses (like 192.168.0.2 in your case) also share the 
public address (141.121.195.16 in your case).

When you think about it, this makes a lot of sense. When a packet from 
the public side addressed to the public address arrives at the node with 
the binat rule, it needs to translate the destination address to an 
internal address, but to which internal address? As you have written 
your rule, your ping packets' destination address 141.121.195.16 will 
get translated to the 192.168.0.1 address and be processed by that 
interface; the binat rule cannot magically know that sometimes you 
intended to ping 192.168.0.2 on the internal network.

If you meant to say that on the public side you are pinging to the 
private address 192.168.0.2 and expecting that to be sent to the 
141.121.195.16 and get binat'ed, then that's just wrong. The problem is, 
it's a private address, so its meaning is ambiguous on the public 
side. It is only for use inside the private network. Usually those 
packets go into the big black hole, and if not, they probably aren't 
going where you intended...

I'm guessing that what you probably want to do is use a regular NAT and 
maybe port forwarding to make some internal nodes reachable on some 
ports of the external address.

Hope this helps,
/P


On 22/04/10 04:48 PM, gary anderson wrote:
> I have a system with multiple processors running QNX.  One processor has a public network connection.  This processor 
> also has a private network connection to the other processors (implemented via PCIe shared memory).  My private network 
> devices have addresses in the 192.168.*.* space.
>
> I can ping between all the computers on the private side just fine.
>
> Now I want to use bi-directional NAT to allow computers on the public side to connect to servers running in the 
> private side processors.  I've started the packet filter with the command 'mount -Tio-pkt lsm-pf-v4.so' and loaded the 
> packet config file using the command 'pfctl -f pf.conf -e'.  My pf.conf file contains
>
>      binat on wm0 from 192.168.0.1 to any ->  141.121.195.16
>
> where 141.121.195.16 is the IP address of the public side and 192.168.0.1 is the IP address of the PCIe shared memory 
> device.
>
> A second computer on the private side has an IP address of 192.168.0.2.  I would expect to be able to ping from this 
> second computer another computer on the public side but it doesn't work.  Also, I would expect to be able to ping the 
> private computer from the public side by pinging 141.121.195.17 but this doesn't work either.
>
> What's wrong with my pf.conf entry?
>
> _______________________________________________
>
> Networking Drivers
> http://community.qnx.com/sf/go/post52425

Re: bi-directional nat mapping  
If possible I'd like the processor with the single ethernet connection to support multiple IP addresses -- one for itself 
and then have the others forwarded to the processors on the private network (essentially a NAT router).
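To make the two points in the thread concrete (binat is a strict one-to-one mapping, so a second private node needs either its own public address or a regular many-to-one nat plus rdr port forwarding), here is an added example pf.conf. It is not from the thread, QNX, or either poster; it uses the classic pf syntax that lsm-pf-v4.so accepts. The interface name wm0 and all addresses come from the thread; the port numbers, the ifconfig alias command and the forwarding sysctl are assumptions for illustration.

```pf
# Added example pf.conf (not from the thread). Interface and addresses are
# the ones named in the posts; port numbers are assumed for illustration.
ext_if   = "wm0"
priv_net = "192.168.0.0/24"

# Option A (what the follow-up post asks for): one public address per
# private node. binat is one-to-one, so each node gets its own rule, and
# each public address must also exist on wm0 as an alias (assumed command:
# 'ifconfig wm0 141.121.195.17 alias'). Without the alias the node never
# answers ARP for 141.121.195.17 and inbound packets die upstream, which is
# why pinging .17 fails with only the single binat rule from the thread.
binat on $ext_if from 192.168.0.1 to any -> 141.121.195.16
binat on $ext_if from 192.168.0.2 to any -> 141.121.195.17

# Option B (what the reply suggests): a single shared public address.
# 'nat' rewrites the source of outbound packets many-to-one, so 192.168.0.2
# can reach the public side; 'rdr' forwards chosen inbound ports to chosen
# private nodes, the only way a shared address can reach several internal
# hosts. Use A or B, not both; these lines are disabled while A is active.
# nat on $ext_if from $priv_net to any -> 141.121.195.16
# rdr on $ext_if proto tcp from any to 141.121.195.16 port 2222 -> 192.168.0.2 port 22

# Translation alone passes nothing. Filtering runs after translation, so the
# 'pass in' rules name the private (post-translation) destination. Default
# deny inbound, allow outbound, and open only what is expected; 'keep state'
# lets the replies back in.
block in on $ext_if all
pass out on $ext_if all keep state
pass in on $ext_if proto tcp from any to 192.168.0.2 port 22 keep state
pass in on $ext_if inet proto icmp from any to $priv_net icmp-type echoreq keep state
```

Load it the way the thread does (`pfctl -f pf.conf -e`) and check the result with `pfctl -s nat` (translation rules as parsed) and `pfctl -s state` (live translated connections). The node must also route between wm0 and the PCIe interface; on a NetBSD-derived stack that is `net.inet.ip.forwarding=1` via sysctl, which is assumed here to apply to QNX io-pkt as well. Keeping the inbound default-deny is the important part: a binat or rdr rule exposes a private node to the public side, and the pass rules are what limit that exposure to the intended service.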