[plug] Weird problem with losing network responses

Andrew Furey simpware at yahoo.com
Thu Aug 23 15:32:04 WST 2001


Hi folks,

Box A = public server (http://terminus.net.au for
those interested :), on same local (physical) network.
IP 203.25.143.1
Box B = gateway/firewall for internal office. IPs
203.25.143.250 / 192.168.0.254
Box C = standard client box behind gateway box B (it's
really a server, but the function is irrelevant). IP
192.168.0.20
Box D = another client (server) behind B on same
subnet as C. IP 192.168.0.1

Now, if I run tcpdump -n on box A (icmp results piped
through grep to increase S/N ratio), and ping box A
from box D, I get the following output (trimmed for a
few packets only):

203.25.143.250 > 203.25.143.1: icmp: echo request
203.25.143.1 > 203.25.143.250: icmp: echo reply
203.25.143.250 > 203.25.143.1: icmp: echo request
203.25.143.1 > 203.25.143.250: icmp: echo reply
203.25.143.250 > 203.25.143.1: icmp: redirect
   192.168.0.1 to host 192.168.0.1 [tos 0xd0]
203.25.143.250 > 203.25.143.1: icmp: echo request
203.25.143.1 > 203.25.143.250: icmp: echo reply

This is working correctly: the masquerading is
rewriting the packets from D so they appear to be
coming from B. It then rewrites the replies so that D
receives them properly. That all works fine :)

However, pinging from C yields this:

192.168.0.20 > 203.25.143.1: icmp: echo request
203.25.143.1 > 192.168.0.20: icmp: echo reply
192.168.0.20 > 203.25.143.1: icmp: echo request
203.25.143.1 > 192.168.0.20: icmp: echo reply
203.25.143.250 > 203.25.143.1: icmp: redirect
   192.168.0.20 to host 192.168.0.20 [tos 0xc0]
192.168.0.20 > 203.25.143.1: icmp: echo request
203.25.143.1 > 192.168.0.20: icmp: echo reply

As you can see, the public server is seeing the
private IP of box C. Hence it can't route the replies,
which is why C never receives any replies back from A
(or in fact the rest of the internet).

This would appear to be a problem with the
masquerading on B, but there is only one rule for it,
which masquerades the whole subnet. Hence it should
behave the same way for C and D. There are also no
firewall rules on any of the machines which would
interfere with this (as far as I can see).

If anyone has any clues, I'm all ears. I can post more
specific network details if required...

TIA
Andrew
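As an added example (not part of Andrew's post), a small Python check that scans tcpdump icmp output captured on a public host and flags any RFC 1918 address that shows up unmasqueraded, which is exactly the symptom above. The sample lines are constructed from the two excerpts in the post.

```python
import ipaddress
import re

# Constructed sample: excerpts of the two captures taken on the public
# server (box A).  The first is the ping from D, correctly masqueraded as
# 203.25.143.250; the second is the ping from C, where the private source
# address 192.168.0.20 reaches the public side unchanged.
SAMPLE_FROM_D = """\
203.25.143.250 > 203.25.143.1: icmp: echo request
203.25.143.1 > 203.25.143.250: icmp: echo reply
203.25.143.250 > 203.25.143.1: icmp: redirect
   192.168.0.1 to host 192.168.0.1 [tos 0xd0]
"""
SAMPLE_FROM_C = """\
192.168.0.20 > 203.25.143.1: icmp: echo request
203.25.143.1 > 192.168.0.20: icmp: echo reply
203.25.143.250 > 203.25.143.1: icmp: redirect
   192.168.0.20 to host 192.168.0.20 [tos 0xc0]
"""

# Matches a top-level tcpdump icmp line: "<src> > <dst>: icmp: <text>"
LINE_RE = re.compile(r"^(\S+) > (\S+): icmp: (.*)$")


def parse_icmp_lines(text):
    """Yield (src, dst, description) for each top-level icmp line.

    Indented continuation lines (such as the body of an ICMP redirect)
    belong to the preceding packet and are skipped here.
    """
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_unmasqueraded(text):
    """Return sorted private (RFC 1918) addresses seen as packet source or
    destination on the public side.  An empty list means NAT held up."""
    leaked = set()
    for src, dst, _ in parse_icmp_lines(text):
        for addr in (src, dst):
            if ipaddress.ip_address(addr).is_private:
                leaked.add(addr)
    return sorted(leaked)


if __name__ == "__main__":
    print("from D:", find_unmasqueraded(SAMPLE_FROM_D))  # []
    print("from C:", find_unmasqueraded(SAMPLE_FROM_C))  # ['192.168.0.20']
```

On the gateway itself the same check, run over a capture of the external interface, tells you directly whether a given internal host is being masqueraded before its packets ever leave.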

