
Author Topic: NAT Reflection for UDP  (Read 4469 times)


Offline Plexus

  • Newbie
  • Posts: 23
  • Karma: +0/-0
NAT Reflection for UDP
« on: February 17, 2012, 07:08:11 am »
hey guys...

please let me know, how much one would have to spend to make this feature working properly?
the workaround with the split-dns is not working, having different servers running on several pcs in the lan.

thx 'n' greetz,
plex
« Last Edit: February 17, 2012, 03:29:59 pm by Plexus »

Offline jimp

  • Administrator
  • Hero Member
  • Posts: 14998
  • Karma: +4/-0
Re: NAT Reflection for UDP
« Reply #1 on: February 20, 2012, 02:23:09 pm »
Not sure what it might take, but we do already install the NAT redirects and set up the netcat processes to accept the inbound traffic. Not sure where it's going astray, but it hasn't ever worked that I'm aware of.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline Efonne

  • Hero Member
  • Posts: 630
  • Karma: +0/-0
Re: NAT Reflection for UDP
« Reply #2 on: February 21, 2012, 05:22:40 am »
For the existing reflection implementation for port forwards, I don't really know for sure what is breaking it for UDP.

You could test the 1:1 NAT reflection to see if that works, as it is possible to implement the same rules for port forwards.  For this test, on System: Advanced: Firewall/NAT, enable "Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from." (that really needs a shorter descriptive name to the left...).  Create a 1:1 NAT rule on LAN with some IP address for external IP other than your WAN IP or one on your LAN (it can be anything for this test, even just some made up IP, as long as it isn't one of those).  You could do a rule for testing your whole LAN or just one IP, just whatever you want to for the test.  Try locally accessing your UDP services through the appropriate "external IP" for the server you want to test (depending on how you configured the 1:1 rule) and report back on the results.  The 1:1 NAT reflection code can be used for port forwards as well, but the code for using it as such is not there yet.  If the test succeeds, that implementation would work for your UDP port forwards if/when completed.

If you want to pay something to get this done, whatever you think would be fair (fair to you or to me) would be fine with me.  I'll probably finish it sometime anyway, but I might be more willing to do it sooner rather than later if someone was going to pay something for it, and I'd be more willing to do the work to make a package to retrofit it onto 2.0.1.

Offline Supermule

  • Hero Member
  • Posts: 1495
  • Karma: +2/-1
Re: NAT Reflection for UDP
« Reply #3 on: February 21, 2012, 10:31:02 am »
Sounds nice Erik!!

I would be willing to contribute to that.
Kind regards Brian


Offline jimp

  • Administrator
  • Hero Member
  • Posts: 14998
  • Karma: +4/-0
Re: NAT Reflection for UDP
« Reply #4 on: February 22, 2012, 01:42:29 pm »
Something tells me the fix isn't this easy, but it's worth a shot. While researching another problem I noticed that our inetd.conf had the udp entries using nowait, and inet.conf(8) says that dgram servers should always specify wait.

https://github.com/bsdperimeter/pfsense/commit/3a12bcc49b6ae8e7f283149a5f6dd423ce62a05c

Give that fix a try and see if it works for you.
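As an added illustration of the inetd.conf point in the reply above (this is not pfSense code and not from the linked commit), the script below reads an inetd.conf-style file and flags entries that combine a dgram socket with nowait, then prints a corrected copy with those entries switched to wait. It assumes the classic inetd.conf field layout (service, socket type, protocol, wait/nowait with an optional /max suffix, user, program, arguments); the sample file it writes is constructed for the demonstration, and the forwarding addresses in it are made up.

```shell
#!/bin/sh
# Added example, not part of pfSense: audit inetd.conf for UDP (dgram)
# entries that use nowait, which inetd.conf(5) says datagram servers
# must not do, and emit a corrected copy.
# Assumed field layout: service socktype proto wait|nowait[/max] user program args...

check_inetd_dgram_wait() {
    # $1 = path to an inetd.conf file. Prints each offending line as
    # "file:lineno: line" and returns 1 if any were found, 0 otherwise.
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        {
            split($4, w, "/")                # 4th field may be "nowait/64" etc.
            if ($2 == "dgram" && w[1] == "nowait") {
                print FILENAME ":" NR ": " $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

count_bad_dgram_entries() {
    # $1 = path; prints the number of dgram+nowait entries (0 if clean)
    check_inetd_dgram_wait "$1" | wc -l | tr -d ' '
}

fix_inetd_dgram_wait() {
    # $1 = path; prints the file with dgram entries changed from nowait to
    # wait. Any /max suffix is kept; rewritten lines are re-joined with
    # single spaces because awk rebuilds $0 when a field is assigned.
    awk '
        !/^[[:space:]]*#/ && NF >= 6 && $2 == "dgram" { sub(/^nowait/, "wait", $4) }
        { print }
    ' "$1"
}

write_sample_inetd_conf() {
    # Writes a constructed sample to $1: a TCP entry (nowait is fine there),
    # a UDP entry wrongly using nowait, and a UDP entry already using wait.
    cat > "$1" <<'EOF'
# constructed sample for the check above, not a real pfSense inetd.conf
19000   stream  tcp     nowait      nobody  /usr/bin/nc nc -w 20 192.0.2.10 80
19001   dgram   udp     nowait/64   nobody  /usr/bin/nc nc -u -w 20 192.0.2.10 53
19002   dgram   udp     wait        nobody  /usr/bin/nc nc -u -w 20 192.0.2.10 53
EOF
}

# Stand-alone demonstration on the constructed sample.
demo=$(mktemp)
write_sample_inetd_conf "$demo"
check_inetd_dgram_wait "$demo" || echo "-> dgram entries above should use wait; corrected copy:"
fix_inetd_dgram_wait "$demo"
rm -f "$demo"
```

To audit a real file, call `check_inetd_dgram_wait /etc/inetd.conf` (adjust the path for your system) and review the lines it prints before replacing anything; `fix_inetd_dgram_wait` only writes to stdout, so redirect it to a new file and diff it against the original rather than overwriting in place.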

Offline dhatz

  • Hero Member
  • Posts: 1002
  • Karma: +0/-0
Re: NAT Reflection for UDP
« Reply #5 on: February 23, 2012, 05:17:00 pm »
Have you considered using socat (http://www.dest-unreach.org/socat/) instead of nc/netcat ?

It seems to work with UDP, according to this post.

Offline jimp

  • Administrator
  • Hero Member
  • Posts: 14998
  • Karma: +4/-0
Re: NAT Reflection for UDP
« Reply #6 on: February 23, 2012, 07:27:37 pm »
I looked into socat at some point, and I don't remember why I passed it over. I'd have to look again to remember why.

Offline dhatz

  • Hero Member
  • Posts: 1002
  • Karma: +0/-0
Re: NAT Reflection for UDP
« Reply #7 on: February 24, 2012, 12:46:14 pm »
I had used socat successfully for this type of work in the past, but only under Linux.

Based on some googling I did yesterday, it seems to work fine for people under *BSD as well.

Offline Plexus

  • Newbie
  • Posts: 23
  • Karma: +0/-0
Re: NAT Reflection for UDP
« Reply #8 on: March 14, 2012, 07:34:38 pm »
Quote from: jimp on February 22, 2012, 01:42:29 pm
Something tells me the fix isn't this easy, but it's worth a shot. While researching another problem I noticed that our inetd.conf had the udp entries using nowait, and inet.conf(8) says that dgram servers should always specify wait.

https://github.com/bsdperimeter/pfsense/commit/3a12bcc49b6ae8e7f283149a5f6dd423ce62a05c

Give that fix a try and see if it works for you.


sry for my late reply but suddenly I was snowed under with work. Some days ago I tried your workaround but unfortunately it didn't fix the error. I expect to be finished with my assignment within 4 weeks and after getting paid I expect to have some cash making this issue a bit more palatable for you to fix...

Offline Supermule

  • Hero Member
  • Posts: 1495
  • Karma: +2/-1
Kind regards Brian