Not sure which Solaris version you are using but this works fine for
me. Perhaps I am missing something - do you have any other NAT rules
or just this one?
-bash-3.00# ifconfig -a
e1000g0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
inet 10.0.206.1 netmask ffff0000 broadcast 10.0.255.255
ether 0:14:4f:8b:e4:8c
-bash-3.00# ifconfig e1000g0:1 plumb 10.0.206.222/16 router up
-bash-3.00# ifconfig -a
e1000g0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
inet 10.0.206.1 netmask ffff0000 broadcast 10.0.255.255
ether 0:14:4f:8b:e4:8c
e1000g0:1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
inet 10.0.206.222 netmask ffff0000 broadcast 10.0.255.255
-bash-3.00# ipnat -l
List of active MAP/Redirect filters:
rdr e1000g0 from any to any port = 3891 -> 10.0.206.222 port 389 tcp
telnet from another machine to 10.0.206.1:3891 and then to
10.0.206.222:3891. Connection refused is returned, as expected. See
below that the sessions get created.
-bash-3.00# ipnat -l
List of active MAP/Redirect filters:
rdr e1000g0 from any to any port = 3891 -> 10.0.206.222 port 389 tcp
List of active sessions:
RDR 10.0.206.222 389 <- -> 10.0.206.1 3891 [10.0.4.211 49229]
-bash-3.00# ipnat -l
List of active MAP/Redirect filters:
rdr e1000g0 from any to any port = 3891 -> 10.0.206.222 port 389 tcp
List of active sessions:
RDR 10.0.206.222 389 <- -> 10.0.206.222 3891 [10.0.4.211 57172]
RDR 10.0.206.222 389 <- -> 10.0.206.1 3891 [10.0.4.211 49229]
You said that even session entries are not being created for you? Can
you send the output of 'ipnat -l'? Don't mind my asking, but is IP
filter enabled and is it running?
- Ashwani
On Thu, May 14, 2009 at 5:00 PM, Terry Dawson <[email protected]> wrote:
>
> Ashwani said:
>> I am not sure I understand - so you are trying to connect to
>> IP-of-ce0:1/port-3891 and you see that packets are swallowed?
>
> Yes, that is correct.
>
>> I have personally never redirected traffic on a physical interface to
>> a loopback interface so I am not sure if it works, but that might be
>> causing this issue.
>
> Redirects to loopback work just fine. If we set the rule up for the
> physical interface it works fine. It is the virtual interface I'm having
> trouble with.
>
>> Does your LDAP server only listen on the loopback IP? If you can make
>> your LDAP server listen on the logical IP address (of ce0:1) then the
>> following rule should work without affecting any other traffic:
>>
>> rdr ce0 from any to any port = 3891 -> <IP of ce0:1> port 389 tcp
>
> The LDAP server listens on all interfaces. I've tried your suggestion;
> it appears to behave the same way.
>
> Terry
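The check Ashwani performs by eye above (is the rdr rule loaded, and do sessions get created for connections to both the physical and the logical address?) can be scripted. The following is an added example, not code from the thread or from IP Filter itself; it assumes the `ipnat -l` field layout shown in the thread, embeds a sample constructed from that output so it runs offline, and the function names `rdr_rule_loaded` and `rdr_sessions_to` are hypothetical.

```sh
#!/bin/sh
# Added example: parse 'ipnat -l' output to confirm a redirect rule is active
# and to count the sessions it created per original destination address.
# Sample constructed from the output pasted in the thread; on a live host set
# IPNAT_OUTPUT=$(ipnat -l) before sourcing/running this script.
SAMPLE='List of active MAP/Redirect filters:
rdr e1000g0 from any to any port = 3891 -> 10.0.206.222 port 389 tcp
List of active sessions:
RDR 10.0.206.222 389 <- -> 10.0.206.222 3891 [10.0.4.211 57172]
RDR 10.0.206.222 389 <- -> 10.0.206.1 3891 [10.0.4.211 49229]'
IPNAT_OUTPUT=${IPNAT_OUTPUT:-$SAMPLE}

# rdr_rule_loaded IFACE PORT TARGET TPORT -> prints 1 if a matching rdr rule
# is active, 0 otherwise. Field positions follow the rule line format:
#   rdr <if> from any to any port = <port> -> <target> port <tport> <proto>
rdr_rule_loaded() {
    printf '%s\n' "$IPNAT_OUTPUT" | awk -v i="$1" -v p="$2" -v t="$3" -v tp="$4" '
        $1 == "rdr" && $2 == i && $9 == p && $11 == t && $13 == tp { found = 1 }
        END { print found + 0 }'
}

# rdr_sessions_to DST -> number of active RDR sessions whose original
# destination (the address the client actually connected to) was DST.
# Session line format:
#   RDR <target> <tport> <- -> <orig dst> <orig port> [<client> <cport>]
rdr_sessions_to() {
    printf '%s\n' "$IPNAT_OUTPUT" | awk -v d="$1" '
        $1 == "RDR" && $6 == d { n++ }
        END { print n + 0 }'
}

# Summary matching Ashwani's test: one session via the physical address
# 10.0.206.1 and one via the logical e1000g0:1 address 10.0.206.222.
report() {
    printf 'rule loaded: %s\n' "$(rdr_rule_loaded e1000g0 3891 10.0.206.222 389)"
    for dst in 10.0.206.1 10.0.206.222; do
        printf 'sessions to %s:3891 redirected: %s\n' "$dst" "$(rdr_sessions_to "$dst")"
    done
}
report
```

If `rdr_sessions_to` reports 0 for the logical address while the rule is loaded, the packets never reached the NAT code for that address, which is the symptom Terry describes and the reason Ashwani asks whether IP Filter is actually enabled.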