NAT/DNS question/recommendation?

2005-01-19 Thread Tom Huppi

I have a FreeBSD 5.3 workstation connected to the net via user-ppp
with a dynamic IP.  I have user-ppp doing both NAT and simple
firewall.

I have a headless server box, also 5.3, set up as a NAT client.
I run it only when I need the horsepower since it's loud and sucks
power.

My problem is that the NAT client acts funny.  It makes the
gateway/workstation box dial up when I attempt to automount from
it for example.  Also I've had troubles with ssh delays.  I'm
pretty sure that what is happening is that it wants to use DNS to
resolve names sometime even though all that it needs _should_ be
in the /etc/hosts file (and nsswitch.conf lists files first.)

On the NAT client, I have my defaultrouter set to the NAT server's
IP (in the 172.16 range.)  Also I have my ISP's dns server in
/etc/resolv.conf.  I can't seem to make things work well any other
way.

Can someone recommend a better setup to avoid my problems, or
suggest that I should _not_ be having these problems with this
setup and that something else in my setup must be wrong?

A long, long time ago, I set up a caching-only DNS server on a
gateway box 'for the fun of it.' If there is not a simpler
solution, I'll do it again (though the fun has worn off), but I
thought I'd ask here first.

BTW, I have done some research on this, but really didn't find
that many specific details about NAT client
configuration...possibly I just didn't look hard enough.

Thanks,

 - Tom


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: NAT/DNS question/recommendation?

2005-01-19 Thread Erik Norgaard
Tom Huppi wrote:
> I have a FreeBSD 5.3 workstation connected to the net via user-ppp
> with a dynamic IP.  I have user-ppp doing both NAT and simple
> firewall.
> I have a headless server box, also 5.3, set up as a NAT client.
> I run it only when I need the horsepower since it's loud and sucks
> power.
> My problem is that the NAT client acts funny.  It makes the
> gateway/workstation box dial up when I attempt to automount from
> it for example.  Also I've had troubles with ssh delays.  I'm
> pretty sure that what is happening is that it wants to use DNS to
> resolve names sometime even though all that it needs _should_ be
> in the /etc/hosts file (and nsswitch.conf lists files first.)
> On the NAT client, I have my defaultrouter set to the NAT server's
> IP (in the 172.16 range.)  Also I have my ISP's dns server in
> /etc/resolv.conf.  I can't seem to make things work well any other
> way.
> Can someone recommend a better setup to avoid my problems, or
> suggest that I should _not_ be having these problems with this
> setup and that something else in my setup must be wrong?
> A long, long time ago, I set up a caching-only DNS server on a
> gateway box 'for the fun of it.' If there is not a simpler
> solution, I'll do it again (though the fun has worn off), but I
> thought I'd ask here first.
> BTW, I have done some research on this, but really didn't find
> that many specific details about NAT client
> configuration...possibly I just didn't look hard enough.
Maybe you are searching for the wrong keywords. I simply haven't heard 
of anyone speak of a NAT client or NAT Server before.

Secondly you haven't told us anything about how things are set up: Are 
you using ipfw, ipf or pf? What are your nat-rules? What are your filter 
rules?

You are trying to automount what? nfs, smbfs?
ssh delays? did you try to type in the ip to see if it was faster?
I think I get the picture of your network but sometimes it helps a lot 
if you sketch the network with an ascii-diagram, add ip's etc.

Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2


Re: NAT/DNS question/recommendation?

2005-01-19 Thread Tom Huppi



On Wed, 19 Jan 2005, Erik Norgaard wrote:

> Tom Huppi wrote:
> > I have a FreeBSD 5.3 workstation connected to the net via user-ppp
> > with a dynamic IP.  I have user-ppp doing both NAT and simple
> > firewall.
> >
> > I have a headless server box, also 5.3, set up as a NAT client.
> > I run it only when I need the horsepower since it's loud and sucks
> > power.
> >
> > My problem is that the NAT client acts funny.  It makes the
> > gateway/workstation box dial up when I attempt to automount from
> > it for example.  Also I've had troubles with ssh delays.  I'm
> > pretty sure that what is happening is that it wants to use DNS to
> > resolve names sometime even though all that it needs _should_ be
> > in the /etc/hosts file (and nsswitch.conf lists files first.)
> >
> > On the NAT client, I have my defaultrouter set to the NAT server's
> > IP (in the 172.16 range.)  Also I have my ISP's dns server in
> > /etc/resolv.conf.  I can't seem to make things work well any other
> > way.
> >
> > Can someone recommend a better setup to avoid my problems, or
> > suggest that I should _not_ be having these problems with this
> > setup and that something else in my setup must be wrong?
> >
> > A long, long time ago, I set up a caching-only DNS server on a
> > gateway box 'for the fun of it.' If there is not a simpler
> > solution, I'll do it again (though the fun has worn off), but I
> > thought I'd ask here first.
> >
> > BTW, I have done some research on this, but really didn't find
> > that many specific details about NAT client
> > configuration...possibly I just didn't look hard enough.

> Maybe you are searching for the wrong keywords. I simply haven't heard
> of anyone speak of a NAT client or NAT Server before.

I mean one runs NAT, and the other uses it.  I've searched various
things and have run into subtle references which seem related to
my problem (like 'gethostbyname' isn't even supposed to consult
/etc/hosts), but nothing specific.

> Secondly you haven't told us anything about how things are setup: Are
> you using ipfw, ipf or pf? What are your nat-rules? what are your filter
> rules?

I think I did mention that the firewall and NAT are as implemented
in user-PPP.  I could post my rule-set, but it would take a good
bit of space.  Clearly DNS requests from 'the-machine-using-NAT-
but-not-running-it' are dialbound-accept (either that, or
user-ppp's firewall is broken.)  That is not to say I know these
rules are correct, and in fact I had played around with this
aspect of the rules earlier to try to avoid spurious dials
associated with a windows 'machine-using-NAT', but unless there is
a known mechanism associated with the rules which would cause the
unhappiness I'm experiencing, it seems a waste of space.

BTW, it does seem that when the user-ppp daemon is shut down
completely, these delays _don't_ exist, and the problem is
similarly non-noticeable when the connection is actually
established (in spite of the fact that, obviously, my local
hostnames are not known to the global internet.)

If someone knows, for instance, that DNS requests from
'the-machine-not-running-NAT-but-using-it' will quickly and
silently give up _or_ revert to files upon hitting a
dialbound-blocked rule, I can certainly make it so.  Obviously I
don't want to block DNS requests from the
'machine-not-running-NAT'.

> You are trying to automount what? nfs, smbfs?

NFS.  (unix - unix)

> ssh delays? did you try to type in the ip to see if it was faster?

Yup.  No change.  I should have mentioned that for sure.

> I think I get the picture of your network but sometimes it helps a lot
> if you sketch the network with an ascii-diagram, add ip's etc.

 - 172...20
 ip-by-ppp  |  - 172...8
   || |
 net - gw - srvr
  |  | |
info,   u-ppp, dfrtr:isp's dns server
porn,   w/fw   /etc/hosts: 8  srvr.made-up-dom srvr
trash,  w/nat. ...20  gw.made-up-dom gw
etc.defrt set  /e/nsswitch.conf: files dns
 by uppp.
no ipv6ipv6 (and 4)

I just realized that I am setting 'defaultdomain' in the server's
/etc/rc.conf in spite of the fact that I'm not currently running
NIS in my local network.  I'll try getting rid of that to see if
it helps.

BTW, here's the salient part of a tcpdump on the tun0 interface
when I ssh from 'gw' to 'srvr':

 10:32:36.698042 IP gila.62914 > king.dialoregon.net.domain:
63948+ PTR? 20.0.16.172.in-addr.arpa. (42)
 10:32:36.990638 IP king.dialoregon.net.domain > gila.62914:
63948 NXDomain 0/1/0 (119)

So 'srvr' is looking up 'gw's IP when it _thinks_ there is access
to a DNS server.  That's what I thought.  Question is, 'how to
make it stop?'

Here's my /etc/hosts:
---
::1 localhost localhost.huppih.com
127.0.0.1   localhost localhost.huppih.com

172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama
-
and I have tried various permutations of this on both machines
(specifically, the additional 'name.dom.com.' entry which seems to
exist on a CD installation 

Re: NAT/DNS question/recommendation?

2005-01-19 Thread Erik Norgaard
Tom Huppi wrote:
> I mean one runs NAT, and the other uses it.  I've searched various
> things and have run into subtle references which seem related to
> my problem (like 'gethostbyname' isn't even supposed to consult
> /etc/hosts), but nothing specific.
Yeah, I sort of guessed that, I was thinking that if you were googling 
then you should probably search for freebsd gateway ppp nat. The 
common lingo is that your NAT-server is a gateway/firewall and the 
NAT-client is a host.

> I think I did mention that the firewall and NAT are as implemented
> in user-PPP.  I could post my rule-set, but it would take a good
> bit of space.  Clearly DNS requests from 'the-machine-using-NAT-
> but-not-running-it' are dialbound-accept (either that, or
> user-ppp's firewall is broken.)  That is not to say I know these
> rules are correct, and in fact I had played around with this
> aspect of the rules earlier to try to avoid spurious dials
> associated with a windows 'machine-using-NAT', but unless there is
> a known mechanism associated with the rules which would cause the
> unhappiness I'm experiencing, it seems a waste of space.
OK, let me say first that since I have a permanent connection I haven't 
messed much with ppp, but this doesn't seem to be your problem. The 
solutions I have heard of use a setup where the pppd (what-ya-call-it) 
will call up the isp and start the firewall/nat. But fundamentally the 
firewall/nat is independent of the modem connection.

So, what do you use for firewall/nat? ipfw/ipf/pf? I think I can help 
you with ipf, if you use something else then I'm sure someone can help 
you once they know they have the knowledge you need.

While your filter rules might be long, the nat rules should be quite 
simple, and typically it's nat that causes problems, so please post that.

> > ssh delays? did you try to type in the ip to see if it was faster?
> Yup.  No change.  I should have mentioned that for sure.
This is really important because this suggests that there is no problem 
with your resolv.conf or other named configuration files.

> > I think I get the picture of your network but sometimes it helps a lot
> > if you sketch the network with an ascii-diagram, add ip's etc.
>
>  - 172...20
>  ip-by-ppp  |  - 172...8
>    || |
>  net - gw - srvr
>   |  | |
> info,   u-ppp, dfrtr:isp's dns server
> porn,   w/fw   /etc/hosts: 8  srvr.made-up-dom srvr
> trash,  w/nat. ...20  gw.made-up-dom gw
> etc.defrt set  /e/nsswitch.conf: files dns
>  by uppp.
> no ipv6ipv6 (and 4)
Ah, I see, dfrtr is default router? It shouldn't be the isp but the 
internal ip of your gw. Otherwise you might get some strange behaviour 
(which you seem to have).

> I just realized that I am setting 'defaultdomain' in the server's
> /etc/rc.conf in spite of the fact that I'm not currently running
> NIS in my local network.  I'll try getting rid of that to see if
> it helps.
Note that nis domain and dns domain are _not_ the same. Setting your 
default domain in rc.conf sets the nis default domain, and has 
absolutely nothing to do with dns.

> BTW, here's the salient part of a tcpdump on the tun0 interface
> when I ssh from 'gw' to 'srvr':
>  10:32:36.698042 IP gila.62914 > king.dialoregon.net.domain:
> 63948+ PTR? 20.0.16.172.in-addr.arpa. (42)
>  10:32:36.990638 IP king.dialoregon.net.domain > gila.62914:
> 63948 NXDomain 0/1/0 (119)
Ok, sorry, I'm used to snort output, but good idea, try sniff and dump 
so you can see what happens in slow.

> So 'srvr' is looking up 'gw's IP when it _thinks_ there is access
> to a DNS server.  That's what I thought.  Question is, 'how to
> make it stop?'
>
> Here's my /etc/hosts:
> ---
> ::1 localhost localhost.huppih.com
> 127.0.0.1   localhost localhost.huppih.com
> 172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama
Typo or copy/paste error? One ip per line. In the above 172.16.0.20 
becomes an alias for 172.16.0.8 (if it makes sense at all).

> Just knowing that someone has a similar setup and it works would
> be of significant help since it would tell me if there even is a
> solution.  Else, and also very good would be to know that it's an
> intractable problem with the tools I use.
I think that when you get to that point it's time to start clean and be 
systematic. Remove anything that might blur the picture, unneeded 
services and stuff.

Cheers, Erik
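An added example, not code from the thread: a small Python parser that reads an /etc/hosts file the way the resolver's 'files' source does, flags the one-address-per-line mistake Erik points out, and shows whether a reverse lookup of 172.16.0.20 (the PTR query in Tom's tcpdump) can be answered from files alone. The two hosts-file contents are constructed copies of the lines posted above, one as posted and one with the address per line restored; with 'files dns' in nsswitch.conf, an address that 'files' cannot answer is exactly what gets sent to the ISP's nameserver.

```python
import ipaddress

# Constructed sample, copied from the /etc/hosts posted in the thread: two
# hosts pasted onto one line, the defect Erik flagged.
HOSTS_BROKEN = """\
::1 localhost localhost.huppih.com
127.0.0.1   localhost localhost.huppih.com
172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama
"""

# The same file with one address per line, as hosts(5) expects.
HOSTS_FIXED = """\
::1 localhost localhost.huppih.com
127.0.0.1   localhost localhost.huppih.com
172.16.0.8  gila.huppih.com  gila
172.16.0.20 agama.huppih.com agama
"""

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hosts(text):
    """Read hosts(5) text as the resolver does: first field is the address,
    every later field is a name for that address.  Returns addr -> [names]
    plus warnings for lines that hide a second address among the names."""
    table, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if not is_ip(addr):
            warnings.append(f"line {lineno}: first field {addr!r} is not an address")
            continue
        stray = [n for n in names if is_ip(n)]
        if stray:
            warnings.append(f"line {lineno}: {' '.join(stray)} would be an alias "
                            f"of {addr}; use one address per line")
        table.setdefault(addr, []).extend(names)
    return table, warnings

def ptr_name(ip):
    """The in-addr.arpa name carried by a PTR query for ip."""
    return ipaddress.ip_address(ip).reverse_pointer

def reverse_from_files(table, ip):
    """Canonical name the 'files' source answers for ip, or None.  With
    'files dns' in nsswitch.conf, None is when the query leaves for the ISP."""
    names = table.get(str(ipaddress.ip_address(ip)))
    return names[0] if names else None
```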


Re: NAT/DNS question/recommendation?

2005-01-19 Thread Tom Huppi

On Wed, 19 Jan 2005, Erik Norgaard wrote:

Tom Huppi wrote:

snip

> So, what do you use for firewall/nat? ipfw/ipf/pf? I think I can
> help you with ipf, if you use something else then I'm sure
> someone can help you once they know they have the knowledge you
> need.

user-ppp has its own firewall implementation which is separate
from the above three mentioned.  That's what I'm using.  I'd have
to use it anyway to get dial-bound rules, and its other
capabilities are sufficient for my basic needs:
...
# And outgoing icmp
 set filter out 14 permit 0 0 icmp
...
# And the remote host can ping the local gateway (only)
 set filter in  10 permit 0/0  MYADDR icmp src eq 8
...
that sort of thing.


> While your filter rules might be long, the nat rules should be quite
> simple, and typically it's nat that causes problems, so please post that.

You're right.  They are extremely simple:

 nat enable yes  (in ppp.conf)

There is also an 'enable dns' entry which I may play around with
some more.  In fact, I'll have to if I...see last para...


> ssh delays? did you try to type in the ip to see if it was faster?
>
> > Yup.  No change.  I should have mentioned that for sure.

> This is really important because this suggests that there is no problem
> with your resolv.conf or other named configuration files.

I'm not using named...yet


> I think I get the picture of your network but sometimes it helps a lot
> if you sketch the network with an ascii-diagram, add ip's etc.
>
> >  - 172...20
> >  ip-by-ppp  |  - 172...8
> >    || |
> >  net - gw - srvr
> >   |  | |
> > info,   u-ppp, dfrtr:isp's dns server
> > porn,   w/fw   /etc/hosts: 8  srvr.made-up-dom srvr
> > trash,  w/nat. ...20  gw.made-up-dom gw
> > etc.defrt set  /e/nsswitch.conf: files dns
> >  by uppp.
> > no ipv6ipv6 (and 4)

> Ah, I see, dfrtr is default router? It shouldn't be the isp but the
> internal ip of your gw. Otherwise you might get some strange behaviour
> (which you seem to have).

Typo in the diagram. 'srvr's defaultrouter is ...20, and its
resolv.conf specifies my ISP's nameserver.  My now long gone
text was more accurate.


> > I just realized that I am setting 'defaultdomain' in the server's
> > /etc/rc.conf in spite of the fact that I'm not currently running
> > NIS in my local network.  I'll try getting rid of that to see if
> > it helps.

> Note that nis domain and dns domain are _not_ the same. Setting your
> default domain in rc.conf sets the nis default domain, and has
> absolutely nothing to do with dns.

Yes and possibly no.  I believe that it can have an influence on
how the system tries to resolve hostnames (since Sun wanted like
hell for people to use NIS for this purpose decades ago before
security was a consideration...), but I doubt that it's the
problem here.  In fact, I can now say that it isn't.
(nsswitch.conf man on some systems mentions this...dunno if the
capability even exists on xBSD systems.)


> > BTW, here's the salient part of a tcpdump on the tun0 interface
> > when I ssh from 'gw' to 'srvr':
> >
> >  10:32:36.698042 IP gila.62914 > king.dialoregon.net.domain:
> > 63948+ PTR? 20.0.16.172.in-addr.arpa. (42)
> >  10:32:36.990638 IP king.dialoregon.net.domain > gila.62914:
> > 63948 NXDomain 0/1/0 (119)

> Ok, sorry, I'm used to snort output, but good idea, try sniff and dump
> so you can see what happens in slow.

What happens is, 'gila' (aka 'srvr') tries to do a reverse dns
lookup and hangs until it times out or until it gets back a reply.
'non-existent domain' in this case.  The funny thing is that once
it gets even _this_ response it happily proceeds.  I don't know
what it _would_ be unhappy about...it makes the whole test seem
rather pointless in addition to being frustrating from my
standpoint.

The interesting thing is, as I mentioned, when PPP is completely
shut down the 'srvr' doesn't seem to even try this reverse DNS
lookup silliness (or else maybe it just fails miserably and
silently right away.)  That makes me think that maybe there is
some method of inducing PPP to lie to its clients (for lack of a
better term) about its status when it is active but not on-line.


> > So 'srvr' is looking up 'gw's IP when it _thinks_ there is access
> > to a DNS server.  That's what I thought.  Question is, 'how to
> > make it stop?'
> >
> > Here's my /etc/hosts:
> > ---
> > ::1 localhost localhost.huppih.com
> > 127.0.0.1   localhost localhost.huppih.com
> >
> > 172.16.0.8 gila.huppih.com gila 172.16.0.20 agama.huppih.com agama

> Typo or copy/paste error? One ip per line. In the above 172.16.0.20
> becomes an alias for 172.16.0.8 (if it makes sense at all).

Yup, another typo...this time from re-formatting paragraphs.


> > Just knowing that someone has a similar setup and it works would
> > be of significant help since it would tell me if there even is a
> > solution.  Else, and also very good would be to know that it's an
> > intractable problem with the tools I use.

> I think