# Multiple subnets behind NAT can't ping each other



## cheath (Aug 31, 2010)

I have a NAT server (PF) with 2 NICs: one (fxp0) has a public IP and the other (fxp1) a private IP.
I bind 3 private IPs on fxp1: 172.16.69.254, 172.16.70.254 and 172.16.71.254.
Clients are divided into 2 subnets, 172.16.70.0/24 and 172.16.71.0/24.
Clients and the NAT server all connect to the same switch (no VLAN).
Now these two subnets can reach the internet via the NAT server, but clients can't ping (connect to) clients in the other subnet.
What can I do to let clients ping clients in another subnet?
Thanks.


----------



## SirDice (Aug 31, 2010)

Please post your /etc/rc.conf and /etc/pf.conf.


----------



## cheath (Aug 31, 2010)

FreeBSD 8.1-R

[/etc/rc.conf]

```
defaultrouter="140.xx.yy.126"
gateway_enable="YES"
ifconfig_fxp0="inet 140.xx.yy.5  netmask 255.255.255.128"
ifconfig_fxp1="inet 172.16.69.254  netmask 255.255.255.0"
ifconfig_fxp1_alias0="inet 172.16.70.254  netmask 255.255.255.0"
ifconfig_fxp1_alias1="inet 172.16.71.254  netmask 255.255.255.0"
pf_enable="YES"
pflog_enable="YES"
```

[/etc/pf.conf]

```
ext_if="fxp0"
int_if="fxp1"
wan_net = "140.xx.yy.0/25"
set skip on lo
scrub in all
nat on $ext_if from 172.16.70.0/24 to any -> 163.30.69.5
nat on $ext_if from 172.16.71.0/24 to any -> 163.30.69.5
```
Thanks.


----------



## mix_room (Aug 31, 2010)

http://www.freebsd.org/doc/handbook/network-routing.html



			
				&quot said:
			
		

> 31.2.4 Building a Router
> 
> A network router is simply a system that forwards packets from one interface to another. Internet standards and good engineering practice prevent the FreeBSD Project from enabling this by default in FreeBSD. You can enable this feature by changing the following variable to YES in rc.conf(5):
> 
> ...


----------



## SirDice (Aug 31, 2010)

gateway_enable is already on or those clients wouldn't be able to access the internet either.


----------



## wblock@ (Aug 31, 2010)

The NAT lines make no sense to me; what is 163.30.69.5?

Also, you don't mention the OS used by the clients, or whether you've tried tests other than ping.  Some poorly-written OSes think ICMP packets are scary hacker tools, and firewall them.


----------



## SirDice (Aug 31, 2010)

Run tcpdump(1) on the fxp0 interface and start pinging.


----------



## cheath (Aug 31, 2010)

wblock said:

> The NAT lines make no sense to me; what is 163.30.69.5?
> 
> Also, you don't mention the OS used by the clients, or whether you've tried tests other than ping.  Some poorly-written OSes think ICMP packets are scary hacker tools, and firewall them.



Sorry for the copy-and-paste error. 163.30.69.5 should be replaced by the IP bound on fxp0.
I use win2000 to ping win7. I also ping clients from the NAT server.
When I use win2000 to ping win7 in another subnet, there is no response.
At the same time, when I ping the same win7 client from the NAT server, it responds.

I'll tcpdump it and post again, thanks.


----------



## SirDice (Aug 31, 2010)

Have a look at *netstat -rn* too. Both networks should be accessible via fxp0.

You may also want to limit tcpdump to just show icmp:
`# tcpdump -ni fxp0 icmp`
Or just to/from a certain host:
`# tcpdump -ni fxp0 icmp and host 172.16.70.12`


----------



## cheath (Sep 5, 2010)

Thanks wblock and SirDice.
I solved this problem.
It's just that win7 by default only accepts ping packets from the same subnet.
I edited the firewall rules of win7 and it works fine.
Thanks a lot.


----------
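As an added example (not code from the thread), here is a small Python parser over constructed `tcpdump -ni fxp1 icmp` output that pairs echo requests with replies per source/destination pair. On a single interface that hosts several subnets, a forwarded request is captured twice (arriving and leaving), so the parser collapses duplicates. A target that answers its own gateway but never answers a host from the other subnet, while its requests are visible on the wire, points at host-side filtering rather than routing, which is the pattern this thread ended with. The sample capture and addresses are constructed.

```python
import re

# Shape of the IPv4 echo lines that "tcpdump -n icmp" prints.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def summarize(lines):
    """Per (src, dst) pair: (distinct requests seen, requests that got a reply).

    Requests are keyed by (src, dst, id, seq); the forwarded copy of a packet on
    the same interface has the same key, so it is counted once.
    """
    requests, replies = set(), set()
    for line in lines:
        m = ICMP_RE.match(line)
        if not m:
            continue  # other ICMP types (unreachables etc.) are ignored here
        key = (m["src"], m["dst"], int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests.add(key)
        else:
            # A reply runs dst -> src of the request it answers; normalise it.
            replies.add((m["dst"], m["src"], int(m["id"]), int(m["seq"])))
    stats = {}
    for src, dst, ident, seq in requests:
        seen, answered = stats.get((src, dst), (0, 0))
        stats[(src, dst)] = (seen + 1, answered + ((src, dst, ident, seq) in replies))
    return stats

def suspicious_pairs(lines):
    """Pairs whose requests were on the wire but never answered."""
    return sorted(p for p, (seen, ans) in summarize(lines).items() if ans == 0)

# Constructed capture: 172.16.70.12 (win2000) pings 172.16.71.20 (win7) across
# subnets and gets nothing; the router (172.16.71.254) pings the same host from
# its own subnet and is answered. Each forwarded request shows up twice.
SAMPLE = """\
12:00:01.000100 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 512, seq 1, length 40
12:00:01.000150 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 512, seq 1, length 40
12:00:02.000100 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 512, seq 2, length 40
12:00:02.000150 IP 172.16.70.12 > 172.16.71.20: ICMP echo request, id 512, seq 2, length 40
12:00:05.000100 IP 172.16.71.254 > 172.16.71.20: ICMP echo request, id 9001, seq 0, length 64
12:00:05.000400 IP 172.16.71.20 > 172.16.71.254: ICMP echo reply, id 9001, seq 0, length 64
""".splitlines()

if __name__ == "__main__":
    for pair, (seen, answered) in sorted(summarize(SAMPLE).items()):
        print(f"{pair[0]} -> {pair[1]}: {seen} requests, {answered} answered")
    print("unanswered pairs:", suspicious_pairs(SAMPLE))
```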

