NAT Helpers?

NAT Helpers?

[James Stickland]

	My problem with this network setup is that when the terminal server 
attempts to join the domain, or do such things as browse all the network 
shares (as opposed to typing in their ip address), it attempts 
connections to the 10.10.10.7 broadcast address.  The problem lies 
within the router  - it does not forward broadcasts.  With netfilter, 
are there any nat helpers I can use  for forwarding  broadcasts between 
interfaces? Im looking for something similar to the  cisco ip nat helpers.

If such things exist for netfilter, could someone also please provide 
examples?  Thanks

Re: NAT Helpers?

[/dev/rob0]

On Saturday 2005-September-10 00:05, James Stickland wrote:
> My problem with this network setup is that when the terminal server

With WHAT network setup? I saw no information about a network.

> attempts to join the domain, or do such things as browse all the
> network shares (as opposed to typing in their ip address), it
> attempts connections to the 10.10.10.7 broadcast address.  The
> problem lies within the router  - it does not forward broadcasts.

Why not? A broadcast is just another IP. This is sometimes true but not 
always true. It might depend on your rules. A clear explanation of the 
issue helps in finding a resolution.

> With netfilter, are there any nat helpers I can use  for forwarding 
> broadcasts between interfaces? Im looking for something similar to
> the  cisco ip nat helpers.

Apparently no one knows. I've been fortunate to avoid Cisco routers, 
myself, so I don't know what they do with broadcasts. (I bet few Cisco 
admins would know, either!)
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

RE: NAT Helpers?

[Derick Anderson]

 

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of /dev/rob0
> Sent: Sunday, September 11, 2005 8:09 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: NAT Helpers?
> 
> On Saturday 2005-September-10 00:05, James Stickland wrote:
> > My problem with this network setup is that when the terminal server
> 
> With WHAT network setup? I saw no information about a network.
> 
> > attempts to join the domain, or do such things as browse all the 
> > network shares (as opposed to typing in their ip address), 
> it attempts 
> > connections to the 10.10.10.7 broadcast address.  The problem lies 
> > within the router  - it does not forward broadcasts.
> 
> Why not? A broadcast is just another IP. This is sometimes 
> true but not always true. It might depend on your rules. A 
> clear explanation of the issue helps in finding a resolution.

I actually tried once to get DHCP to broadcast across two subnets with
no success (I allowed the ports to be forwarded, didn't block 0.0.0.0 or
255.255.255.255, etc.). Of course DHCP uses 0.0.0.0 and 255.255.255.255
so that may be a special case. But usually broadcast addresses are
defined within a subnet (like 10.0.0.255) and so I would think they
wouldn't be routed outside the subnet by design.

Just my thoughts - or maybe I misunderstood this part of the issue.

Derick Anderson

RE: NAT Helpers?

[R. DuFresne]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




isn't the key to this "solution" a bridge?  I mean afterall you are trying 
to join two seperate braodcast domains and the best way to do that is with 
a bridge, or am I missing something here?




Thanks,

Ron DuFresne

On Mon, 12 Sep 2005, Derick Anderson wrote:

>
>
>> -----Original Message-----
>> From: netfilter-bounces@lists.netfilter.org
>> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of /dev/rob0
>> Sent: Sunday, September 11, 2005 8:09 AM
>> To: netfilter@lists.netfilter.org
>> Subject: Re: NAT Helpers?
>>
>> On Saturday 2005-September-10 00:05, James Stickland wrote:
>>> My problem with this network setup is that when the terminal server
>>
>> With WHAT network setup? I saw no information about a network.
>>
>>> attempts to join the domain, or do such things as browse all the
>>> network shares (as opposed to typing in their ip address),
>> it attempts
>>> connections to the 10.10.10.7 broadcast address.  The problem lies
>>> within the router  - it does not forward broadcasts.
>>
>> Why not? A broadcast is just another IP. This is sometimes
>> true but not always true. It might depend on your rules. A
>> clear explanation of the issue helps in finding a resolution.
>
> I actually tried once to get DHCP to broadcast across two subnets with
> no success (I allowed the ports to be forwarded, didn't block 0.0.0.0 or
> 255.255.255.255, etc.). Of course DHCP uses 0.0.0.0 and 255.255.255.255
> so that may be a special case. But usually broadcast addresses are
> defined within a subnet (like 10.0.0.255) and so I would think they
> wouldn't be routed outside the subnet by design.
>
> Just my thoughts - or maybe I misunderstood this part of the issue.
>
> Derick Anderson
>
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDJdVZst+vzJSwZikRAm4zAJwOTuX1VS9sHnhFCcqRI1zAhihAiQCgx26d
mY5ZZ/8SmdnXRUJ+awLcPW4=
=FBgM
-----END PGP SIGNATURE-----

Re: NAT Helpers?

[Frans Luteijn]

Some time ago, I had a similar question. Someone came with a little
program
called udp-proxy.
(See
http://lists.netfilter.org/pipermail/netfilter/2004-December/057580.html)

Search in Google for udpproxy and udprelay.

For dhcp-relay use the program dhcrelay, compiled from the dhcp-source
and
included in most distributions.

R. DuFresne schreef:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> isn't the key to this "solution" a bridge?  I mean afterall you are trying
> to join two seperate braodcast domains and the best way to do that is with
> a bridge, or am I missing something here?
>
> Thanks,
>
> Ron DuFresne
>
> On Mon, 12 Sep 2005, Derick Anderson wrote:
>
> >
> >
> >> -----Original Message-----
> >> From: netfilter-bounces@lists.netfilter.org
> >> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of /dev/rob0
> >> Sent: Sunday, September 11, 2005 8:09 AM
> >> To: netfilter@lists.netfilter.org
> >> Subject: Re: NAT Helpers?
> >>
> >> On Saturday 2005-September-10 00:05, James Stickland wrote:
> >>> My problem with this network setup is that when the terminal server
> >>
> >> With WHAT network setup? I saw no information about a network.
> >>
> >>> attempts to join the domain, or do such things as browse all the
> >>> network shares (as opposed to typing in their ip address),
> >> it attempts
> >>> connections to the 10.10.10.7 broadcast address.  The problem lies
> >>> within the router  - it does not forward broadcasts.
> >>
> >> Why not? A broadcast is just another IP. This is sometimes
> >> true but not always true. It might depend on your rules. A
> >> clear explanation of the issue helps in finding a resolution.
> >
> > I actually tried once to get DHCP to broadcast across two subnets with
> > no success (I allowed the ports to be forwarded, didn't block 0.0.0.0 or
> > 255.255.255.255, etc.). Of course DHCP uses 0.0.0.0 and 255.255.255.255
> > so that may be a special case. But usually broadcast addresses are
> > defined within a subnet (like 10.0.0.255) and so I would think they
> > wouldn't be routed outside the subnet by design.
> >
> > Just my thoughts - or maybe I misunderstood this part of the issue.
> >
> > Derick Anderson
> >
> >
>
> - --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>          admin & senior security consultant:  sysinfo.com
>                          http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629
>
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
>
>                  -Tom Robbins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFDJdVZst+vzJSwZikRAm4zAJwOTuX1VS9sHnhFCcqRI1zAhihAiQCgx26d
> mY5ZZ/8SmdnXRUJ+awLcPW4=
> =FBgM
> -----END PGP SIGNATURE-----



--
Frans Luteijn
PGP PblKey fprnt=C4 87 CE AF BC B6 98 C1  EF 42 A1 9A E2 C0 42 5B
GPG PblKey fprnt=ED20 0F25 C233 DC59 3FFA  170E D0BF 15F5 0BA6 1355