On Thu, 27 May 2004, Manuel Kasper wrote:
> On 27.05.2004 09:07 -0400, nicolas bussieres wrote:
> > We have several PCs connected to a m0n0wall and we are using network
> > management tools, but when 2 users on different PCs try to ping
> > the same external IP address (22.214.171.124, which is Yahoo for
> > example), only one gets a response, and it takes a long while
> > after he stops for the other to start pinging.
> > Is there a solution?
> No. That's because ICMP doesn't use port numbers, and as such when
> the reply from 126.96.36.199 comes in, ipnat doesn't know which LAN
> host to send it to. Some NAT implementations try to be clever about
> this, but ipnat (which is used in m0n0wall) isn't. I don't think this
> is a big restriction, though... There are no such problems with TCP
> or UDP.
Although ICMP doesn't use "port numbers", the request and reply forms have
a 16-bit "ID", which is conceptually more or less equivalent to the
TCP/UDP originating port number, and should be treated as such by NAT
(including possibly remapping it to avoid conflicts). Any NAT
implementation that doesn't do this is broken.
ICMP *errors* have no ID, but should be demultiplexed on the basis of the
embedded IP header from the associated *outgoing* packet.
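The two rules in the reply above (treat the echo ID like a source port and remap it on conflict; demultiplex ICMP errors on the embedded copy of the outgoing packet), as an added Python example. This is not code from the thread and not how ipnat or m0n0wall implement anything; it is a toy NAT table over hand-built packets. The IP-layer address rewrite is assumed to happen elsewhere, and all addresses (192.168.1.x LAN hosts, 198.51.100.1 public side, 203.0.113.x outside) and the echo ID 0x1234 are constructed sample values.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_ERROR_TYPES = {3, 11, 12}   # dest unreachable, time exceeded, parameter problem


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_update(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 incremental update when one 16-bit word changes (payload may be truncated)."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo request/reply: type, code 0, checksum, 16-bit ID, 16-bit sequence, data."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(hdr + payload), ident, seq) + payload


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) carrying ICMP (protocol 1)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_icmp_error(icmp_type: int, code: int, offending: bytes) -> bytes:
    """ICMP error: 8-byte header, then the offending IP header plus 8 bytes of its datagram."""
    body = offending[:28]   # assumes the quoted header has no options (as build_ipv4 makes it)
    hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)
    return struct.pack("!BBHI", icmp_type, code, checksum(hdr + body), 0) + body


class IcmpNat:
    """Tracks echo sessions by (external host, public ID), remapping the ID on collision."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self._fwd = {}   # (lan_ip, ext_ip, lan_id) -> public_id
        self._rev = {}   # (ext_ip, public_id) -> (lan_ip, lan_id)

    def outbound(self, lan_ip: str, ext_ip: str, icmp: bytes) -> bytes:
        """Translate an echo request leaving the LAN; returns the ICMP bytes to send out."""
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        if icmp_type != ICMP_ECHO_REQUEST:
            return icmp
        key = (lan_ip, ext_ip, ident)
        if key not in self._fwd:
            public_id = ident
            while (ext_ip, public_id) in self._rev:   # another LAN host already uses this ID
                public_id = (public_id + 1) & 0xFFFF
            self._fwd[key] = public_id
            self._rev[(ext_ip, public_id)] = (lan_ip, ident)
        return build_echo(ICMP_ECHO_REQUEST, self._fwd[key], seq, icmp[8:])

    def inbound(self, src_ip: str, icmp: bytes):
        """Translate ICMP arriving from outside; returns (lan_ip, icmp_for_lan) or None to drop."""
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        if icmp_type == ICMP_ECHO_REPLY:
            hit = self._rev.get((src_ip, ident))
            if hit is None:
                return None
            lan_ip, lan_id = hit
            return lan_ip, build_echo(ICMP_ECHO_REPLY, lan_id, seq, icmp[8:])
        if icmp_type in ICMP_ERROR_TYPES:
            return self._inbound_error(icmp)
        return None

    def _inbound_error(self, icmp: bytes):
        """Errors carry no ID of their own: demux on the embedded copy of OUR outgoing packet."""
        inner = icmp[8:]
        ihl = (inner[0] & 0x0F) * 4
        if len(inner) < ihl + 8:
            return None
        inner_dst = socket.inet_ntoa(inner[16:20])          # the external host we pinged
        inner_type, _, _, inner_id, _ = struct.unpack("!BBHHH", inner[ihl:ihl + 8])
        if inner_type != ICMP_ECHO_REQUEST:
            return None
        hit = self._rev.get((inner_dst, inner_id))         # embedded ID is the public one
        if hit is None:
            return None
        lan_ip, lan_id = hit
        # Undo the translation inside the quoted packet so the LAN host recognises it.
        ip_hdr = bytearray(inner[:ihl])
        ip_hdr[12:16] = socket.inet_aton(lan_ip)
        ip_hdr[10:12] = b"\x00\x00"
        ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))   # full header is present
        inner_icmp = bytearray(inner[ihl:])                           # may be truncated
        old_csum = struct.unpack("!H", inner_icmp[2:4])[0]
        inner_icmp[2:4] = struct.pack("!H", checksum_update(old_csum, inner_id, lan_id))
        inner_icmp[4:6] = struct.pack("!H", lan_id)
        body = bytes(ip_hdr) + bytes(inner_icmp)
        outer = bytearray(icmp[:8])
        outer[2:4] = b"\x00\x00"
        outer[2:4] = struct.pack("!H", checksum(bytes(outer) + body))
        return lan_ip, bytes(outer) + body


def demo():
    """Two LAN hosts ping the same external host with the same echo ID (constructed sample)."""
    nat = IcmpNat(public_ip="198.51.100.1")
    ext, host_a, host_b = "203.0.113.5", "192.168.1.10", "192.168.1.11"
    req_a = nat.outbound(host_a, ext, build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping-a"))
    req_b = nat.outbound(host_b, ext, build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping-b"))
    id_a = struct.unpack("!H", req_a[4:6])[0]
    id_b = struct.unpack("!H", req_b[4:6])[0]
    # The external host answers each request with whatever ID it saw.
    reply_a = nat.inbound(ext, build_echo(ICMP_ECHO_REPLY, id_a, 1, b"ping-a"))
    reply_b = nat.inbound(ext, build_echo(ICMP_ECHO_REPLY, id_b, 1, b"ping-b"))
    stray = nat.inbound(ext, build_echo(ICMP_ECHO_REPLY, 0x9999, 1))   # no session: dropped
    # A router on the path returns "time exceeded" quoting host B's translated packet.
    quoted = build_ipv4(nat.public_ip, ext, req_b)
    err = nat.inbound("203.0.113.1", build_icmp_error(11, 0, quoted))
    return {
        "id_a": id_a, "id_b": id_b, "stray": stray,
        "reply_a": (reply_a[0], struct.unpack("!H", reply_a[1][4:6])[0], checksum(reply_a[1])),
        "reply_b": (reply_b[0], struct.unpack("!H", reply_b[1][4:6])[0], checksum(reply_b[1])),
        "error_to": err[0], "error_csum": checksum(err[1]),
        "error_inner_src": socket.inet_ntoa(err[1][20:24]),
        "error_inner_icmp": err[1][28:36],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Host B keeps sending ID 0x1234 on its own LAN segment while the outside world sees 0x1235, exactly the way a port-restricted NAT would rewrite a colliding UDP source port; the reply and the quoted packet inside the error are both translated back before delivery, so a host that verifies the ID of returned packets still accepts them.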