 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] multiple ping problems
 Date:  Thu, 27 May 2004 19:54:41 -0700 (PDT)
On Thu, 27 May 2004, Manuel Kasper wrote:
> On 27.05.2004 09:07 -0400, nicolas bussieres wrote:
> > We have several PCs connected to a m0n0wall and we are using network
> > management tools, but when 2 users on different PCs try to ping
> > the same external IP address ( , which is yahoo for
> > example), only one gets a response, and it takes a long while
> > after he stops for the other to start pinging
> > 
> > is there a solution?
> No. That's because ICMP doesn't use port numbers, and as such when
> the reply from comes in, ipnat doesn't know which LAN
> host to send it to. Some NAT implementations try to be clever about
> this, but ipnat (which is used in m0n0wall) isn't. I don't think this
> is a big restriction, though... There are no such problems with TCP
> or UDP.

Although ICMP doesn't use "port numbers", the request and reply forms have
a 16-bit "ID", which is conceptually more or less equivalent to the
TCP/UDP originating port number, and should be treated as such by NAT
(including possibly remapping it to avoid conflicts).  Any NAT
implementation that doesn't do this is broken.

ICMP *errors* have no ID, but should be demultiplexed on the basis of the
embedded IP header from the associated *outgoing* packet.

					Fred Wright
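The two rules Fred states above (the 16-bit echo ID is the NAT demultiplexing key and gets remapped when two LAN hosts collide on it; ICMP errors are matched on the embedded header of the outgoing packet) as an added worked example. This is illustrative code written for this page, not code from m0n0wall, ipnat or anyone in the thread. It assumes constructed addresses (203.0.113.1 as the NAT's external address, 192.168.1.10/11 as LAN hosts, 198.51.100.5 as the ping target, 192.0.2.9 as a router on the path), builds raw IPv4/ICMP packets inline, and every helper name (IcmpNat, set_icmp_id, demo, ...) is this example's own.

```python
# Toy ICMP-aware NAT (added example; not m0n0wall or ipnat code). Echo request/reply are
# matched on the 16-bit ICMP ID, remapped when two LAN hosts pick the same one; ICMP errors
# are matched on the embedded IP/ICMP header of the *outgoing* packet. All data is constructed.
import socket
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

def fold(s):
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def checksum(data):
    """RFC 1071 checksum; returns 0 when run over a message whose checksum field is valid."""
    data += b"\x00" * (len(data) % 2)
    return ~fold(sum(struct.unpack("!%dH" % (len(data) // 2), data))) & 0xFFFF

def csum_update(old, old_word, new_word):
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'); correct even on a truncated copy."""
    return ~fold((~old & 0xFFFF) + (~old_word & 0xFFFF) + new_word) & 0xFFFF

def ipv4(src, dst, payload):
    """Minimal IPv4 header for protocol 1 (ICMP) with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + payload

def icmp(typ, rest4, data=b""):
    """ICMP message: type, code 0, checksum, 4 'rest' bytes (ID and seq for echo), data."""
    msg = bytearray(struct.pack("!BBH", typ, 0, 0) + rest4 + data)
    msg[2:4] = struct.pack("!H", checksum(bytes(msg)))
    return bytes(msg)

def ip_fields(pkt):
    """-> (src, dst, header bytes, payload bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[:ihl], pkt[ihl:]

def set_ip_addr(hdr, offset, ip):
    """Rewrite src (offset 12) or dst (offset 16) and recompute the header checksum."""
    h = bytearray(hdr)
    h[offset:offset + 4] = socket.inet_aton(ip)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h)

def set_icmp_id(msg, new_id):
    """Rewrite the echo ID; the incremental patch keeps the checksum right even for a truncated copy."""
    m = bytearray(msg)
    old_csum, old_id = struct.unpack("!HH", m[2:6])
    m[2:6] = struct.pack("!HH", csum_update(old_csum, old_id, new_id), new_id)
    return bytes(m)

def icmp_id(msg):
    return struct.unpack("!H", msg[4:6])[0]

class IcmpNat:
    def __init__(self, external_ip):
        # fwd: (lan_ip, lan_id) -> ext_id; rev: ext_id -> (lan_ip, lan_id)
        self.ext, self.fwd, self.rev = external_ip, {}, {}

    def outbound(self, pkt):
        """Translate a LAN echo request: rewrite the source and, on ID collision, the ICMP ID."""
        src, dst, hdr, msg = ip_fields(pkt)
        if msg[0] != ECHO_REQUEST:
            raise ValueError("example translates outbound echo requests only")
        key = (src, icmp_id(msg))
        if key not in self.fwd:
            ext_id = key[1]
            while ext_id in self.rev:  # another LAN host already owns this ID on the outside
                ext_id = (ext_id + 1) & 0xFFFF
            self.fwd[key], self.rev[ext_id] = ext_id, key
        return set_ip_addr(hdr, 12, self.ext) + set_icmp_id(msg, self.fwd[key])

    def inbound(self, pkt):
        """Return the packet rewritten for its LAN owner, or None when no state matches (drop)."""
        src, dst, hdr, msg = ip_fields(pkt)
        if msg[0] == ECHO_REPLY and icmp_id(msg) in self.rev:
            lan_ip, lan_id = self.rev[icmp_id(msg)]
            return set_ip_addr(hdr, 16, lan_ip) + set_icmp_id(msg, lan_id)
        if msg[0] in (DEST_UNREACH, TIME_EXCEEDED) and len(msg) >= 36:
            e_src, e_dst, e_hdr, e_msg = ip_fields(msg[8:])  # embedded copy of our outgoing packet
            if e_src == self.ext and e_msg[0] == ECHO_REQUEST and icmp_id(e_msg) in self.rev:
                lan_ip, lan_id = self.rev[icmp_id(e_msg)]
                inner = set_ip_addr(e_hdr, 12, lan_ip) + set_icmp_id(e_msg, lan_id)
                outer = bytearray(msg[:8] + inner)
                outer[2:4] = b"\x00\x00"
                outer[2:4] = struct.pack("!H", checksum(bytes(outer)))
                return set_ip_addr(hdr, 16, lan_ip) + bytes(outer)
        return None

def demo():
    """Two LAN hosts ping the same target with the same ICMP ID 0x1234 (constructed scenario)."""
    nat, echo = IcmpNat("203.0.113.1"), struct.pack("!HH", 0x1234, 1)
    out_a = nat.outbound(ipv4("192.168.1.10", "198.51.100.5", icmp(ECHO_REQUEST, echo, b"ping-a")))
    out_b = nat.outbound(ipv4("192.168.1.11", "198.51.100.5", icmp(ECHO_REQUEST, echo, b"ping-b")))
    id_a, id_b = icmp_id(out_a[20:]), icmp_id(out_b[20:])
    # The target answers with the translated IDs; a router on the path reports TTL exceeded for B.
    rep_a = ipv4("198.51.100.5", "203.0.113.1", icmp(ECHO_REPLY, struct.pack("!HH", id_a, 1), b"ping-a"))
    rep_b = ipv4("198.51.100.5", "203.0.113.1", icmp(ECHO_REPLY, struct.pack("!HH", id_b, 1), b"ping-b"))
    err_b = ipv4("192.0.2.9", "203.0.113.1", icmp(TIME_EXCEEDED, b"\x00" * 4, out_b))
    return {"ids": (id_a, id_b), "reply_a_to": ip_fields(nat.inbound(rep_a))[1],
            "reply_b_to": ip_fields(nat.inbound(rep_b))[1], "error_b": nat.inbound(err_b)}
```

Running demo() shows host B's ID being remapped from 0x1234 to 0x1235 on the outside, both replies reaching their own host, and the Time Exceeded error being delivered to B with the embedded header rewritten back to what B originally sent. The embedded ICMP checksum is patched incrementally (RFC 1624) rather than recomputed, because a real error message may carry only the first 8 bytes of the original datagram, so a full recompute over the truncated copy would be wrong. This ID-mapping behaviour for ICMP queries and errors is what RFC 5508 later set down as the expected NAT behaviour.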