On Thu, 27 May 2004, Manuel Kasper wrote:

> On 27.05.2004 09:07 -0400, nicolas bussieres wrote:
>
> > have several pc's connected to a m0n0wall and we are using network
> > management tools, but when 2 users on different pcs try to ping
> > the same external ip address (216.109.117.205, which is yahoo for
> > example), only one gets a response, and it takes a long while
> > after he stops for the other to start pinging
> >
> > is there a solution?
>
> No. That's because ICMP doesn't use port numbers, and as such when
> the reply from 216.109.117.205 comes in, ipnat doesn't know which LAN
> host to send it to. Some NAT implementations try to be clever about
> this, but ipnat (which is used in m0n0wall) isn't. I don't think this
> is a big restriction, though... There are no such problems with TCP
> or UDP.

Although ICMP doesn't use "port numbers", the request and reply forms
have a 16-bit "ID", which is conceptually more or less equivalent to the
TCP/UDP originating port number, and should be treated as such by NAT
(including possibly remapping it to avoid conflicts). Any NAT
implementation that doesn't do this is broken.

ICMP *errors* have no ID, but should be demultiplexed on the basis of
the embedded IP header from the associated *outgoing* packet.

Fred Wright
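
The handling described in the reply above, as an added example that is not part of the original message and is not ipnat code: a toy Python NAT table that treats the 16-bit echo ID like a source port, remaps it on conflict, and demultiplexes ICMP errors on the embedded outgoing header. The names `IcmpNat`, `echo` and `checksum` are hypothetical, and state expiry is left out.

```python
import socket
import struct
def checksum(data):
    """RFC 1071 Internet checksum over an ICMP message."""
    data += b"\x00" * (len(data) % 2)            # pad to whole 16-bit words
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def echo(typ, ident, seq, payload=b""):
    """Build an ICMP echo request (type 8) or reply (type 0)."""
    csum = checksum(struct.pack("!BBHHH", typ, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload

class IcmpNat:
    """Toy NAT state for ICMP, keyed on the echo ID like a TCP/UDP port."""
    def __init__(self):
        self.out = {}    # (lan_ip, orig_id, remote_ip) -> ext_id
        self.back = {}   # (remote_ip, ext_id) -> (lan_ip, orig_id)

    def outbound_echo(self, lan_ip, remote_ip, icmp):
        """Translate an outgoing echo request, remapping the ID on conflict."""
        _, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        key = (lan_ip, ident, remote_ip)
        if key not in self.out:
            ext_id = ident
            while (remote_ip, ext_id) in self.back:   # ID taken by another host
                ext_id = (ext_id + 1) & 0xFFFF
            self.out[key] = ext_id
            self.back[(remote_ip, ext_id)] = (lan_ip, ident)
        return echo(8, self.out[key], seq, icmp[8:])

    def inbound_reply(self, remote_ip, icmp):
        """Return (lan_ip, reply with the original ID restored), or None."""
        typ, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        hit = self.back.get((remote_ip, ident)) if typ == 0 else None
        return (hit[0], echo(0, hit[1], seq, icmp[8:])) if hit else None

    def inbound_error(self, icmp):
        """Demultiplex an ICMP error on the embedded outgoing IP header."""
        inner = icmp[8:]                  # quoted IP header + first 8 bytes
        ihl = (inner[0] & 0x0F) * 4
        if len(inner) < ihl + 8 or inner[9] != 1:     # truncated or not ICMP
            return None
        remote_ip = socket.inet_ntoa(inner[16:20])    # original destination
        ident = struct.unpack("!H", inner[ihl + 4:ihl + 6])[0]
        hit = self.back.get((remote_ip, ident))
        return hit[0] if hit else None
```

When two LAN hosts both send echo ID 0x0200 to 216.109.117.205, `outbound_echo` gives the second one a different external ID, so each reply and each ICMP error maps back to its own host.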