I've been going crazy trying to get this working. Here's the situation: we have a Solaris 10 box that connects an internal network to an external network. We're using ipf/ipnat on it. We've added a couple of new boxes to the internal network (192.168.1.100, .101) and want to be able to get to port 80 on them from the external network (say, at ports 81 and 82). We'd also like to allow the internal boxes to get to the rest of the world using NAT. ipf/ipnat seems like it can do this.
Here's an ifconfig -a from the Solaris box:
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.0.2 netmask ffffff00 broadcast 192.168.0.255
ether 8:0:27:b6:64:40
e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
ether 8:0:27:24:f0:95
e1000g2: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 4
inet 10.0.4.15 netmask ffffff00 broadcast 10.0.4.255
ether 8:0:27:90:3c:a
e1000g0 is connected to the external network. e1000g1 is connected to the internal network. e1000g2 is connected to the Internet.
I've got these rules in ipnat.conf:
map e1000g1 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map e1000g1 192.168.1.0/24 -> 0/32
rdr e1000g1 0.0.0.0/0 port 81 -> 192.168.1.100 port 80
ipf.conf is configured to allow all traffic.
Network connectivity is solid. Everything is connected the way it's supposed to be and I can get to everything from everywhere I'd expect to be able to.
Here's the problem: my maps and rdrs don't work. I can try to do something that gets me to the outside from the internal box (192.168.1.100) and I get this in ipnat -l, but the connection doesn't actually work:
List of active MAP/Redirect filters:
map e1000g1 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 10000:20000
map e1000g1 192.168.1.0/24 -> 0.0.0.0/32
rdr e1000g1 192.168.0.0/24 port 81 -> 192.168.1.100 port 80 tcp
List of active sessions:
MAP 192.168.1.1 <- -> 192.168.1.1 [192.168.1.100]
If I try to get to http://192.168.0.2:81/ from the external network, though, I get no new "active sessions" entry from ipnat -l (and obviously the page doesn't load).
Any thoughts as to what I'm doing wrong here? Hopefully it's something stupid I've just overlooked. I've spent way more time on this than I'd hoped to when I started. I've tried any number of variations and have Googled extensively to no avail.
Any help is appreciated.