From owner-freebsd-questions Mon Jan 27 21:42:25 2003
Date: Mon, 27 Jan 2003 22:42:07 -0700 (MST)
From: Nick Rogness
To: Vikash Badal - PCS
Cc: "'freebsd-questions@FreeBSD.ORG'"
Subject: Re: Source nat question (ipfw and natd) Revised
In-Reply-To: <501BF453CDCFD111A6E40080C83DAC04E4C219@PSICS001>
Message-ID: <20030127221735.S64691-100000@skywalker.rogness.net>

On Tue, 28 Jan 2003, Vikash Badal - PCS wrote:

> Greetings,
>
> My current natd.conf is as follows :
> --------------------------------------------------------------
> redirect_address 10.136.236.18 192.168.28.61
> redirect_address 10.136.236.20 192.168.20.47
> redirect_address 10.136.236.19 192.168.21.47
> -------------------------------------------------------------
> When I add the following mapping :
> redirect_address 10.136.236.18 192.168.15.47
> the source address for connections to 192.168.15.0/24
> is 192.168.25.61
>
> What I want to do is : if I initiate a connection to 192.168.15.0/24
> from 10.136.238.18 then I need the source address to be 192.168.15.47
>
> If I initiate a connection to 192.168.28.0/24 from 10.136.238.18 then I
> need the source address to be 192.168.28.61
>
> network layout
>
> 192.168.16.0:255.255.240.0 ---------------
> 192.168.15.0:255.255.255.0 ---|             |
>                               |             |
>                               |     HUB     |
>                               |             |
>        vx0 === 192.168.15.47 (alias address) 192.168.28.61
>
>        xl0 === 10.136.236.5
>                 |
>                 |
>                 |
>          10.136.236.0/24
>
>
> The machines on 192.168.x.x only hit 10.136.236.[18/19/20]
> depending on the application required. The source address of packets
> from the 192.168.x.x remains unaltered.
>
> The machines on the 10.136.236.0 network have a static route
> to the 192.168.x.x network.
>
> The translations work for :
> 10.136.236.20 to 192.168.20.0/24 i.e.
> the 192.168.20.0/24 sees the source as 192.168.28.61
> 10.136.236.19 to 192.168.21.0/24 i.e.
> the 192.168.20.0/24 sees the source as 192.168.20.47
>
> When I try to connect from 10.136.236.18 to 192.168.15.0/24,
> the source address is 192.168.28.61. I needed the source
> address to be 192.168.15.47 only when I connect to 192.168.15.0/24
>
> If I change the order of the redirect rules in /etc/natd.conf :
> i.e.
> redirect_address 10.136.236.18 192.168.15.47
> is placed before
> redirect_address 10.136.236.18 192.168.28.61
>
> then the translation to 192.168.28.0/24 no longer works but the
> translation for 192.168.15.0/24 works.

Yes, this is true as it will use the first entry in natd.conf for the
translation. The problem is, you are thinking of the translations
backwards.

Are only 3 machines on the 10.136 segment talking to only 3 machines on
the 192 segment? Does communication have to go both ways, i.e. do the
192.168 machines need to talk to 10.136 machines?
Also, you can run multiple copies of natd for the same interface
(different port needed) and direct packets to the different natds based
on the firewall rules applied:

Firewall rules and corresponding natd #1 (on port 8668):

# ipfw add divert 8668 ip from 10.136.236.18/32 to 192.168.15.0/24 out via vx0
# ipfw add divert 8668 ip from 192.168.15.0/24 to 192.168.15.47/32 in via vx0
# natd -p 8668 -n vx0 -redirect_address 10.136.236.18 192.168.15.47

Firewall rules and corresponding natd #2 (port 8669):

# ipfw add divert 8669 ip from 10.136.236.18/32 to 192.168.28.0/24 out via vx0
# ipfw add divert 8669 ip from 192.168.28.0/24 to 192.168.28.61/32 in via vx0
# natd -p 8669 -n vx0 -redirect_address 10.136.236.18 192.168.28.61

Nick Rogness
  - How many people here have telekinetic powers? Raise my hand.
    -Emo Philips
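The one-natd-per-mapping setup Nick describes, written out as a small generator script. This is an added example, not code from Nick's mail or from FreeBSD; the interface name vx0, the starting rule number 1000, the starting divert port 8668 and the mapping table are assumptions constructed from the addresses in the thread. Each mapping gets its own natd instance on its own divert port, an outbound divert rule for the traffic that must wear that alias, and the matching inbound rule so the replies reach the same natd. Explicit rule numbers keep these specific rules ahead of any general "divert natd" rule that follows; ipfw is first-match, so rule order decides which natd sees a packet, just as entry order decides in natd.conf.

```shell
#!/bin/sh
# Added example (not from the original mail): build the paired ipfw divert
# rules and the natd command line for each mapping, one natd per mapping.
# Assumed values, not taken from a real configuration:
IFACE=${IFACE:-vx0}           # outer interface, as in the thread
BASE_RULE=${BASE_RULE:-1000}  # first ipfw rule number to use
BASE_PORT=${BASE_PORT:-8668}  # first divert port to use

# Mapping table (constructed from the thread):
#   <local ip> <alias to present as source> <destination network>
MAPPINGS='10.136.236.18 192.168.15.47 192.168.15.0/24
10.136.236.18 192.168.28.61 192.168.28.0/24'

# gen_rules: per mapping, emit the outbound divert rule, the inbound divert
# rule for the replies, and the natd instance that owns that divert port.
# Rule numbers and ports increase in table order, so the first mapping for
# a given source wins, exactly like the first entry in natd.conf.
gen_rules() {
    rule=$BASE_RULE
    port=$BASE_PORT
    while read -r local alias net; do
        [ -n "$local" ] || continue
        echo "ipfw add $rule divert $port ip from $local to $net out via $IFACE"
        rule=$((rule + 1))
        echo "ipfw add $rule divert $port ip from $net to $alias in via $IFACE"
        rule=$((rule + 1))
        echo "natd -p $port -n $IFACE -redirect_address $local $alias"
        port=$((port + 1))
    done <<EOF
$MAPPINGS
EOF
}

# check_mappings: fail if the same (local ip, destination net) pair appears
# twice; the second copy could never match, which is the same first-entry-
# wins trap the question ran into with natd.conf ordering.
check_mappings() {
    dups=$(printf '%s\n' "$MAPPINGS" | awk 'NF { print $1, $3 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Usage: `sh thisscript.sh print` to review, then `gen_rules | sh` as root
# on the FreeBSD router once the output looks right.
if [ "${1:-}" = "print" ]; then
    check_mappings || { echo "duplicate local/destination pair in MAPPINGS" >&2; exit 1; }
    gen_rules
fi
```

Any packet from 10.136.236.18 to a destination not listed in the table falls through to whatever divert rule comes next in the ruleset, so a general natd rule, if one is kept, belongs after these numbered rules.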