From owner-freebsd-stable Thu Sep 6 7:42:15 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from sgi04-e.std.com (sgi04-e.std.com [199.172.62.134]) by hub.freebsd.org (Postfix) with ESMTP id C3D3937B408; Thu, 6 Sep 2001 07:42:09 -0700 (PDT)
Received: from world.std.com (world-f.std.com [199.172.62.5]) by sgi04-e.std.com (8.9.3/8.9.3) with ESMTP id KAA32447862; Thu, 6 Sep 2001 10:42:08 -0400 (EDT)
Received: (from kwc@localhost) by world.std.com (8.9.3/8.9.3) id KAA04616; Thu, 6 Sep 2001 10:42:06 -0400 (EDT)
Date: Thu, 6 Sep 2001 10:42:06 -0400 (EDT)
From: Kenneth W Cochran
Message-Id: <200109061442.KAA04616@world.std.com>
To: freebsd-stable@freebsd.org
Subject: NAT with >1 public interface still not working
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello:

How do I "properly" set up NAT on a (gateway) system that "transmits" and "receives" on different interfaces?

Briefly - Machine A receives on fxp0 & transmits on ppp0. I'd like to use a 2nd Ethernet on Machine A (fxp1) for the "NAT"ed/masqueraded network.

Scenario:

Machine A:
- Running RELENG_4 as of 2001/09/01; tracking -stable roughly weekly (thus one reason I'm asking on -stable :).
- Connected to a "hybrid" aka "1-way" cable-modem.
- "Receives" via cablemodem/Ethernet (fxp0, config'ed as 10.0.0.11/24).
- "Transmits/outgoing" via analog dial-modem & ppp(d).
- "Real" ip-address is established by (kernel) pppd (ppp0, *not* tun0), and is "officially" dynamic, even though it always (at least right now) gets the same ip-address.
- Runs cache-only nameserver.
- Has been running in this manner for about 1.5 years.
- (recently) Has 2nd NIC (fxp1), connected to hub for private network.

Machine B:
- Has private ip-address on "its" fxp0.
- Connected via hub to 2nd NIC (fxp1) on Machine A.
I've followed the instructions from the Handbook, Section 18.10, Network Address Translation, with regard to kernel & rc.conf configuration, etc.

Here is the output from "ipfw list" on Machine A:

00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any

Machines A & B can talk to each other; I can ping & ssh from/to either one, & DNS works on both machines. However, while Machine A communicates "outside" (with the Internet) as usual, Machine B cannot.

I'm beginning to wonder if FreeBSD can even *do* this, as I can't find anything in the natd manpage (or experimentation) that indicates natd can support >1 interface, and the manpages are silent about use of kernel ppp for this. (?) :-/

I'm thinking something needs to be tweaked in the ipfw and/or natd-config(s). Suggestions?

Also, where would be the best place(s) to put these "customizations" (for example, so as to not be any more "disruptive" than necessary to the base-OS configs)?

Does it matter whether the ppp(d)-link is up before/after ipfw/natd configuration?

Of course, FAQ/-doc/readme pointers are quite welcome. :)

Please cc replies to me.

Many thanks,

-kc
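An added check, not part of the post or a reply to it: the ruleset above diverts to natd only for packets seen "via fxp0", while the post says outbound traffic leaves on ppp0. natd can only translate a flow it sees in both directions, so a quick way to audit such an asymmetric gateway is to parse "ipfw list" and compare the interfaces each divert rule covers against the interfaces the NAT path actually uses. The script below is example code assuming the rule syntax shown on the page (plus the standard ipfw "in"/"out", "recv" and "xmit" qualifiers); the two-rule "fixed" ruleset is a constructed illustration, not a verified configuration from the thread.

```python
"""Audit an ipfw ruleset for natd divert coverage on an asymmetric gateway.

Added example, not from the original post.  Assumption: natd must see
a flow's packets in every direction on every interface they traverse,
so each interface on the NAT path needs a matching divert rule.
"""
import re
from typing import Dict, List, Set

# Ruleset exactly as shown in the post ("ipfw list" on Machine A).
IPFW_LIST_MACHINE_A = """\
00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any
"""

# Constructed variant (illustration only): divert on both public interfaces.
IPFW_LIST_BOTH_IFACES = """\
00050 divert 8668 ip from any to any via fxp0
00060 divert 8668 ip from any to any via ppp0
65000 allow ip from any to any
"""

# Directions natd must see per interface, per the post: inbound packets
# arrive on fxp0 (cable modem), outbound packets leave on ppp0 (dial-up).
MACHINE_A_NAT_PATH: Dict[str, Set[str]] = {"fxp0": {"in"}, "ppp0": {"out"}}

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>\S+)(?:\s+(?P<arg>\d+))?\s+(?P<rest>.*)$"
)
# via X matches both directions; recv X only inbound; xmit X only outbound;
# an explicit "in"/"out" before "via" narrows it to that direction.
IFACE_RE = re.compile(
    r"\b(?:(?P<dir>in|out)\s+)?(?P<kw>via|recv|xmit)\s+(?P<iface>\S+)"
)


def divert_coverage(ruleset: str) -> Dict[str, Set[str]]:
    """Return interface -> set of directions covered by divert rules.

    A divert rule with no interface qualifier covers every interface; it is
    recorded under the pseudo-interface "*".
    """
    coverage: Dict[str, Set[str]] = {}
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("action") != "divert":
            continue
        matches = list(IFACE_RE.finditer(m.group("rest")))
        if not matches:
            coverage.setdefault("*", set()).update({"in", "out"})
            continue
        for im in matches:
            kw, direction, iface = im.group("kw"), im.group("dir"), im.group("iface")
            if kw == "recv":
                dirs = {"in"}
            elif kw == "xmit":
                dirs = {"out"}
            else:
                dirs = {direction} if direction else {"in", "out"}
            coverage.setdefault(iface, set()).update(dirs)
    return coverage


def missing_nat_coverage(ruleset: str, nat_path: Dict[str, Set[str]]) -> List[str]:
    """List interface/direction pairs on the NAT path with no divert rule."""
    cov = divert_coverage(ruleset)
    gaps: List[str] = []
    for iface, needed in sorted(nat_path.items()):
        have = cov.get(iface, set()) | cov.get("*", set())
        for d in sorted(needed - have):
            gaps.append(f"{iface}: no divert rule for {d}bound packets")
    return gaps


if __name__ == "__main__":
    for name, rules in (("as posted", IPFW_LIST_MACHINE_A),
                        ("constructed two-interface variant", IPFW_LIST_BOTH_IFACES)):
        gaps = missing_nat_coverage(rules, MACHINE_A_NAT_PATH)
        print(f"{name}: {gaps or 'natd sees every interface on the NAT path'}")
```

Run against the posted ruleset the audit reports that ppp0 carries outbound packets natd never sees; against the constructed variant it reports no gaps. The check is only about rule coverage, not about natd's aliasing address or ppp0 coming up after the rules are loaded, which the post also raises.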