From owner-freebsd-net Tue Dec 4 23:52:34 2001
Delivered-To: freebsd-net@freebsd.org
Received: from c7.campus.utcluj.ro (c7.campus.utcluj.ro [193.226.6.226]) by hub.freebsd.org (Postfix) with SMTP id B131437B419 for ; Tue, 4 Dec 2001 23:52:26 -0800 (PST)
Received: (qmail 7816 invoked from network); 5 Dec 2001 07:52:43 -0000
Received: from veedee.c7.campus.utcluj.ro (HELO veedee) (172.27.0.3) by gateway.c7.campus.utcluj.ro with SMTP; 5 Dec 2001 07:52:43 -0000
From: "veedee"
To: "Arjan de Vet"
Cc: "freebsd-net@freebsd.org"
Date: Wed, 05 Dec 2001 09:51:18 +0200
Reply-To: "veedee"
X-Mailer: PMMail 2000 Professional (2.20.2360) For Windows 2000 (5.1.2600)
In-Reply-To: <20011204211807.A95642@adv.devet.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: ipnat
Message-Id: <20011205075226.B131437B419@hub.freebsd.org>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Thanks for your help Arjan, the 0/0 finally worked :)

I was testing the connection from one of the other servers in the buildings, and that server had a real IP address, not one in 172.27.40.0/23, so ipnat was NATing for it too. But after I added "map xl0 from 172.27.0.0/23 to y.y.y.y/32 -> 0/0", it worked.

All the best,
veedee.

On Tue, 4 Dec 2001 21:18:08 +0100, Arjan de Vet wrote:

>In article <20011204210510.A1833@c7.campus.utcluj.ro> you write:
>
>># allow everything to the other building
>>add allow ip from any to 172.27.40.0/23
>>add divert natd ip from any to any via xl0
>>add allow ip from any to any
>
>I'm not familiar with natd but I guess this means that traffic towards
>172.27.40.0/23 should not be NATted but the rest should.
>
>>my internal network is 172.27.0.0/23 and the network in the other building is
>>172.27.40.0/23. Their configuration is correct as they are able to
>>masquerade with another building successfully. Now, what we were doing is
>>allow our workstations to use their services with one another. So a station
>>from the other building (let's say 172.27.40.133) was able to ftp, telnet,
>>ssh to a station in my building (for instance 172.27.1.5). So what was sent
>>to the other building was sent "un-masqueraded" (the divert rule came after allow). Also
>>we had to add a route like:
>>"route add -net 172.27.40.0 otherbuilding 255.255.254.0".
>>
>>-- ipnat.rules --
>>map xl0 172.27.0.0/23 -> x.x.x.x/32 proxy port ftp ftp/tcp
>>map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32
>
>Try something like this:
>
>map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0 proxy port ftp ftp/tcp
>map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0
>map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32 proxy port ftp ftp/tcp
>map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32
>
>0/0 is a special directive to indicate that no NAT-ing should take place
>(0/32 is shorthand for the current IP address of the xl0 interface,
>useful if that address is obtained via DHCP).
>
>The first two rules say that traffic from 172.27.0.0/23 towards
>172.27.40.0/23 should not be natted (but the kernel ftp proxy is still
>used in this case). The rest will be NAT-ed to x.x.x.x.
>
>.....
>
>Arjan
>
>--
>Arjan de Vet, Eindhoven, The Netherlands
>URL : http://www.iae.nl/users/devet/
>Work: http://www.madison-gurkha.com/ (Security, Open Source, Education)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
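Added worked example (not code from the thread, and not veedee's or Arjan's): a small Python model of how ipnat picks a map rule, assuming that the first matching map rule wins and that a "proxy port ftp" rule only claims traffic whose destination port is 21. The addresses 198.51.100.1 (standing in for x.x.x.x, the gateway's external address) and 198.51.100.77 (standing in for y.y.y.y, the real-IP test server) are constructed placeholders. It reproduces what the thread found: with only the 172.27.40.0/23 exemption in place, a test host with a real address still falls through to the catch-all and gets NATed; an extra 0/0 rule for that host, placed ahead of the catch-all, stops that; and reversing the rule order shows why the exemptions must come first.

```python
"""Model of ipnat 'map' rule selection: first matching rule wins.

Added example, not code from the thread. Constructed stand-ins:
198.51.100.1 plays the gateway's external address (x.x.x.x in the thread)
and 198.51.100.77 the real-IP test server (y.y.y.y). Assumptions: ipnat
takes the first map rule that matches, and a 'proxy port ftp' rule only
claims traffic whose destination port is 21. Protocol, connection state
and the 0/32 shorthand are not modelled."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21}  # the one /etc/services entry this example needs


@dataclass
class MapRule:
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str                # "0/0" means: leave the source address alone
    proxy_port: Optional[int]  # set when the rule says 'proxy port NAME'


def _net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)


def parse_rule(line: str) -> MapRule:
    """Parse 'map IF [from SRC to DST | SRC] -> TARGET [proxy port NAME ...]'."""
    t = line.split()
    if not t or t[0] != "map":
        raise ValueError(f"not a map rule: {line!r}")
    iface = t[1]
    if t[2] == "from":               # long form with explicit destination
        src, dst, rest = t[3], t[5], t[6:]
    else:                            # short form: destination is implicitly any
        src, dst, rest = t[2], "any", t[3:]
    if len(rest) < 2 or rest[0] != "->":
        raise ValueError(f"missing '-> TARGET' in {line!r}")
    proxy_port = None
    if len(rest) >= 5 and rest[2] == "proxy" and rest[3] == "port":
        proxy_port = PORT_NAMES.get(rest[4]) or int(rest[4])
    return MapRule(iface, _net(src), _net(dst), rest[1], proxy_port)


def translate(rules: List[MapRule], src_ip: str, dst_ip: str, dport: int,
              iface: str = "xl0") -> Tuple[Optional[str], bool]:
    """Return (new_source, proxied). new_source is None when the packet goes
    out untranslated, either because a 0/0 rule matched or no rule matched."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface != iface or s not in r.src or d not in r.dst:
            continue
        if r.proxy_port is not None and r.proxy_port != dport:
            continue                 # a proxy rule only claims its own port
        return (None if r.target == "0/0" else r.target, r.proxy_port is not None)
    return (None, False)


# Arjan's suggested rule set, with the constructed external address.
BEFORE_FIX = [parse_rule(ln) for ln in """
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0
map xl0 from 172.27.0.0/23 to any -> 198.51.100.1/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> 198.51.100.1/32
""".strip().splitlines()]

# veedee's fix: one more 0/0 rule for the real-IP test server, ahead of the catch-all.
AFTER_FIX = (BEFORE_FIX[:2]
             + [parse_rule("map xl0 from 172.27.0.0/23 to 198.51.100.77/32 -> 0/0")]
             + BEFORE_FIX[2:])

if __name__ == "__main__":
    sets = (("before", BEFORE_FIX), ("after", AFTER_FIX), ("reversed", list(reversed(AFTER_FIX))))
    for name, rules in sets:
        for dst, port in (("172.27.40.133", 22), ("198.51.100.77", 22), ("203.0.113.9", 21)):
            print(f"{name:8} 172.27.1.5 -> {dst}:{port} ->", translate(rules, "172.27.1.5", dst, port))
```

The check a practitioner would do on the real box is the same one the model makes explicit: after loading the rules, confirm with `ipnat -l` that the exemption rules are listed ahead of the catch-all, because once the "to any" rule matches first nothing behind it is ever consulted.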