From owner-freebsd-hackers Sun Jan 21 17:22:30 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from arachna.com (dnai-216-15-61-88.cust.dnai.com [216.15.61.88]) by hub.freebsd.org (Postfix) with SMTP id EED0337B401 for ; Sun, 21 Jan 2001 17:22:11 -0800 (PST)
Received: (qmail 7123 invoked by uid 1001); 22 Jan 2001 01:26:52 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 22 Jan 2001 01:26:52 -0000
Date: Sun, 21 Jan 2001 17:26:52 -0800 (PST)
From: Ian Kallen
To: freebsd-hackers@freebsd.org
Subject: Re: accessing an outside IP from inside a NAT net
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Since I hate finding unanswered questions in the archive, I'm posting the
resolution. The previous answers that suggested subnetting the internal
network and setting up additional port diversions for the webserver in the
firewall rules didn't do it, certainly not in combination. However, setting
up another port diversion for natd on the internal network did the trick.
The external net NIC is using the ed driver, the internal ep, so the
firewall rules now simply have

    # wipe the slate
    /sbin/ipfw -f flush
    # outside net
    /sbin/ipfw add divert natd all from any to any via ed0
    # inside net, this is what needed to be added
    /sbin/ipfw add divert natd all from any to any via ep0
    # whatever other specific packet processing rules...
    /sbin/ipfw add pass all from any to any

I had to poke around at natd and ipfw a whole lot to arrive at this
conclusion. IMO the additional rule for the internal net should be in the
example rc.firewall and/or in the /usr/share/examples/etc examples.

cheers,
-Ian

-- 
Ian Kallen | AIM: iankallen | efax: (415) 354-3326

On Fri, 19 Jan 2001, Ian Kallen wrote:

> I'd like a hand figuring out how to access resources on the internal side
> of a NAT net from within it without doing something kludgey with DNS.
> i.e. suppose I run natd with a configuration like this:
>
> # begin /etc/natd.conf
> use_sockets
> same_ports
> port 8668
> deny_incoming no
> log
> redirect_port tcp 10.0.0.128:80 206.169.18.10:80
> # end /etc/natd.conf
>
> Now if the DNS for the web server www.foo.com running on 10.0.0.128
> directs a browser on the 10.0.0.0 net to 206.169.18.10, it doesn't get
> routed back to 10.0.0.128; it just hangs (I'm actually not sure what's
> happening there, the connection never succeeds). Is there a nice way to
> handle this case without running a dummy DNS just for the 10.0.0.0
> internal net?
>
> thanks,
> -Ian
>
> --
> Ian Kallen | AIM: iankallen | efax: (415) 354-3326
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
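The following is a toy model, added here and not part of the thread, of why the extra `divert natd ... via ep0` rule matters. It simulates one TCP SYN through the gateway: the incoming natd pass applies `redirect_port`, then the packet is either delivered to the gateway itself (its own alias address) or forwarded, with an outgoing natd pass that aliases the source. Addresses are the ones from the thread; the external client address 198.51.100.7 and the helper names are constructed.

```python
"""Simplified model of ipfw 'divert natd' plus natd redirect_port.

Constructed example: no kernel or natd is involved, and natd's real
state tracking is reduced to the two address rewrites that matter here.
"""
ALIAS = "206.169.18.10"          # natd alias address, lives on ed0
WEB = "10.0.0.128"               # redirect_port tcp 10.0.0.128:80 ALIAS:80
REDIRECTS = {(ALIAS, 80): (WEB, 80)}
INTERNAL_NET = "10.0.0."

RULES_OUTSIDE_ONLY = {"ed0"}          # divert natd ... via ed0
RULES_BOTH = {"ed0", "ep0"}           # plus divert natd ... via ep0


def arrival_iface(src):
    """Interface a packet with this source address arrives on."""
    return "ep0" if src.startswith(INTERNAL_NET) else "ed0"


def gateway(divert_ifaces, src, dst, dport):
    """Return where a SYN from src to dst:dport ends up after the gateway."""
    iface = arrival_iface(src)
    if iface in divert_ifaces:
        # incoming pass through natd: redirect_port rewrites the destination
        dst, dport = REDIRECTS.get((dst, dport), (dst, dport))
    if dst == ALIAS:
        # still addressed to the gateway itself: delivered locally, where
        # nothing listens on port 80, so the client's connection never succeeds
        return {"delivered_to": "gateway", "src": src, "dst": dst, "dport": dport}
    out_iface = "ep0" if dst.startswith(INTERNAL_NET) else "ed0"
    if out_iface in divert_ifaces:
        # outgoing pass through natd: source becomes the alias, so the web
        # server's reply returns via the gateway and is un-NATed there
        src = ALIAS
    return {"delivered_to": out_iface, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    for rules in (RULES_OUTSIDE_ONLY, RULES_BOTH):
        print(sorted(rules), gateway(rules, "10.0.0.5", ALIAS, 80))
```

With the internal divert in place, the web server sees the hairpinned connection as coming from 206.169.18.10 rather than 10.0.0.5, which is visible in its logs.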