Date: Wed, 2 Feb 2000 09:21:59 -0800 (PST)
From: Philip Hallstrom <philip@adhesivemedia.com>
To: Scott Worthington <SWorthington@hsag.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Running natd on multiple interfaces??? (SOLUTION)
Message-ID: <Pine.BSF.4.10.10002020903320.44130-100000@mug.adhesivemedia.com>
In-Reply-To: <s8980120.046@internal.hsag.com>
Hi all -

The following is what I did to get natd running on multiple interfaces
and my reasons for why I wanted this. I don't think I can draw this in
ASCII so take a look at the following for the parts of my network that
are relevant.

http://www.adhesivemedia.com/~philip/natd.gif

Setup:

We have a DSL connection from NWLink. We have two static IP addresses.
The firewall/natd run on henrys. natd has been configured to redirect
address 207.202.159.73 to 10.1.0.3 (to mug.i). mug is our web server
(www.adhesivemedia.com).

The problem I was having was with DNS. From the outside (all of you) DNS
says that www.adhesivemedia.com -> 207.202.159.73. Works just fine.
However, from any of my internal machines (i.e. "Clients"), if we try to
go to www.adhesivemedia.com (207.202.159.73) we end up on the ed0
interface of henrys which of course is not the webserver. This is
because in order for henrys to redirect 207.202.159.73 it has to have it
as an alias on its interface.

So, to fix this I set up another DNS server on anw which believed that
it was a master for adhesivemedia.com. Within that I told it that
www.adhesivemedia.com -> 10.1.0.3. Everything works just fine except
that I now have two "master" adhesivemedia.com servers that I have to
keep straight and it was driving me nuts. I also couldn't use nsupdate
(or, I could, but I'd have to do it twice, and once from an external
machine).

So, to fix this I am now running natd on the xl0 interface as well and
having it redirect 207.202.159.73 to 10.1.0.3. This allowed me to stop
the DNS server on anw. Now all machines everywhere see
www.adhesivemedia.com as 207.202.159.73. The only catch is that other
machines on the 10.1.0.1/24 network (alongside mug.i) can't reach
www.adhesivemedia.com, but that isn't really a problem as they all
belong to the i.adhesivemedia.com domain so they all look for
www.i.adhesivemedia.com which is an internal domain and DNS is handled
correctly. The only place I've found that it's a problem is if that
client tries to use nsupdate (kind of ironic :)

Here's what I actually did to get things to work:

- set up normal firewall/natd stuff on ed0.

To set up the second natd, I do:

    /sbin/ipfw add 101 divert 8669 ip from any to any via xl0
    ${natd_program} -n xl0 -p 8669 ${natd_flags}

The above variables come out of /etc/rc.conf and are set to:

    natd_flags="-redirect_address 10.1.0.3 207.202.159.73"
    natd_program="/sbin/natd"

The only catch is to make sure I only have redirect_address flags in my
natd_flags line. I start this out of /usr/local/etc/rc.d.

Works like a charm.

-philip

On Wed, 2 Feb 2000, Scott Worthington wrote:

> Would you mind posting the _final_ complete solution to
> freebsd-questions?
>
> >>> Philip Hallstrom <philip@adhesivemedia.com> 02/02/00 09:39AM >>>
> I got it working... my firewall rule was only grabbing half of the
> packets which was causing problems... I didn't use -reverse though,
> just did it normally.
>
> Works great!
>
> (I got tired of maintaining an "internal master dns" and an "external
> master dns" server).
>
> :)
>
> Thanks!
>
> On Wed, 2 Feb 2000, Ruslan Ermilov wrote:
>
> > On Tue, Feb 01, 2000 at 10:34:19AM -0800, Philip Hallstrom wrote:
> > > Hi -
> > > I have a rather strange question which needs some explaining. I
> > > need to run natd on two interfaces and can't get it to work right.
> > >
> > > Here's my situation:
> > >
> > > firewall:
> > > - ed0: 1.2.3.4, 1.2.3.5 (alias). External interface.
> > > - xl0: 10.0.0.1. Internal interface with my desktops on it.
> > > - xl1: 10.1.0.1. Internal interface with my servers.
> > > - natd is setup to redirect 1.2.3.5 to 10.1.0.2 (my www server).
> > >
> > > Here's my problem. DNS is setup so that www->1.2.3.5. This will not
> > > work from machines on the xl0 interface since natd only redirects
> > > traffic coming into ed0. On xl0, 1.2.3.5 ends up at my firewall,
> > > not my www server. (I know I can "fix" this with some fancy DNS,
> > > but it won't really solve my problem)
> > >
> > > How can I setup natd to run on xl0 and *only* have it redirect
> > > 1.2.3.5 to 10.1.0.2? Is that possible? I tried several different
> > > combinations of options (including -reverse, -proxy_only, -n xl0,
> > > -redirect_address ....) but couldn't get any of it to work.
> > > I would prefer not to have the IP's "behind" xl0 get remapped to
> > > 10.0.0.1 if I can help it.
> > >
> > 1. Add the following firewall rules:
> >
> > divert XXX ip from any to 1.2.3.5 in via xl0
> > divert XXX ip from 10.1.0.2 to any out via xl0
> >
> > where XXX is some divert(4) port on which second natd(8) will be run.
> >
> > 2. Start second natd(8) the following way:
> >
> > natd -p XXX -n xl0 -reverse -redirect_address 10.1.0.2 1.2.3.5
> >
> > 3. If this does not work, please add the `log' keyword to the ipfw(8)
> > rules in step 1, and `-v' flag to natd(8) in step 2. script(1)
> > output from natd(8), make a connection to 1.2.3.5 from somewhere
> > behind xl0, and send me the output of natd(8) and dmesg(8) output
> > from the ipfw(8) rules in step 1.
> >
> > --
> > Ruslan Ermilov            Sysadmin and DBA of the
> > ru@ucb.crimea.ua          United Commercial Bank,
> > ru@FreeBSD.org            FreeBSD committer,
> > +380.652.247.647          Simferopol, Ukraine
> >
> > http://www.FreeBSD.org    The Power To Serve
> > http://www.oracle.com     Enabling The Information Age
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
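As an added example (not code from the thread or from FreeBSD), the following sh script builds the ipfw(8) divert rule and the natd(8) command line for the second, internal-interface natd described in Philip's message, and refuses to start it unless natd_flags contains nothing but -redirect_address triples, which is the "only catch" he notes. The function names check_redirect_only, internal_divert_rule and internal_natd_cmd are assumed; the interface, port and addresses are the ones from the message.

```shell
#!/bin/sh
# Added example, not from the thread: emit the divert rule and natd(8)
# command line for the second natd on the internal interface, and refuse
# unless natd_flags is made only of -redirect_address triples.
# check_redirect_only, internal_divert_rule and internal_natd_cmd are
# assumed helper names; addresses and port are the ones in the message.

natd_program="/sbin/natd"
internal_if="xl0"          # desktop-side interface that gets the second natd
internal_port=8669         # divert(4) port for that natd
natd_flags="-redirect_address 10.1.0.3 207.202.159.73"

# Return 0 if the flag string is only "-redirect_address A B" triples, else 1.
# Any other option (-reverse, -proxy_only, ...) would make this natd rewrite
# internal source addresses, which is exactly what is not wanted on xl0.
check_redirect_only() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -redirect_address)
                [ $# -ge 3 ] || return 1
                shift 3 ;;
            *)
                return 1 ;;
        esac
    done
    return 0
}

# The ipfw rule that hands every packet crossing the internal interface to
# the second natd's divert port (rule number 101, as in the message).
internal_divert_rule() {
    printf '/sbin/ipfw add 101 divert %s ip from any to any via %s\n' \
        "$internal_port" "$internal_if"
}

# The natd command line, produced only after the flags pass the check.
internal_natd_cmd() {
    check_redirect_only "$natd_flags" || {
        echo "natd_flags contains options other than -redirect_address" >&2
        return 1
    }
    printf '%s -n %s -p %s %s\n' \
        "$natd_program" "$internal_if" "$internal_port" "$natd_flags"
}

# Dry run: print the commands instead of executing them.
internal_divert_rule
internal_natd_cmd
```

Replace the two printf calls with real execution only once the printed lines match what you intend to run on the firewall.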