Date: Wed, 18 Oct 2006 10:22:42 -0400
From: "Nathan Vidican" <nathan@envieweb.net>
To: questions@freebsd.org
Subject: selective NAT/gateway
Message-ID: <20061018140538.M24325@envieweb.net>
Got a bit of an interesting question, wondering how others out there might have dealt with this: we have a single machine acting as router/firewall/NAT gateway via DSL. It routes a small (/29) subnet of static IPs to our servers, and routes between internal (non-public) subnets. Internet traffic is then routed via NAT translation over the PPPoE link. We then use a proxy server to cache most of our web traffic. Works well, and has been for several years now, but we need to be able to deny traffic through the NAT gateway based on IP addresses or ranges.

Given the following example:

Internet -> DSL+Subnet -> FreeBSD router + NAT/PPPoE -> 192.168.0.1 + 192.168.1.1 + 192.168.2.1 + 192.168.3.1
(each of these private subnets is a physically different network, connected via an independent ethernet interface - multiport intel 'fxp' cards)

Internal machines -> 192.168.0.100 - 192.168.0.200
Select Internal machines -> 192.168.0.10 - 192.168.0.50

Want to allow 192.168.0.10 through 192.168.0.50 full use of the gateway (enabling internet access via NAT), but deny machines in the 192.168.0.100 - 192.168.0.200 range from using NAT - yet still allow them to use 'regular' routes (given the example below, want to allow 192.168.0.X to connect to/from 192.168.3.X for instance).

So the long question shortened: how do I deny NAT traffic for specific IP addresses, without blocking those addresses from routing through 'normal' routes to other subnets? Essentially, I need an IPFW rule to block traffic from 192.168.0.X through via NAT, or don't I?

Any ideas/comments/suggestions greatly appreciated (note the above is an example, not actual addresses).

--
Nathan Vidican
nathan@vidican.com
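One way to express the rule the question asks for, as an added example that is not part of the original post or of the FreeBSD documentation: a small sh script that generates an ipfw rule set in which the 192.168.0.100-200 range is denied only on packets leaving via the PPPoE link, placed ahead of the natd divert rule. Because the deny matches on the outgoing interface, packets from 192.168.0.x to 192.168.3.x (which leave via an fxp interface, not the PPPoE link) are never touched. Assumptions made here: the PPPoE interface is tun0, natd runs on its default divert port, the ipfw2 address-set syntax (addr/24{lo-hi}) is available, and the rule numbers are arbitrary choices for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Generates ipfw rules that let
# everyone except 192.168.0.100-200 reach the Internet through natd, while
# leaving ordinary routing between the private subnets untouched.
#
# Assumed values (change to match the real box):
EXT_IF="${EXT_IF:-tun0}"           # PPPoE interface the NAT traffic leaves on
NO_NAT="192.168.0.0/24{100-200}"   # hosts that must not be translated

# Print the rule set in load order. ipfw stops at the first matching rule,
# so the deny (rule 200) must carry a lower number than the divert (rule 300):
# a packet from a NO_NAT host bound for the DSL link is dropped before natd
# ever sees it. Traffic from those hosts to 192.168.1-3.x exits on an fxp
# interface, matches neither rule, and falls through to the final allow.
build_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from $NO_NAT to any out via $EXT_IF
add 300 divert natd ip from any to any via $EXT_IF
add 400 allow ip from any to any
EOF
}

# Sanity check on the generated set: returns 0 only when the first deny rule
# is numbered lower than the first divert rule, i.e. the ordering the
# comment above relies on actually holds.
deny_precedes_divert() {
    deny_no=$(build_rules | awk '$3 == "deny" { print $2; exit }')
    divert_no=$(build_rules | awk '$3 == "divert" { print $2; exit }')
    [ -n "$deny_no" ] && [ -n "$divert_no" ] && [ "$deny_no" -lt "$divert_no" ]
}

# Stand-alone use: print the rules, or load them as root with
#   build_rules > /etc/ipfw.nat.rules && ipfw -q /etc/ipfw.nat.rules
if deny_precedes_divert; then
    build_rules
else
    echo "rule ordering is wrong: deny must precede divert" >&2
    exit 1
fi
```

The deny is deliberately keyed on the outgoing interface rather than on the destination address: listing every "non-internal" destination would be fragile, whereas "anything that would leave on the PPPoE link" is exactly the set of packets natd would otherwise translate. If a separate allow list of NAT-capable hosts is preferred over a deny list, the same ordering applies: put the allow/deny pair for the specific ranges ahead of the divert rule.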