Date: Wed, 09 Oct 2002 10:29:29 +0300
From: Kim Helenius <kim.helenius@kepa.fi>
To: Josh Paetzel <friar_josh@webwarrior.net>
Cc: JoeB <barbish@a1poweruser.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: Puzzling NATD problem - revisited
Message-ID: <3DA3DAD9.4020906@kepa.fi>
References: <3DA2D9D0.6050908@kepa.fi> <MIEPLLIBMLEEABPDBIEGGEGJCMAA.barbish@a1poweruser.com> <20021009061602.GE57870@ns1.webwarrior.net>
Thank you both for your answers. The campus network uses public IP address space, sorry for not including that information. The reason I included it between the Internet and the natd gateway is that if there's some weirdness in it, I somehow have to compensate for it in FreeBSD. As I stated, Linux users haven't had any problems with NAT in the same network. Even I had working NAT in the same network two years ago (on FreeBSD 4.1-4.3 I think), so I'm trying to pinpoint the cause of this extremely peculiar behaviour.

Josh Paetzel wrote:
> On Tue, Oct 08, 2002 at 03:28:28PM -0400, JoeB wrote:
>
>> You state Network topology:
>> Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host
>>
>> The Internet is public IP address space. If the Campus Network is private IP address space then
>> you can not NAT them again; if the Campus Network is public IP address space then you
>> should NAT xl1 for the private IP addresses on the LAN behind the FBSD box.
>>
>
> That's not correct. I've seen two layers of NATD work just fine in an office
> building environment where the gateway to the office was natting IPs to the
> individual clients, and then clients were natting again to hang multiple
> machines off the one IP they got from the office gateway.
>
> Josh
>

"You should NAT xl1 for the private IP addresses on the LAN behind the FBSD box."

I always thought natd should run on the external interface? How can natd work perfectly if I'm running it on the wrong interface?

>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Kim Helenius
>> Sent: Tuesday, October 08, 2002 9:13 AM
>> To: freebsd-questions@FreeBSD.ORG
>> Subject: Puzzling NATD problem - revisited
>>
>> The setting:
>>
>> Network topology:
>> Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host
>>
>> A custom kernel build including the following options:
>> options IPFIREWALL
>> options IPDIVERT
>> Used the command:
>> sysctl net.inet.ip.forwarding=1
>> And started natd with: natd -interface xl0
>>
>> Then did, straight from the manpage, the following firewall rules:
>> /sbin/ipfw -f flush
>> /sbin/ipfw add divert natd all from any to any via xl0
>> /sbin/ipfw add pass all from any to any
>>
>> Now NAT works perfectly for the internal host, but (almost) all TCP
>> connections cease to work to/from the NATD machine. AFAIK UDP and ICMP work
>> perfectly. I've tried this on two different FreeBSD machines in the same
>> network with identical results. If I remove the divert rule, everything
>> works perfectly, except of course for the NAT. There have been no similar,
>> puzzling effects on any Linux hosts I know of in the same network. Therefore
>> I'm sure there's some knob I haven't pushed yet :)
>>
>> I'm aware this doesn't make much of a firewall but I'd like to get natd
>> working before I run the firewall script.
>>
>> --
>> Kim Helenius
>> kim.helenius@kepa.fi
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message

--
Kim Helenius
kim.helenius@kepa.fi
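As an added example, not part of the thread: a small POSIX sh helper that emits the setup from Kim's original post for a chosen external interface and checks that the natd -interface argument and the divert rule's "via" interface agree, which is the xl0-versus-xl1 point debated above. The function names natd_setup and check_setup are assumptions.

```shell
#!/bin/sh
# Added helper, not from the thread. natd_setup and check_setup are assumed names.

# Emit the commands from the original post, parameterised on the external interface.
natd_setup() {
    ext="$1"
    cat <<EOF
sysctl net.inet.ip.forwarding=1
natd -interface $ext
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via $ext
/sbin/ipfw add pass all from any to any
EOF
}

# Read a command list on stdin and return 0 only if it is internally consistent:
# forwarding enabled, exactly one natd instance, exactly one divert-to-natd rule,
# a pass rule present (IPFIREWALL denies by default), and natd's -interface
# equal to the interface named in the divert rule's "via" clause.
check_setup() {
    input=$(cat)
    fwd=$(printf '%s\n' "$input" | grep -c '^sysctl net.inet.ip.forwarding=1$' || true)
    n_natd=$(printf '%s\n' "$input" | grep -c '^natd -interface ' || true)
    n_divert=$(printf '%s\n' "$input" | grep -c 'ipfw add divert natd ' || true)
    n_pass=$(printf '%s\n' "$input" | grep -c 'ipfw add pass ' || true)
    [ "$fwd" -eq 1 ] || { echo "forwarding sysctl missing"; return 1; }
    [ "$n_natd" -eq 1 ] || { echo "expected one natd -interface line, got $n_natd"; return 1; }
    [ "$n_divert" -eq 1 ] || { echo "expected one divert natd rule, got $n_divert"; return 1; }
    [ "$n_pass" -ge 1 ] || { echo "no pass rule, non-diverted traffic would be denied"; return 1; }
    natd_if=$(printf '%s\n' "$input" | sed -n 's/^natd -interface \([^ ]*\).*/\1/p')
    divert_if=$(printf '%s\n' "$input" | sed -n 's/.*ipfw add divert natd .* via \([^ ]*\).*/\1/p')
    [ "$natd_if" = "$divert_if" ] || { echo "natd on $natd_if but divert rule via $divert_if"; return 1; }
    echo "ok: natd and divert rule both on $natd_if"
}

# Usage: generate the setup for the thread's external interface and check it.
natd_setup xl0 | check_setup
```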