From: Kim Helenius <kim.helenius@kepa.fi>
Date: Wed, 09 Oct 2002 10:29:29 +0300
To: Josh Paetzel
Cc: JoeB, freebsd-questions@FreeBSD.ORG
Subject: Re: Puzzling NATD problem - revisited
Message-ID: <3DA3DAD9.4020906@kepa.fi>
References: <3DA2D9D0.6050908@kepa.fi> <20021009061602.GE57870@ns1.webwarrior.net>

Thank you both for your answers. The campus network uses public IP address space; sorry for not including that information. The reason I included it between the Internet and the natd gateway is that if there is some weirdness in it, I somehow have to compensate for it in FreeBSD. As I stated, Linux users haven't had any problems with NAT in the same network. Even I had working NAT in the same network two years ago (on FreeBSD 4.1-4.3, I think), so I'm trying to pinpoint the cause of this extremely peculiar behaviour.
Josh Paetzel wrote:

> On Tue, Oct 08, 2002 at 03:28:28PM -0400, JoeB wrote:
>
>> You state Network topology:
>> Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host
>>
>> Internet is a public IP address. If Campus Network is private IP address space then
>> you cannot NAT them again; if Campus Network is public IP address space then you
>> should NAT x11 for the private IP addresses on the LAN behind the FBSD box.
>
> That's not correct. I've seen two layers of NATD work just fine in an office
> building environment where the gateway to the office was NATting IPs to the
> individual clients, and then clients were NATting again to hang multiple
> machines off the one IP they got from the office gateway.
>
> Josh

"You should NAT x11 for the private IP addresses on the LAN behind the FBSD box."

I always thought natd should run on the external interface? How can natd work perfectly if I'm running it on the wrong interface?

>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Kim Helenius
>> Sent: Tuesday, October 08, 2002 9:13 AM
>> To: freebsd-questions@FreeBSD.ORG
>> Subject: Puzzling NATD problem - revisited
>>
>> The setting:
>>
>> Network topology:
>> Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host
>>
>> A custom kernel build including the following options:
>> options IPFIREWALL
>> options IPDIVERT
>>
>> Used the command:
>> sysctl net.inet.ip.forwarding=1
>>
>> And started natd with:
>> natd -interface xl0
>>
>> Then did, straight from the manpage, the following firewall rules:
>> /sbin/ipfw -f flush
>> /sbin/ipfw add divert natd all from any to any via xl0
>> /sbin/ipfw add pass all from any to any
>>
>> Now NAT works perfectly for the internal host, but (almost) all TCP
>> connections cease to work to/from the NATD machine. AFAIK UDP and ICMP work
>> perfectly. I've tried this on two different FreeBSD machines in the same
>> network with identical results.
>> If I remove the divert rule, everything
>> works perfectly, except of course for the NAT. There have been no similar,
>> puzzling effects on any Linux hosts I know of in the same network. Therefore
>> I'm sure there's some knob I haven't pushed yet :)
>>
>> I'm aware this doesn't make much of a firewall, but I'd like to get natd
>> working before I run the firewall script.
>>
>> --
>> Kim Helenius
>> kim.helenius@kepa.fi
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message

--
Kim Helenius
kim.helenius@kepa.fi
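The quoted rule set (`divert natd` on xl0 followed by `pass all from any to any`) gets translation working but, as the poster says, is no firewall. The script below is an added example written for this page, not code from the thread or from FreeBSD: it keeps the divert rule exactly where the post puts it (on the external interface, both directions) and replaces the blanket pass with a deny-by-default set in the style of the 4.x-era rc.firewall. Assumed and hypothetical: xl0 external, xl1 internal, a LAN of 192.168.1.0/24, natd started with `natd -interface xl0` on its default divert port, and a kernel with IPFIREWALL and IPDIVERT as in the post. The TCP rules are deliberately stateless (`setup` out, `established` in) rather than `keep-state`: a dynamic rule would be created from the already-translated outbound packet, while an inbound reply is diverted and rewritten to the LAN address before `check-state` runs, so it would not match. The example does not diagnose the TCP breakage on the gateway that the post reports.

```shell
#!/bin/sh
# Added example (not from the thread): deny-by-default ipfw + natd rule set
# for the post's topology, Internet---(xl0) gateway (xl1)---LAN.
# Hypothetical assumptions: xl0 external, xl1 internal, LAN 192.168.1.0/24,
# natd running as "natd -interface xl0" (default divert port "natd"/8668),
# kernel built with IPFIREWALL and IPDIVERT as in the post.
EXT_IF=${EXT_IF:-xl0}
INT_IF=${INT_IF:-xl1}
INT_NET=${INT_NET:-192.168.1.0/24}
IPFW=${IPFW:-/sbin/ipfw}      # set IPFW=echo for a dry run

# One rule per line, so the set can be reviewed before it is loaded.
rule() { printf '%s\n' "$*"; }

ipfw_rules() {
    rule -f flush
    # Loopback traffic, and never let 127/8 appear on a real interface.
    rule add 100 allow ip from any to any via lo0
    rule add 110 deny ip from any to 127.0.0.0/8
    rule add 120 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing on the external side: the LAN prefix must not arrive
    # there, and nothing from outside may address the LAN prefix directly.
    rule add 200 deny ip from "$INT_NET" to any in via "$EXT_IF"
    rule add 210 deny ip from any to "$INT_NET" in via "$EXT_IF"
    # Translation, placed where the post puts it: on xl0, both directions.
    # Packets re-enter the rule set after this rule already rewritten, so
    # every later rule sees the translated addresses.
    rule add 300 divert natd ip from any to any via "$EXT_IF"
    # The LAN segment is trusted end to end.
    rule add 400 allow ip from any to any via "$INT_IF"
    # External side, stateless on purpose: connections may be opened from
    # inside (after NAT their source is xl0's address), replies are let back
    # in by TCP flag matching, and inbound SYNs fall through to the deny.
    rule add 500 allow tcp from any to any established
    rule add 510 allow tcp from any to any out via "$EXT_IF" setup
    # DNS and a few ICMP types; add explicit "in via xl0" rules only for
    # services this box or the LAN should actually expose.
    rule add 600 allow udp from any to any 53 out via "$EXT_IF"
    rule add 610 allow udp from any 53 to any in via "$EXT_IF"
    rule add 700 allow icmp from any to any icmptypes 0,3,8,11
    # Default deny. "log" needs options IPFIREWALL_VERBOSE in the kernel;
    # drop the word if the kernel was built without it, as in the post.
    rule add 65000 deny log ip from any to any
}

# Feed each line to ipfw; word splitting of $line is intended here.
apply_rules() {
    ipfw_rules | while IFS= read -r line; do
        # shellcheck disable=SC2086
        "$IPFW" $line || exit 1
    done
}

# "sh natd-rules.sh" prints the rule set; "sh natd-rules.sh apply" loads it.
if [ "${1:-}" = "apply" ]; then apply_rules; else ipfw_rules; fi
```

Review the printed set first (`sh natd-rules.sh`, or `IPFW=echo sh natd-rules.sh apply`), then load it with `apply`; natd must already be running on xl0 and `net.inet.ip.forwarding` set to 1, as in the post.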