Date:      Wed, 27 Jan 1999 07:25:19 -0800
From:      "David Burger" <david@unet.tm>
To:        "Derek Jewett" <djewett@snowcrest.net>, <questions@FreeBSD.ORG>, "Ludwig Pummer" <ludwigp@bigfoot.com>
Subject:   Re: Static NAT
Message-ID:  <001a01be4a09$ab753960$cd230b0a@470cdt.hctg.saic.com>

Ludwig,

Thank you for the information.  I messed around with it last night and after
about two hours of fussing the solution jumped out at me.  The thing that
bothered me is how simple it was.  All I had to do was alias the second IP,
start up natd with a -a pointing to the primary address of the NIC, and add
a redirect_address line for the second address of the NIC and pointing to
the inside machine.  My natd startup file looks like this (IP addresses
have been changed to protect the innocent ;-P ):

alias_address 24.0.0.12   #Binding for outside address
port 8668 #Port number to use (8668 is default)
redirect_address 192.168.0.10 24.0.0.3 #Redirect address 1 to address 2

This allows the machine at the internal address of 192.168.0.10 to use the
IP 24.0.0.3 while the other machines use the 24.0.0.12.  I tested this by
pointing my browser to www.4dcomm.com (they have a little blurb there that
tells you what IP you are coming from.)

Thank you very much for the help Ludwig.  I just needed some kind of
motivation to try it out.

David

-----Original Message-----
From: Ludwig Pummer <ludwigp@bigfoot.com>
To: David Burger <david@unet.tm>; Derek Jewett <djewett@snowcrest.net>;
questions@FreeBSD.ORG <questions@FreeBSD.ORG>
Date: Monday, January 25, 1999 3:37 PM
Subject: Re: Static NAT


At 02:34 PM 1/25/99 , David Burger wrote:
>I am trying to make a setup exactly like yours.  You mention a Firewall
>setup to make the communications from the static Nat machine come from the
>proper IP address.  Can you tell me how to configure that?

Well, start with the walk-through given by the natd manpage. Make sure natd
works for all of the other machines first. Then work from there.

I haven't actually done this completely myself. The way I have it set up,
traffic coming in to 11.22.33.44 (see below for explanation of IPs) gets
sent to 172.16.1.1, but traffic originating from 172.16.1.1 comes from
11.22.33.43. I'm going to be replacing my firewall system with another in a
few weeks, so I'm procrastinating with making any changes in the meantime.

This is assuming you use IPFW and natd.
Your current rule in rc.firewall* is probably something like

$fwcmd add divert natd from any to any via vx0

*This has been changed since 2.2.5, I think. I think after 2.2.5 there is
an /etc/rc.conf setting to enable natd. I would disable that and do
everything from your rc.firewall, since the rc.conf setting probably wasn't
intended for an elaborate setup.

I was thinking of running 2 copies of natd, each listening on a separate
outside IP, and then listening on port natd and natd2 (you'd have to add
natd2 to your /etc/services). So your rules would become

$fwcmd add divert natd2 from 172.16.1.1 to any out via vx0
# this line is needed first, otherwise traffic from this machine would be
# picked up by the next rule

$fwcmd add divert natd from any to any out via vx0
# for all of the other machines on the network

$fwcmd add divert natd from any to 11.22.33.43 in via vx0
# the order of this rule and the next doesn't matter. putting this rule
# first makes sense if more traffic will be coming in to the other
# machines on your network than to your 172.16.1.1, since packets
# will match it first

$fwcmd add divert natd2 from any to 11.22.33.44 in via vx0

172.16.1.1 is the IP of the machine on the inside which is going to get the
static NAT traffic. 11.22.33.44 is the outside IP for the static NAT.
11.22.33.43 is the outside IP for the NAT for the whole subnet. The copy of
natd that listens on the natd2 port would have just one rule: static nat
from 11.22.33.43 to the inside IP. The other natd would be set up normally,
except maybe to tell it to listen only on 11.22.33.43 (although the
firewall rule makes that unnecessary).

A disclaimer: I haven't actually tried this out. I'm making this up based
on what I understand of firewall rules and nat settings. What I give here
is meant to push you in the right direction, not give you an "answer" to
implement without understanding.

--Ludwig Pummer ( ludwigp@bigfoot.com )
ICQ UIN: 692441 (  ludwigp@email.com  )
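The two mechanisms discussed in this thread, ipfw's first-match divert rules (Ludwig's point about rule order) and natd's alias_address / redirect_address directives (David's working config), modelled as an added Python example. This is not natd, ipfw or code posted by either participant; it is a deliberately small model that ignores ports, the dynamic NAT table and payloads, keeps the addresses quoted in the thread, and uses RFC 5737 documentation addresses (203.0.113.5, 198.51.100.9) as constructed "outside" hosts. The function and class names are this example's own.

```python
# Toy model of ipfw first-match divert rules and natd address translation.
# Constructed for illustration only; it is not natd or ipfw code. Ports,
# the dynamic NAT table and packet contents are ignored; only the address
# and direction matching the thread talks about is modelled.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str          # "in" or "out" relative to the firewall host
    iface: str = "vx0"      # interface name used in the thread


@dataclass(frozen=True)
class DivertRule:
    port: str               # divert socket the daemon listens on: "natd" or "natd2"
    src: str                # "any" or one address
    dst: str                # "any" or one address
    direction: str          # "in", "out" or "any"
    iface: str


def _covers(pattern: str, value: str) -> bool:
    """A pattern of "any" matches everything; otherwise it must be equal."""
    return pattern == "any" or pattern == value


def first_match(rules: List[DivertRule], pkt: Packet) -> Optional[str]:
    """ipfw semantics: the first rule whose pattern matches decides which
    divert socket (natd instance) gets the packet. None means no divert
    rule matched, i.e. the packet is not handed to natd at all."""
    for rule in rules:
        if (_covers(rule.src, pkt.src) and _covers(rule.dst, pkt.dst)
                and _covers(rule.direction, pkt.direction)
                and rule.iface == pkt.iface):
            return rule.port
    return None


def divert_target(rules: List[DivertRule], src: str, dst: str,
                  direction: str) -> Optional[str]:
    return first_match(rules, Packet(src, dst, direction))


def shadowed_rules(rules: List[DivertRule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule on the
    same interface is at least as general in src, dst and direction. This is
    the check behind Ludwig's "this line is needed first" comment."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.iface == later.iface
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and _covers(earlier.direction, later.direction)):
                shadowed.append(j)
                break
    return shadowed


# Ludwig's proposed rule order, with the addresses quoted in his message.
LUDWIG_RULES = [
    DivertRule("natd2", "172.16.1.1", "any", "out", "vx0"),
    DivertRule("natd", "any", "any", "out", "vx0"),
    DivertRule("natd", "any", "11.22.33.43", "in", "vx0"),
    DivertRule("natd2", "any", "11.22.33.44", "in", "vx0"),
]

# Same rules with the first two swapped: the catch-all "out" rule now
# captures 172.16.1.1's traffic before the host-specific rule is reached.
SWAPPED_RULES = [LUDWIG_RULES[1], LUDWIG_RULES[0]] + LUDWIG_RULES[2:]


@dataclass
class NatdConfig:
    """The two directives from David's natd startup file: one alias_address
    for the whole subnet, plus redirect_address lines mapping inside -> outside."""
    alias_address: str
    redirects: Dict[str, str] = field(default_factory=dict)


def natd_out(cfg: NatdConfig, inside_src: str) -> str:
    """Outbound: the source address the outside world will see."""
    return cfg.redirects.get(inside_src, cfg.alias_address)


def natd_in(cfg: NatdConfig, outside_dst: str) -> Optional[str]:
    """Inbound: a redirect_address target is forwarded unconditionally to its
    inside host. Traffic to the alias address depends on natd's dynamic
    table, which this model does not keep, so None is returned for it."""
    for inside, outside in cfg.redirects.items():
        if outside_dst == outside:
            return inside
    return None


# David's configuration with his (already anonymised) addresses.
DAVID_CFG = NatdConfig("24.0.0.12", {"192.168.0.10": "24.0.0.3"})
```

Running `shadowed_rules(SWAPPED_RULES)` returns `[1]`, which is exactly the misordering Ludwig's comment guards against; his own order returns an empty list. The natd half shows why David's single-daemon approach works: `natd_out` picks the redirect address for 192.168.0.10 and the alias address for everyone else, and `natd_in` forwards anything addressed to 24.0.0.3 to the inside host. That last behaviour is also the thing to keep in mind when deploying it: a redirect_address target is reachable for any unsolicited inbound connection on that outside address, so the inside host needs the same filtering you would give a directly exposed machine.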





