From owner-freebsd-questions@FreeBSD.ORG Wed Nov 28 03:19:55 2007
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Jerahmy Pocott"
Cc: FreeBSD Questions
Date: Tue, 27 Nov 2007 19:21:36 -0800
Subject: RE: Difficulties establishing VPN tunnel with IPNAT
In-Reply-To: <219A86D3-597D-4369-A0DA-5D1F14D80D43@optusnet.com.au>

> -----Original Message-----
> From: Jerahmy Pocott [mailto:quakenet1@optusnet.com.au]
> Sent: Tuesday, November 27, 2007 7:07 AM
> To: Ted Mittelstaedt
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>
> On 27/11/2007, at 5:49 PM, Ted Mittelstaedt wrote:
>
> >> -----Original Message-----
> >> From: Jerahmy Pocott [mailto:quakenet1@optusnet.com.au]
> >> Sent: Sunday, November 25, 2007 4:48 AM
> >> To: Ted Mittelstaedt
> >> Cc: FreeBSD Questions
> >> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
> >>
> >> Perhaps, but I've heard a lot of good things about IPF and IPNAT,
> >> especially since the NAT is all in kernel whereas natd is userland, so
> >> there is a slight performance boost possibly there as well..
> >>
> >
> > I will address this one point here since it's enough to make
> > someone scream, it's such an old chestnut.
> >
> > natd is always criticized because going to userland is slow. So,
> > people who have slowness problems think that is the issue.
> >
> > In reality, the problem is that the DEFAULT setup and man page
> > examples for natd use the following ipfw divert rule:
> >
> > /sbin/ipfw -f flush
> > /sbin/ipfw add divert natd all from any to any via ed0
> > /sbin/ipfw add pass all from any to any
> >
> > This produces a rule such as the following:
> >
> > 00050 divert 8668 ip from any to any via de0
> >
> > The problem though, is this is wrong. What it is doing is that
> > ALL traffic that comes into and out of the box - no matter what
> > the source and destination is - will be passed to the natd translator.
> >
> > What you SHOULD be using is a set of commands such as:
> >
> > ipfw add divert natd ip from any to [outside IP address] in recv [outside interface]
> > ipfw add divert natd ip from not [outside IP address] to any out recv [inside interface] xmit [outside interface]
>
> That does make a lot of sense!
>
> However the 2nd rule is slightly confusing me.. Shouldn't it be something
> like: divert natd ip from [internal net range] to any out via [outside if]?

As I recall the "via" keyword was a later addition to ipfw, the way you wrote
it is the same thing - the earlier form I used works on both old and new ipfw
(not that it probably matters much nowadays). Use whichever is more clear to
you - the gist of it is to use the ipfw rulesets to keep the traffic that
doesn't need the attention of natd out of userland.

Ted
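The targeted divert ruleset from the quoted mail, written out as a small sh script that emits the rules for review, loads them only on request, and flags the broad "from any to any via" divert the default examples use. This is an added example, not code from the thread; the interface names and outside address are assumed sample values.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: the targeted natd divert
# ruleset from Ted's mail as a script, plus a check that flags the broad
# "from any to any via" divert the default examples use.
# Sample values are assumed, not taken from the thread.
OUTSIDE_IF="em0"
INSIDE_IF="em1"
OUTSIDE_IP="203.0.113.10"   # documentation (TEST-NET-3) address

# Emit the ipfw commands without running them, so the ruleset can be
# reviewed before it is loaded. Only packets to the outside address on the
# way in, and packets from inside hosts leaving via the outside interface,
# are diverted; everything else stays in the kernel.
natd_divert_rules() {
    oif="$1"; iif="$2"; oip="$3"
    printf '%s\n' \
      "/sbin/ipfw -f flush" \
      "/sbin/ipfw add divert natd ip from any to ${oip} in recv ${oif}" \
      "/sbin/ipfw add divert natd ip from not ${oip} to any out recv ${iif} xmit ${oif}" \
      "/sbin/ipfw add pass all from any to any"
}

# The rule the man page examples use: every packet crossing the outside
# interface, in both directions, is handed to userland natd.
broad_divert_rules() {
    printf '%s\n' \
      "/sbin/ipfw -f flush" \
      "/sbin/ipfw add divert natd all from any to any via $1" \
      "/sbin/ipfw add pass all from any to any"
}

# Return 0 (true) if a ruleset, passed as a string, contains a divert rule
# that matches all traffic on an interface; such a rule pushes traffic that
# needs no translation through natd.
has_broad_divert() {
    printf '%s\n' "$1" | grep -q 'divert natd .*from any to any via'
}

# Load the targeted ruleset only when asked explicitly, and only as root.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; exit 1; }
    natd_divert_rules "$OUTSIDE_IF" "$INSIDE_IF" "$OUTSIDE_IP" | sh -e
fi
```

Run it without arguments to print nothing and define the functions, or with `apply` as root to flush and load the targeted rules.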