From owner-freebsd-questions Fri Nov 21 18:43:47 1997
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.7/8.8.7) id SAA06110
    for questions-outgoing; Fri, 21 Nov 1997 18:43:47 -0800 (PST)
    (envelope-from owner-freebsd-questions)
Received: from awfulhak.demon.co.uk (awfulhak.demon.co.uk [158.152.17.1])
    by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id SAA06075
    for ; Fri, 21 Nov 1997 18:43:40 -0800 (PST)
    (envelope-from brian@awfulhak.org)
Received: from gate.lan.awfulhak.org (localhost [127.0.0.1])
    by awfulhak.demon.co.uk (8.8.7/8.8.7) with ESMTP id CAA05112;
    Sat, 22 Nov 1997 02:32:20 GMT
    (envelope-from brian@gate.lan.awfulhak.org)
Message-Id: <199711220232.CAA05112@awfulhak.demon.co.uk>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Ben Hockenhull
cc: questions@freebsd.org
Subject: Re: NAT+registered networks
In-reply-to: Your message of "Thu, 20 Nov 1997 10:09:18 EST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 22 Nov 1997 02:32:20 +0000
From: Brian Somers
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I'm attempting to use a FreeBSD box to assist in my transition from
> registered addresses to unregistered addresses. I have approx 1000 nodes
> with registered addresses that will be, over time, switched to addresses
> in the 10.x.x.x range.
>
> So, what I need to do is put this FreeBSD box in front of everything until
> the entire thing is transitioned. The external interface is a registered
> address, and the internal interface has both an unregistered and a
> registered address assigned to it. What it needs to do is to NAT
> unregistered addresses and pass registered addresses. Will this work? I
> can get unregistered addresses on the 192.168.x.x network to NAT fine;
> it's the registered address passing and NAT of 10.x.x.x addresses that
> does not work. Any ideas?
>
> /etc/natd.conf:
>
> unregistered_only yes
> alias_address 199.217.x.x
> log yes
>
> /etc/rc.firewall:
>
> /sbin/ipfw -f flush
> /sbin/ipfw add 3000 divert 6668 all from 10.0.0.0/8 to any via ep0
> /sbin/ipfw add 4000 divert 6668 all from any to 10.0.0.0/8 via ep1
> /sbin/ipfw add 65000 pass all from any to any

If your Internet interface is ep0, then the divert lines should be

    /sbin/ipfw add 3000 divert 6668 all from 10.0.0.0/8 to any via ep0
    /sbin/ipfw add 4000 divert 6668 all from any to 10.0.0.0/8 via ep0

although I guess the line with ep1 would suffice if it sees all of
the 10/8 traffic that passes through ep0.

Apart from that, the unregistered_only option treats 10.0.0.0/8,
172.16.0.0/16 and 192.168.0.0/16 in exactly the same way (see
/usr/src/lib/libalias/alias.c).

> Thanks for any help.
>
> Ben
>
> --
> Ben Hockenhull
> benh@jpj.net

--
Brian
Don't _EVER_ lose your sense of humour....
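
Added example, not part of the original message or of FreeBSD's code: a simplified Python model of first-match ipfw rule selection and natd's unregistered_only decision, applied to the rules suggested in the reply. The alias address 192.0.2.1 and the sample hosts are constructed stand-ins, and the RFC 1918 ranges are assumed to be what unregistered_only tests.

```python
import ipaddress

net = ipaddress.ip_network
ANY, TEN = net("0.0.0.0/0"), net("10.0.0.0/8")
# RFC 1918 private ranges; assumed here to be what unregistered_only keys on.
UNREGISTERED = (TEN, net("172.16.0.0/12"), net("192.168.0.0/16"))
ALIAS = "192.0.2.1"  # constructed stand-in for the elided alias_address 199.217.x.x

# (number, action, source, destination, via) for the rules suggested in the reply
RULES = [
    (3000, "divert", TEN, ANY, "ep0"),
    (4000, "divert", ANY, TEN, "ep0"),
    (65000, "pass", ANY, ANY, None),
]


def first_match(src, dst, iface, rules=RULES):
    """Return (number, action) of the first rule the packet matches, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, snet, dnet, via in rules:
        if s in snet and d in dnet and via in (None, iface):
            return num, action
    return None


def natd_rewrites_source(src):
    """unregistered_only: only packets with an unregistered source are altered."""
    return any(ipaddress.ip_address(src) in n for n in UNREGISTERED)


def outbound(src, dst, iface="ep0"):
    """Fate of a packet leaving through the external interface in this model."""
    match = first_match(src, dst, iface)
    if match and match[1] == "divert" and natd_rewrites_source(src):
        return "aliased to " + ALIAS
    return "source unchanged"


if __name__ == "__main__":
    # Constructed sample hosts: one 10/8 node, one registered node, one remote peer.
    for src in ("10.1.2.3", "198.51.100.20"):
        print(src, "->", outbound(src, "203.0.113.7"))
    print("reply to alias:", first_match("203.0.113.7", ALIAS, "ep0"))
```

In this model a reply addressed to the alias address matches only rule 65000, since its destination is not in 10.0.0.0/8 until natd has translated it; the example in the natd(8) manual diverts all traffic via the external interface instead.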