From owner-freebsd-net@FreeBSD.ORG Fri Apr 8 07:13:31 2005
Date: Fri, 8 Apr 2005 09:13:23 +0200 (CEST)
From: "Andrew Seguin"
To: freebsd-net@freebsd.org
Message-ID: <2402.161.53.212.4.1112944403.squirrel@borgtech.ca>
Subject: Freebsd NAT/Router design question/issue
List-Id: Networking and TCP/IP with FreeBSD

Good day,

I've built up a freebsd router (no problems there) using 5.4-STABLE built after a cvsup 3 days ago. The router has three network cards (all fxp), and it routes mainly between a variety of subnets (using vlans) on fxp1, to a separate subnet on fxp0. fxp2 has a private address (192.168.0.1/24) and it shall be our "public area" connection. (The main router, sitting at .1, routes to .14 for anything other than .0/28.)

So, in short it looks like this:

  default gateway: .1
  fxp0: .14/28 (servers)
  fxp1 - vlan 3 - .17/28 (network printers)
  ...
  fxp1 - vlan 6 - .129/25 (bulk)
  fxp2: 192.168.0.1/24

I enabled dhcpd with a subnet for fxp2 .. no problem here as well.

However, when I enable NAT... I am facing a design issue. I can run natd just fine at the moment, but I got it to work in what seems to me a not so great fashion... I'm hoping that somebody might have a recommendation for me!

Current setup:

  natd.conf:
    alias_address ---.---.---.14
    unregistered_only

  ipfw rule (early on):
    divert natd ip from any to any via fxp0

Problem: traffic for other subnets goes through natd? It seems like this would force natd to work much harder than it needs to, not my ideal situation.

Attempted setups (variants of the following):

  ifconfig fxp0 inet ---.---.---.13 netmask 0xffffffff alias

  natd.conf:
    alias_address ---.---.---.13

  ipfw rules (early on):
    # incoming traffic of the public network gets translated.
    divert natd ip from 192.168.0.0/24 to any via fxp2
    # incoming traffic for the public network gets translated.
    divert natd ip from any to ---.---.---.13

Problem(s):
- can't see any traffic "host ---.---.---.13" via fxp0
- With a computer connected to fxp2 (address from dhcp), I can ping 192.168.0.1, the other IPs of the router box, but pings to other equipment time out.

natd.conf with reverse? crashes, looks like the bug "natd coredumps with -reverse due to bug in libalias" (http://www.freebsd.org/cgi/query-pr.cgi?pr=76839) hasn't been patched in 5.4-STABLE?

If anybody has any suggestions for this where I don't end up with all the traffic going through natd, I'd greatly appreciate them!
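To make the "everything goes through natd" concern concrete, here is an added Python model (not from the mail and not FreeBSD code) that evaluates simplified ipfw divert rules against the two interface passes a routed packet makes on this box, comparing the poster's `via fxp0` rule with a direction-scoped pair. It assumes 203.0.113.0/24 as a placeholder for the elided public network, and the scoped rule pair is this example's assumption, not something the poster configured.

```python
import ipaddress
from collections import namedtuple

# Constructed placeholder for the mail's elided public /24 (TEST-NET-3).
PUBLIC = "203.0.113."
ROUTER_FXP0 = PUBLIC + "14"   # the natd alias_address of the mail's first setup

# The poster's rule versus an assumed direction-scoped pair that diverts
# only the flows which actually need translation.
ORIGINAL_RULES = ["ip from any to any via fxp0"]
SCOPED_RULES = ["ip from 192.168.0.0/24 to any out via fxp0",
                "ip from any to " + ROUTER_FXP0 + " in via fxp0"]

# One ipfw pass over a packet: received ("in") or sent ("out") on iface.
Hop = namedtuple("Hop", "src dst direction iface")

def _addr_ok(spec, ip):
    return spec == "any" or \
        ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, hop):
    """Evaluate 'ip from SRC to DST [in|out] via IFACE' against one pass."""
    w = rule.split()
    src, dst = w[w.index("from") + 1], w[w.index("to") + 1]
    iface = w[w.index("via") + 1]
    direction = "in" if "in" in w else ("out" if "out" in w else None)
    return (_addr_ok(src, hop.src) and _addr_ok(dst, hop.dst)
            and iface == hop.iface and direction in (None, hop.direction))

def reaches_natd(rules, hops):
    """A routed packet is checked on its inbound and its outbound interface;
    it reaches natd if any divert rule matches on either pass."""
    return any(rule_matches(r, h) for h in hops for r in rules)

# Constructed flows, each written as the passes the packet makes on the router.
FLOWS = {
    "printer->server":  [Hop(PUBLIC + "18", PUBLIC + "5", "in", "fxp1"),
                         Hop(PUBLIC + "18", PUBLIC + "5", "out", "fxp0")],
    "server->printer":  [Hop(PUBLIC + "5", PUBLIC + "18", "in", "fxp0"),
                         Hop(PUBLIC + "5", PUBLIC + "18", "out", "fxp1")],
    "nat-client->inet": [Hop("192.168.0.50", "198.51.100.7", "in", "fxp2"),
                         Hop("192.168.0.50", "198.51.100.7", "out", "fxp0")],
    # reply as seen before natd rewrites the destination back to the client
    "inet->nat-client": [Hop("198.51.100.7", ROUTER_FXP0, "in", "fxp0")],
}

def compare():
    """Map flow name -> (hits natd under ORIGINAL_RULES, under SCOPED_RULES)."""
    return {name: (reaches_natd(ORIGINAL_RULES, hops), reaches_natd(SCOPED_RULES, hops))
            for name, hops in FLOWS.items()}
```

The inter-subnet flows (printer and server traffic) hit natd only under the unscoped rule, while both directions of the 192.168.0.0/24 client flow still reach it under the scoped pair.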