Date: Fri, 25 Jul 2003 00:35:46 -0400
From: Jim Durham <jim.durham@nepinc.com>
To: freebsd-questions@freebsd.org
Subject: natd and redirect_address
Message-ID: <200307250035.46305.jimd@nepinc.com>
We have a FreeBSD machine serving as a NAT gateway for a bunch of computers on a LAN connected to the 2nd network interface of the FreeBSD machine. All this works very well using natd and IPDIVERT in the kernel.

One of the machines on the inside LAN now needs to be accessible from the internet (which is on the outside network interface of the FBSD box). Following the handbook and the natd man page, we added an IP alias for a 2nd public IP to the outside interface and added a rule to natd.conf to redirect packets coming in addressed to the new IP to the inside machine (redirect_address privateIP publicIP), using the new outside IP and the LAN IP of the machine we were trying to see on the LAN. We set the netmask of the new alias to 255.255.255.255 and the netmask of the "primary" IP to 255.255.255.128 so there was no overlap in the netmasks.

To test the setup, we ran VNC server on the inside machine and connected from the 'net to the new public IP. We got connected, but there appears to be no video coming back from the inside machine. Mouse and keyboard are OK; anything coming back is not happening. According to our reading of the docs, this "static NAT" is supposed to be symmetrical. It appears that it is not totally so.

We had a similar experience trying to use "redirect_port" for another application running on a LAN machine. It almost worked. In that case, we recorded the inside machine trying to talk to a database server on the 'net with tcpdump and couldn't see where anything was being blocked, but it just didn't work. In that case, the same machine directly on a public IP would work just fine with the application.

By the way, if we made a connection using VNC's "-via" option to open a secure tunnel to the FreeBSD machine and then connect over the LAN without redirection, everything worked fine, so this doesn't seem to be a VNC problem.

If we fire up a web browser on the inside machine and connect to a web page that reports your IP, we get the 2nd IP of the FreeBSD machine's outside interface, which is as it should be.

Can anyone shed any light on why this doesn't work?

-Jim
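For reference, here is an added configuration (not from Jim's message, and not a diagnosis of his setup) that implements the arrangement he describes: a /32 alias for the second public IP, one ipfw divert rule keyed on the outside interface so natd sees both directions of every connection, and the static redirect_address mapping. The interface names fxp0/fxp1, all addresses and the rule numbers are placeholders.

```conf
# /etc/rc.conf (interface names and addresses are placeholders)
gateway_enable="YES"
ifconfig_fxp0="inet 203.0.113.10 netmask 255.255.255.128"
# Second public IP used for the static NAT; /32 so it does not
# overlap the primary address's subnet
ifconfig_fxp0_alias0="inet 203.0.113.11 netmask 255.255.255.255"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf
interface fxp0
# natd(8) syntax is: redirect_address localIP publicIP
redirect_address 192.168.1.50 203.0.113.11

# /etc/ipfw.rules (loaded by rc.firewall because firewall_type is a file)
# A single divert rule matching "via fxp0" catches both the inbound packet
# addressed to 203.0.113.11 and the reply leaving from 192.168.1.50, so
# natd translates both halves of the connection. Diverting only one
# direction breaks the symmetry the static mapping is supposed to give.
add 100 divert natd ip from any to any via fxp0
add 65000 allow ip from any to any
```

The inside host's default route must point at 192.168.1.1; replies that leave the LAN by any other path never pass the divert rule and are never translated back.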