From: Johannes Angeldorff
Date: Sun, 10 Aug 2003 23:38:57 +0200
To: freebsd-questions@freebsd.org
Subject: ipfw / natd does not allow lan traffic to reach external numbers

Hi,

I have a problem with our firewall/NAT, on a FreeBSD 4.7 box...

Here is a list with some details:

*) The FreeBSD box uses natd and ipfw, and has two external IPs, let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.

*) natd is used to redirect access to external IP addresses and ports to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21, where for example webservers are located.

*) natd rules:

    natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20 -redirect_port tcp 192.168.0.21:25-52 25-52 -redirect_port udp 192.168.0.21:25-52 25-52 -redirect_port tcp 192.168.0.30:80 80 -redirect_port udp 192.168.0.30:80 80 -redirect_port tcp 192.168.0.21:54-79 54-79 -redirect_port udp 192.168.0.21:54-79 54-79 -redirect_port tcp 192.168.0.21:81-722 81-722 -redirect_port udp 192.168.0.21:81-722 81-722 -redirect_port tcp 192.168.0.21:3306-4559 3306-4559 -redirect_port udp 192.168.0.21:3306-4559 3306-4559"

*) ipfw lets things through:

    00050 divert 8668 ip from any to any via fxp0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65000 allow ip from any to any
    65535 allow ip from any to any

Problem:

Most things work just fine, external access is redirected to the correct ports, and the webservers work just fine. BUT the problem comes when a box on the LAN tries to reach a site residing on 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get the error: "Unable to connect to remote host". Connecting from a LAN machine to the same site using the _internal_ IP works fine. Connecting to other external IPs also works fine.

I want to be able to connect from LAN boxes to the external IPs, for example aaa.bbb.ccc.20.

Can anyone lead me on the way...?

Very thankful for all comments on this matter.

Regards,
Smartnet Sverige AB
Johannes Angeldorff
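Added example, not part of the post above: a small parser for the natd(8) -redirect_address / -redirect_port syntax used in the natd_flags string, which turns the redirect list into an exposure table (which internal host and protocol gets how many externally reachable ports) and rejects alias/target port ranges of unequal length. POST_FLAGS is a constructed copy of the poster's flags; the function names are mine.

```python
# Added example (not from the original post): audit a natd(8) natd_flags string.
# Follows the natd(8) redirect syntax:
#   -redirect_address localIP publicIP
#   -redirect_port proto targetIP:port[-port] [aliasIP:]port[-port] [remoteIP[:port[-port]]]
import shlex
from collections import defaultdict

def _port_range(spec):
    """'25-52' -> (25, 52); '80' -> (80, 80); rejects out-of-range values."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi

def parse_natd_flags(flags):
    """Return a list of (proto, alias_ip, alias_ports, target_ip, target_ports).
    alias_ip is '*' when natd's default alias address applies."""
    toks, rules, i = shlex.split(flags), [], 0
    while i < len(toks):
        if toks[i] == "-redirect_address":
            local, public = toks[i + 1], toks[i + 2]
            rules.append(("ip", public, (0, 65535), local, (0, 65535)))
            i += 3
        elif toks[i] == "-redirect_port":
            proto, target, alias = toks[i + 1], toks[i + 2], toks[i + 3]
            t_ip, _, t_spec = target.rpartition(":")
            a_ip, _, a_spec = alias.rpartition(":")
            t_ports, a_ports = _port_range(t_spec), _port_range(a_spec)
            if t_ports[1] - t_ports[0] != a_ports[1] - a_ports[0]:
                raise ValueError(f"range length mismatch: {target} vs {alias}")
            rules.append((proto, a_ip or "*", a_ports, t_ip, t_ports))
            i += 4
        else:
            i += 1  # other natd options (and an optional remoteIP) are skipped
    return rules

def exposure(rules):
    """Map (target_ip, proto) -> number of externally reachable ports."""
    counts = defaultdict(int)
    for proto, _, _, t_ip, (lo, hi) in rules:
        counts[(t_ip, proto)] += hi - lo + 1
    return dict(counts)

# Constructed copy of the natd_flags value from the post, in the same order.
POST_FLAGS = "-redirect_address 192.168.0.20 aaa.bbb.ccc.20 " + " ".join(
    f"-redirect_port {p} {t} {a}" for t, a in [
        ("192.168.0.21:25-52", "25-52"), ("192.168.0.30:80", "80"),
        ("192.168.0.21:54-79", "54-79"), ("192.168.0.21:81-722", "81-722"),
        ("192.168.0.21:3306-4559", "3306-4559")] for p in ("tcp", "udp"))
```

Run on POST_FLAGS, exposure() shows 192.168.0.21 reachable on 1950 TCP and 1950 UDP ports and 192.168.0.20 on every port, which is the first thing to review when a redirect list grows this wide.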