Date:      Mon, 11 Nov 2002 12:07:05 +0100 (CET)
From:      Fabrizio Ravazzini <freefabri@yahoo.it>
To:        freebsd-isp@freebsd.org
Subject:   two natd connections
Message-ID:  <20021111110705.81900.qmail@web20103.mail.yahoo.com>

Hello all, I'll go straight to the problem.
Network diagram:
                 ____________
ADSL   adsl      |   fbsd    |192.168.1.1
ISP---router-----|ed0-GW-fxp0|----------LAN
         10.0.0.1|___|fxp1___|         192.168.1.x
                     |195.
                     |223.20.100
                     |_______
                             |
HDSL(2Mb)  Router   fbsd    DMZ
ISP--------cisco----bridge--HUB-------DMZ Servers
        195.223.20.1

The fbsd gateway is configured as a natd machine
/etc/rc.conf:
	gateway_enable="YES"
	firewall_enable="YES"
	firewall_type="OPEN"
	natd_enable="YES"
	natd_interface="ed0"
	natd_flags=""

/etc/rc.firewall:
	case ${firewall_type} in
	[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
		case ${natd_enable} in
		[Yy][Ee][Ss])
			if [ -n "${natd_interface}" ]; then
				${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
			fi
			;;
		esac
	esac

We have installed the new cable from the gateway (fxp1) to the DMZ hub so that
if a client on the LAN wants to reach some DMZ servers it doesn't go through
the slow ADSL line but is routed directly to the DMZ hub to reach the servers.
This is also because the HDSL line (2MB) is cost effective.
The gateway is a FreeBSD 4.5 box and works well to route the traffic from the
LAN to the Internet, especially for HTTP traffic.
The real problem is that the new link to reach the DMZ internally
(GW-fxp1--->DMZ hub) doesn't work at all.
If I do a netstat -rn on the gateway machine I can see the routes to reach the
DMZ, and if I ping from the GW, for example 195.223.20.4, it works well.
But from a LAN client it doesn't.
To solve the problem we tried to run on the GW:
natd -interface fxp1
in order to NAT all the traffic to the DMZ, and put another rule (number 53)
in rc.firewall like this:

--snip---
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
			${fwcmd} add 53 divert natd all from any to any via fxp1
		fi
		;;
--snip---


But it doesn't work: when we run "natd -interface fxp1" we receive this error:

"Unable to bind to divert socket address already in use".

Is it because there are two instances of natd running? But we need two!
Is there any way to do what I want? The LAN clients should always be able to
reach the Internet via the ADSL link, and if they want to "talk" to the DMZ
servers they pass directly to them without passing through
ADSL link---Internet---HDSL link---DMZ, which is cost effective.

Any help would be appreciated.
Many thanks.

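As an added example (not from the original post or any reply): a second natd on the DMZ link can be started if it gets its own divert port, because each divert socket is bound to one port and two natd daemons cannot both take the default 8668 ("natd" in /etc/services). Interface names are taken from the diagram above; port 8669, the `fwcmd` dry-run default and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: start two natd instances, one per
# NAT interface, each bound to its own divert port. A divert socket binds a
# single port, so a second "natd -interface fxp1" on the default port (8668,
# "natd" in /etc/services) fails with "address already in use".
# Assumptions: ed0/fxp1 as in the diagram; 8669 is an arbitrary free port.

natd_interface="ed0"        # ADSL side: the original natd
natd_divert_port="8668"     # the "natd" entry in /etc/services
dmz_interface="fxp1"        # direct link to the DMZ hub
dmz_divert_port="8669"      # second instance; must differ from 8668

# Dry run by default: prints the ipfw commands instead of installing them.
# Set fwcmd=ipfw (as rc.firewall does) to apply them for real.
fwcmd="${fwcmd:-echo ipfw}"

# Refuse to start if both daemons would bind the same divert port.
divert_ports_ok() {
    [ "${natd_divert_port}" != "${dmz_divert_port}" ]
}

# Start both daemons; -p (alias -port) selects the divert port.
start_natd() {
    divert_ports_ok || return 1
    natd -p "${natd_divert_port}" -interface "${natd_interface}"
    natd -p "${dmz_divert_port}" -interface "${dmz_interface}"
}

# rc.firewall fragment: each divert rule names the port of the natd that
# handles that interface, so packets on fxp1 reach the second daemon and
# packets on ed0 still reach the first one.
nat_rules() {
    ${fwcmd} add 50 divert "${natd_divert_port}" all from any to any via "${natd_interface}"
    ${fwcmd} add 53 divert "${dmz_divert_port}" all from any to any via "${dmz_interface}"
}
```

With `fwcmd` unset the functions only print the rules, which lets you check rule numbers and interfaces before touching a live gateway.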



