Date: Mon, 06 Dec 1999 10:09:09 +0800
From: "aLan Tait" <aLan@fil.net>
To: Warren Welch <wwlists@intraceptives.com.au>
Cc: Glen Foster <gfoster@gfoster.com>, danh@wzrd.com, "freebsd-isp@FreeBSD.ORG" <freebsd-isp@FreeBSD.ORG>
Subject: Re: IPFilter and xntpd
Message-ID: <384B1AC5.B84D93BA@fil.net>
References: <199912051652.LAA18462@rr.gfoster.com>
Hi Warren!

Can you (or anybody on the ISP list) help me with this... I posted the below questions about IPFilter and xntpd following your suggestion to use the RFC-1918 addresses BETWEEN the outside addresses and the inside addresses (ALL of which are globally routable). I only have two RFC-1918 addresses, one at each end of the router - gateway crossover cable.

The problem is, I can't get gateway to xntpd to a public server on the other side of the router (I think because it uses a RFC-1918 address on the outgoing link - per your wonderful suggestion). Is there a way to let gateway be my network time server, or do I have to set up a different time server on the inside and point gateway back into it? Jaz, on the inside network, has no problem getting the time from tick.usno.navy.mil (all the way to the USA and back!). I just can't get gateway to get the tick.

The answers I've received so far have assumed my "inside" network was using RFC-1918 addresses - which it is not. Everything is global addresses except the gateway - router link. Maybe IPNAT would work, but I cannot think how to map the routable "inside" address of the gateway to be the return IP for packets sent via the non-routable "outside" address of gateway.

I know this looks "backward" to most people - it did to me until I tried it. It works great - except for the xntpd tick problem. Do you run a system clock in your gateway?

Hope someone can tell me the workaround (if there is one!).

Blessings,
aLan

Glen Foster wrote:
>
> What you want is NAT (Network Address Translation). This maps your
> RFC-1918 addresses "inside" to one or more routable IP addresses on
> the external interface of the router connecting the RFC-1918 network.
>
> NAT functionality is paired with ipfilter filtering functionality with
> the ipnat program just as ipfw has natd as a companion. All of the
> relevant man pages are required reading.
>
> The ipfilter home, <http://coombs.anu.edu.au/~avalon/ip-filter.html>,
> has pointers to a FAQ, a how-to, and example uses as does the
> directory /usr/src/contrib/ipfilter/rules/.
>
> Good luck, if you have specific questions about your configuration I'd
> be happy to try and help you out.
>
> Glen Foster <gfoster@gfoster.com>
>
> >Date: Sun, 05 Dec 1999 23:55:37 +0800
> >From: "aLan Tait" <aLan@fil.net>
> >
> >I got IPFilter running in the gateway computer. Likewise,
> >xntpd was working fine... until I switched it online and
> >over to the RFC 1918 addresses between the router and the
> >Gateway.
> >
> >Below is basically the rc.conf file (xl0's IP was changed
> >for security).
> >
> >If I am on gw and try to ping, traceroute, or xntpd to the
> >outside world, it fails... I think because it is passing
> >the 192.186.1.2 address as the return. That, of course,
> >also makes xntpd fail for other servers pointed at gw. If I
> >point an inside server at outside our network, it works
> >fine. Everything inside to the outside works as far as I
> >can tell. I was just thinking it would be good if the gw
> >was also our system clock...
> >
> >Can this be? Am I missing something that would allow the
> >return packets to return to "123.45.102.1" instead of
> >"192.168.1.2"???
> >
> >Or should I just use a different server inside (like ftp),
> >and then point gw at it?
> >
> >network_interfaces="ed1 xl0 lo0"
> >ifconfig_ed1="inet 192.168.1.2 netmask 255.255.255.0"
> >defaultrouter="192.168.1.1"
> >ifconfig_xl0="inet 123.45.102.1 netmask 255.255.254.0"
> >gateway_enable="YES"
> >hostname="gw.fil.net"
> >moused_type="NO"
> >xntpd_enable="YES"
> >xntpd_flags="-c /etc/ntp.conf"
> >
> >Outside
> >  | Provider link
> >Router
> >  | 192.168.1.1
> >  |
> >  | 192.168.1.2
> >GateWay
> >  | x.x.102.1
> >  |
> >  |
> > Hub
> >
> >aLan
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-isp" in the body of the message
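One way to do the mapping aLan is asking about, written as an added illustration for this thread and not taken from the original messages or from the IPFilter project's own rule files. The interface names and addresses come from the quoted rc.conf; the file name, and the assumption that the router already forwards 123.45.102.0/23 toward 192.168.1.2 (it must, since inside hosts such as Jaz reach the outside), are assumptions of this example.

```conf
# /etc/ipnat.rules (file name assumed for this example)
#
# The gateway's own packets leave through ed1, the router-facing link, and so
# carry the RFC-1918 link address 192.168.1.2 as their source. This one-to-one
# map rewrites that source to the gateway's routable inside address
# 123.45.102.1 (both values from the quoted rc.conf). The reply is addressed
# to 123.45.102.1, the router forwards it over the link as it does for any
# inside host, and ipnat's session state translates the destination back to
# 192.168.1.2 on the way in so the local xntpd sees it.
#
# No "portmap" clause: with a single address on each side the UDP source
# port is preserved, so xntpd's port 123 stays intact. Only traffic with
# source 192.168.1.2 matches; packets forwarded from the 123.45.102.0/23
# inside hosts already have routable sources and are left untouched.
map ed1 192.168.1.2/32 -> 123.45.102.1/32
```

Load it with `ipnat -CF -f /etc/ipnat.rules` (clear and flush the old table, then read the file) and check with `ipnat -l`, which lists the active translations; a UDP entry toward the time server should appear once xntpd polls it. The ipf filter rules on ed1 still have to pass the translated UDP port 123 traffic in both directions, as the filter sees the packet after the map on the way out and before the reverse map on the way in.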