From: Dennis Holmes
Reply-To: dholmes@rahul.net
Subject: Re: Question about natd ...
In-Reply-To: <20020312191511.K84355-100000@blade.elitsat.net> from Alexander at "Mar 12, 2002 7:22:08 pm"
To: amour@blade.elitsat.net (Alexander)
Cc: freebsd-questions@FreeBSD.ORG
Date: Wed, 13 Mar 2002 19:36:13 -0800 (PST)
Message-Id: <200203140336.TAA02006@star-one.liberator.dyndns.org>

Look what Alexander wrote:
> Hello,
>
> I'm running FreeBSD 4.3-RELEASE.
> I'm using it to masquerade my internal network.
> The router has 1 real IP address on the external interface,
> and on the internal there is a local network (192.168.30.0/24).
> I have 8 more real IP addresses and I want to group some of the
> internal IP addresses to masquerade to the internet with one of the
> real ones, other internal ones with another external one ...
> for example:
> 192.168.30.100-120 with X.Y.Z.209
> 192.168.30.240-245 with X.Y.Z.210
> 192.168.30.60-70 with X.Y.Z.212
>
> Is this possible with one router?!
> Like some simple natd configuration?

PS [pre-script :-)]: I wrote all of the below before remembering that natd's redirect_address option has a multiple-address form (see the natd man page). Try this first, since it's much easier and cleaner than the idea below.
I don't know if it is the only way, but this should be possible using multiple natd instances running on different ports. Configure the additional external addresses to use as aliases on your external network interface in /etc/rc.conf. Start up a natd for each group, each running on a different port. You might try doing this by setting natd_program in /etc/rc.conf to a script like the following, so that the natd instances get started at the right time in the startup sequence.

    #!/bin/sh
    # natd startup sample: one natd per external alias, each on its own
    # divert port and reading its own config file
    natd -p 8668 -config /etc/natd1.conf -a X.Y.Z.209
    natd -p 8669 -config /etc/natd2.conf -a X.Y.Z.210
    natd -p 8670 -config /etc/natd3.conf -a X.Y.Z.212

Next is the ugly part. Add rules in /etc/rc.firewall to divert traffic to and from each address to the appropriate natd. If you define your groups so that they look like subnets, you may be able to simplify this greatly. Instead of having a separate rule for each internal address, you'd have a rule for each group with the source address specified as 192.168.30.100/28, for example.

    # rc.firewall sample
    # group 1: outbound from each internal host, inbound to the alias
    ipfw add divert 8668 ip from 192.168.30.100 to any
    ipfw add divert 8668 ip from 192.168.30.101 to any
    ...(continue for all addresses to be mapped to X.Y.Z.209)
    ipfw add divert 8668 ip from any to X.Y.Z.209
    # group 2
    ipfw add divert 8669 ip from 192.168.30.240 to any
    ...(continue for all addresses to be mapped to X.Y.Z.210)
    ipfw add divert 8669 ip from any to X.Y.Z.210
    # group 3
    ipfw add divert 8670 ip from 192.168.30.60 to any
    ...(continue for all addresses to be mapped to X.Y.Z.212)
    ipfw add divert 8670 ip from any to X.Y.Z.212

+----------------+-------------------+------------------------------------+
| Dennis Holmes  | dholmes@rahul.net | "We demand rigidly defined         |
| San Jose, CA   +-------------------+  areas of doubt and uncertainty!"  |
+------=>{ Meanwhile, as Ford said: "Where are my potato chips?" }<=------+