Date: Sat, 30 Sep 2006 15:13:29 +0200 From: Nenad Gavrilovic <neca@boox.co.yu> To: freebsd-ipfw@FreeBSD.org Subject: Re: ip address of the local user is not nat'd to its alias Message-ID: <451E6D79.2070208@boox.co.yu> In-Reply-To: <b218ac810609281850hc08ddebwb0048d196cb6b3fb@mail.gmail.com> References: <b218ac810609281850hc08ddebwb0048d196cb6b3fb@mail.gmail.com>
Hanns Hartman wrote:
> Hi All,
> I have read through a lot of the mailing list archives and have had
> no success with the following problem. I have a box that is
> functioning as a captive portal, aka think free wifi login at
> Starbucks or the like.
> I have two interfaces, fxp0 and fxp1, that point to two different
> networks that have statically assigned IP addresses, and a third, fxp2, which
> is the internal network. (BTW I am running FreeBSD 4.11 on this box.)
> I have two instances of natd running on the box, one assigned to each
> of the two external interfaces, with options -snup enabled, and each
> instance has its own port number.
> So the problem is that when I try to send traffic via an ipfw
> divert rule out one of the interfaces and I look at an ethereal trace
> on the box of the webserver that is the destination I am trying to get
> to, the source IP address is not nat'd to the interface's IP address
> that points to that network. So when the destination box tries to send
> a response it doesn't know where to send the packets, since it's trying
> to send them to an IP on the internal network. Do any of you have any
> idea why the source address of the initial [SYN] would be the
> internal network and not the IP address of the interface that is on
> that network? I enabled logging on natd and I think it's working,
> because whenever I try to connect to the website I see the natd stats
> in the log file increase in number.
> Thanks in advance for the help,
> Hanns
>
> KERNEL_CONFIG
>
> ...
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_FORWARD
> options IPDIVERT
> options IPFW2
>
>
> IPFW_rules
>
> /sbin/ipfw add 500 set 2 divert natd2 ip from $clientip to any in
> /sbin/ipfw add 600 set 2 allow ip from any to any in
>
> natd starting
> /sbin/natd -p natd -s -u -n fxp1 -P /var/run/natd_fxp1.pid
> /sbin/natd -p natd2 -s -u -n fxp0 -P /var/run/natd2_fxp0.pid
>

You have to have two rules for natd as follows:
(from <http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html>)

natd_enable="YES"          # Enable NATD function
natd_interface="rl0"       # interface name of public Internet NIC
natd_flags="-dynamic -m"   # -m = preserve port numbers if possible

pif="rl0"                  # public interface name of NIC
                           # facing the public Internet

1. $cmd 500 divert natd ip from any to any out via $pif
2. $cmd 100 divert natd ip from any to any in via $pif

The 1st rule triggers when a packet goes OUT via $pif; natd stores information about the packet and changes the source IP from the original to $pif. The 2nd rule triggers when a packet comes IN via $pif; natd checks the information from the packet and, if it has stored information that it changed the source IP, it changes the source IP from $pif back to the original.

You have to have one set of rules for natd and another set of rules for natd2.
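As an added example, not taken from either message in the thread, here is the out-via/in-via divert pair from the reply applied to both natd instances of the original post (natd on fxp1, natd2 on fxp0). The rule numbers, the ipfw path, and the assumption that "natd" and "natd2" resolve as divert port names (as the poster's -p flags imply) are mine; replace them to match the real box.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw divert rules for two natd
# instances, one per external interface. Each instance gets the pair the
# handbook describes: "in via" so replies are translated back to the
# internal client, "out via" so outgoing packets get the interface's
# address as source. Rule numbers and paths below are assumptions.
#
# Rules are printed by default; set APPLY=1 to install them with ipfw.

IPFW=${IPFW:-/sbin/ipfw}

# rule <args...>: print the rule, or install it when APPLY=1
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPFW" add "$@"
    else
        echo "ipfw add $*"
    fi
}

# natd_pair <base rule number> <divert port> <external interface>
# Emits the two rules one natd instance needs on one interface:
#   base   : packets arriving IN via the interface go to natd, which
#            rewrites replies back to the internal address it recorded
#   base+1 : packets leaving OUT via the interface go to natd, which
#            records them and rewrites the source to the interface IP
natd_pair() {
    base=$1; port=$2; pif=$3
    rule "$base"         divert "$port" ip from any to any in  via "$pif"
    rule "$((base + 1))" divert "$port" ip from any to any out via "$pif"
}

# One set per daemon, matching the two natd invocations in the post:
#   /sbin/natd -p natd  -s -u -n fxp1   (divert port "natd",  interface fxp1)
#   /sbin/natd -p natd2 -s -u -n fxp0   (divert port "natd2", interface fxp0)
natd_pair 100 natd  fxp1
natd_pair 200 natd2 fxp0
```

A rule that only diverts "in" on the client side (as in the original post) never hands the outbound packet to natd, so its source is never rewritten; both directions on the external interface are required.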
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?451E6D79.2070208>