From: Nenad Gavrilovic
Date: Sat, 30 Sep 2006 15:13:29 +0200
To: freebsd-ipfw@FreeBSD.org
Subject: Re: ip address of the local user is not nat'd to its alias
Message-ID: <451E6D79.2070208@boox.co.yu>

Hanns Hartman wrote:
> Hi All,
> I have read through a lot of the mailing list archives and have had
> no success with the following problem. I have a box that is
> functioning as a captive portal, aka think free wifi login at
> Starbucks or the like.
> I have two interfaces, fxp0 and fxp1, that point to two different
> networks that have statically assigned IP addresses, and a third, fxp2, which
> is the internal network. (BTW I am running FreeBSD 4.11 on this box.)
> I have two instances of natd running on the box, one assigned to each
> of the two external interfaces with options -snup enabled, and each
> instance has its own port number.
> So the problem is that when I try to send traffic via an ipfw
> divert rule out one of the interfaces and I look at an Ethereal trace
> on the box of the webserver that is the destination I am trying to get
> to, the source IP address is not nat'd to the interface's IP address
> that points to that network. So when the destination box tries to send
> a response it doesn't know where to send the packets, since it's trying
> to send them to an IP on the internal network. Do any of you have any
> idea why the source address of the initial [SYN] would be the
> internal network and not the IP address of the interface that is on
> that network? I enabled logging on natd and I think it's working,
> because whenever I try to connect to the website I see the natd stats
> in the log file increase in number.
> Thanks in advance for the help,
> Hanns
>
> KERNEL_CONFIG
>
> ...
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_FORWARD
> options IPDIVERT
> options IPFW2
>
> IPFW_rules
>
> /sbin/ipfw add 500 set 2 divert natd2 ip from $clientip to any in
> /sbin/ipfw add 600 set 2 allow ip from any to any in
>
> natd starting
> /sbin/natd -p natd -s -u -n fxp1 -P /var/run/natd_fxp1.pid
> /sbin/natd -p natd2 -s -u -n fxp0 -P /var/run/natd2_fxp0.pid

You have to have two rules for natd as follows: (from )

natd_enable="YES"          # Enable NATD function
natd_interface="rl0"       # interface name of public Internet NIC
natd_flags="-dynamic -m"   # -m = preserve port numbers if possible

pif="rl0"                  # public interface name of NIC
                           # facing the public Internet

1. $cmd 500 divert natd ip from any to any out via $pif
2. $cmd 100 divert natd ip from any to any in via $pif

The 1st rule triggers when a packet goes OUT via $pif; natd stores information about the packet and changes the source IP from the original to $pif's.
The 2nd rule triggers when a packet comes IN via $pif; natd checks the information from the packet and, if it has stored information that it changed the source IP, it changes the source IP from $pif back to the original.

You have to have one set of rules for natd and another set of rules for natd2.
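As an added example (not from this thread or from FreeBSD itself), a small shell script that emits the paired in/out divert rules for both natd instances in the two-uplink setup above, and lints an ipfw ruleset for divert targets that are only covered in one direction, which is what the original rule 500 does. The rule numbers 100/110, 200/210 and the trailing allow rule are assumptions, and the ipfw commands are printed rather than executed so the script can be checked on any host.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the paired divert rules each natd
# instance needs and lints a ruleset for one-directional divert rules.
# Assumed: rule numbers 100/110 (natd on fxp1) and 200/210 (natd2 on fxp0).

# natd_rules PORT IFACE BASE: both directions via IFACE must hit the same
# natd port, so natd rewrites the source on the way out and undoes it on
# the way in. Commands are printed, not executed.
natd_rules() {
    echo "/sbin/ipfw add $3 set 2 divert $1 ip from any to any out via $2"
    echo "/sbin/ipfw add $(($3 + 10)) set 2 divert $1 ip from any to any in via $2"
}

# ruleset: the two-uplink layout from the thread, natd on fxp1, natd2 on fxp0.
ruleset() {
    natd_rules natd fxp1 100
    natd_rules natd2 fxp0 200
    echo "/sbin/ipfw add 600 set 2 allow ip from any to any"
}

# lint_divert: read ipfw rules on stdin; print "PORT IFACE" for each divert
# target seen for only one of in/out on that interface ("-" = no via clause).
# A rule with neither "in" nor "out" matches both directions in ipfw.
lint_divert() {
    awk '
    /divert/ {
        port = ""; dir = ""; iface = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "divert") port = $(i + 1)
            if ($i == "in" || $i == "out") dir = $i
            if ($i == "via") iface = $(i + 1)
        }
        if (port == "") next
        k = port " " iface
        keys[k] = 1
        if (dir == "") { seen[k " in"] = 1; seen[k " out"] = 1 } else seen[k " " dir] = 1
    }
    END {
        for (k in keys)
            if (!((k " in") in seen) || !((k " out") in seen)) print k
    }'
}

# Demo: the corrected ruleset, then the lint run over the original rule 500
# (client address 10.0.0.5 is a constructed sample), which reports "natd2 -".
ruleset
echo "/sbin/ipfw add 500 set 2 divert natd2 ip from 10.0.0.5 to any in" | lint_divert
```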