Date: Mon, 11 Nov 2002 16:37:51 +0300 (MSK) From: Alexandre Kardanev <Alexandre.Kardanev@ihep.su> To: =?iso-8859-1?q?Fabrizio=20Ravazzini?= <freefabri@yahoo.it> Cc: freebsd-isp@freebsd.org Subject: Re: two natd connections Message-ID: <Pine.OSF.4.21.0211111629400.38419-100000@Sirius.ihep.su> In-Reply-To: <20021111110705.81900.qmail@web20103.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi!
On Mon, 11 Nov 2002, [iso-8859-1] Fabrizio Ravazzini wrote:
> Hello all I'll go straight to the problem
> Network diagram:
> ____________
> ADSL adsl | fbsd |192.168.1.1
> ISP---router-----|ed0-GW-fxp0|----------LAN
> 10.0.0.1|___|fxp1___| 192.168.1.x
> |195.
> |223.20.100
> |_______
> |
> HDSL(2Mb) Router fbsd DMZ
> ISP--------cisco----bridge--HUB-------DMZ Servers
> 195.223.20.1
>
> The fbsd gateway is configured as a natd machine
> /etc/rc.conf:
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="ed0"
> natd_flags=""
>
> /etc/rc.firewall:
> case ${firewall_type} in
> [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
> case ${natd_enable} in
> [Yy][Ee][Ss])
> if [ -n "${natd_interface}" ]; then
> ${fwcmd} add 50 divert natd all
> from any to any via ${natd_interface}
> fi
> ;;
> esac
> esac
>
There are many solutions, and simplest are:
1) add "ip route 192.168.1.0 255.255.255.0 195.223.20.100" on Cisco in
"config" mode and remove second natd.
2) configure dinamic route protocol (RIP, OSPF) on Cisco, fbsd and maybe
on DMZ computers. Remove second natd.
3) add static route to LAN on DMZ computers. Remove second natd.
4) "man natd" about "-port", to use another divert socket for second
natd. Install second natd through /usr/local/etc/rc.d/natd.sh
self-written script.
> We have installed the new cable from the gateway
> (fxp1) to the Dmz Hub in order that if a Client on the
> LAN wants to go to some Dmz servers they don't go
> trough the slow ADSL line but routed directly
> to the dmz hub to reach the servers.
> This also because the HDSL line (2MB) is cost
> effective.
> The gateway is a FreeBSD 4.5, and works well to route
> the traffic from the Lan to internet
> especially for http-traffic.
> The real problem is that the new link to reach the dmz
> internally (Gw-fxp1--->DMZ Hub) doesn't work at all.
> If I do a netstat -rn on the gateway machine I can see
> the routes to reach the dmz, and if I ping from the Gw
> for example 195.223.20.4 it works well.
> But from a Lan client It doesn't.
> To solve the problem We tried to run on the GW:
> natd -interface fxp1
> in order to nat all the traffic to the dmz and put
> another rule (number 53)
> in rc.firewall like this:
>
> --snip---
> if [ -n "${natd_interface}" ]; then
> ${fwcmd} add 50 divert natd all from any to any via
> ${natd_interface}
> ${fwcmd} add 53 divert natd all from any to any via
> fxp1
> fi
> ;;
> --snip---
>
>
> But it doesn't work, when we run the "natd -interface
> fxp1" we receive this error:
>
> "Unable to bind to divert socket address already in
> use".
>
> Is because there are two instances of natd running?
> but we need two!
> Is there any way to do what I want? The Lan clients
> should always be able to reach internet
> via the adsl link and if they want to "talk" to the
> dmz servers they pass directly to them without
> pass through ADSLlink---Internet---HDSLlink---dmz that
> is cost effective.
>
> Any help would be appreciated
> Many thanks
>
> ______________________________________________________________________
> Mio Yahoo!: personalizza Yahoo! come piace a te
> http://it.yahoo.com/mail_it/foot/?http://it.my.yahoo.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>
ABK2-RIPE
-------------------
"If the proper preparations have been made and the necessary precautions
taken, any staged event is guaranteed success"
-Ethelred the Unready
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.OSF.4.21.0211111629400.38419-100000>