Date: Wed, 13 Feb 2008 03:14:23 +0000
From: Matthew Herzog <matthew.herzog@gmail.com>
To: FreeBSD <freebsd-stable@freebsd.org>
Subject: Three interface NAT box
Message-ID: <47B2608F.1000208@gmail.com>
Hi again. I have a FreeBSD 6.3 box that runs IPNAT and IPFILTER. xl0 is the external NIC and is a dhcp client on a cable network. Naturally, it does IPFILTER. fxp0 is the internal NIC that hands out dhcp leases to clients inside the NAT net. It has the address 192.168.0.1. I also run a caching named on this IPF/IPNAT gateway box. This setup has worked great for years.

Recently I added a third NIC (em0) to this gateway box and gave it a static IP 192.168.1.1. I connected em0 to a server via xover cable. I assigned the server on the other end of the xover cable a static address of 192.168.1.5. I reconfigured BIND to listen on both em0 and fxp0. Connectivity from 192.168.1.1 <---> 192.168.1.5 works great. Both machines can talk to each other.

All that's missing now is for 192.168.1.5 to be able to reach the Internet through 192.168.1.1. The server with 192.168.1.5 needs to be able to download updates, patches, etc. I can resolve Internet hosts from 192.168.1.5 but that's all. No other protocols seem to reach the www. I am thinking it could be an IPNAT issue or a routing issue; perhaps both.

Here's my /etc/ipnat.conf file:

    map xl0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
    map xl0 192.168.0.0/24 -> 0.0.0.0/32

Here is netstat -r on the gateway machine:

    default             L100.VFTTP-18.BSTN  UGS   0  6747766  xl0
    71.173.55/24        link#1              UC    0        0  xl0
    L100.VSTTP-18.BSTN  00:90:1a:a0:3d:c4   UHLW  2       46  xl0   653
    pool-71-173-55-4.b  00:50:da:11:95:97   UHLW  1        0  lo0
    localhost           localhost           UH    0        0  lo0
    192.168.0           link#3              UC    0        0  fxp0
    192.168.0.38        00:16:01:70:38:94   UHLW  1   420937  fxp0  605
    192.168.0.39        00:17:f2:49:d5:23   UHLW  1     6430  fxp0  909
    192.168.0.53        00:11:24:21:49:36   UHLW  1    42014  fxp0  391
    192.168.1           link#2              UC    0        0  em0

Traffic, except for DNS queries, is not being passed out from em0 to xl0.

Here is netstat -rn on the 192.168.1.5 host:

    Destination  Gateway      Genmask        Flags  MSS  Window  irtt  Iface
    192.168.1.0  0.0.0.0      255.255.255.0  U      0    0       0     eth0
    192.168.0.0  0.0.0.0      255.255.255.0  U      0    0       0     eth0
    0.0.0.0      192.168.1.1  0.0.0.0        UG     0    0       0     eth0
    0.0.0.0      192.168.0.1  0.0.0.0        UG     0    0       0     eth0

Here are the first few lines of my ipf.conf file. There are no other rules for em0 anywhere in the file.

    pass in quick on fxp0 all
    pass out quick on fxp0 all
    pass in quick on em0 all
    pass out quick on em0 all
    pass in quick on lo0 all
    pass out quick on lo0 all
    pass out quick on xl0 all keep state

I am thinking of adding these lines to /etc/rc.conf:

    static_routes="emzero"
    route_emzero="-net 192.168.1.0/24 192.168.0.1"

Can anyone tell me if that might work before I potentially hose my network? Thanks.
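An added check, not part of Matthew's post or of any reply in the thread: the /etc/ipnat.conf quoted above carries map rules only for 192.168.0.0/24, while the new server sits in 192.168.1.0/24. The script below parses ipnat `map` lines (only `map`; rdr and bimap rules are skipped), embeds the posted configuration as constructed sample input, and reports which inside hosts would leave xl0 with no matching map rule. FIXED_CONF, which repeats the same pair of rules for 192.168.1.0/24, is my assumption of what a covering configuration would look like, not something taken from the thread.

```python
import ipaddress
import re
from typing import List, NamedTuple


# Minimal model of an ipnat(5) "map" rule:  map <ifname> <src-net> -> <dst> [options]
class MapRule(NamedTuple):
    ifname: str
    src: ipaddress.IPv4Network
    dst: str      # kept as text; 0.0.0.0/32 means "use the interface's own address"
    options: str  # e.g. "portmap tcp/udp auto"


MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s*(.*)$")


def parse_ipnat(text: str) -> List[MapRule]:
    """Parse only 'map' lines; comments and other rule types (rdr, bimap) are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if not m:
            continue
        ifname, src, dst, opts = m.groups()
        rules.append(MapRule(ifname, ipaddress.ip_network(src, strict=False), dst, opts.strip()))
    return rules


def matching_rules(rules: List[MapRule], ifname: str, src_ip: str) -> List[MapRule]:
    """Rules on the given outbound interface whose source network contains src_ip."""
    ip = ipaddress.ip_address(src_ip)
    return [r for r in rules if r.ifname == ifname and ip in r.src]


def uncovered_hosts(conf: str, ifname: str, hosts: List[str]) -> List[str]:
    """Hosts that would leave ifname with their private source address untranslated."""
    rules = parse_ipnat(conf)
    return [h for h in hosts if not matching_rules(rules, ifname, h)]


# Constructed sample input: the /etc/ipnat.conf quoted in the post.
POSTED_CONF = """\
map xl0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map xl0 192.168.0.0/24 -> 0.0.0.0/32
"""

# Assumed covering configuration (my addition, not from the thread): the same pair of
# rules repeated for the second inside subnet that lives on em0.
FIXED_CONF = POSTED_CONF + """\
map xl0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map xl0 192.168.1.0/24 -> 0.0.0.0/32
"""

if __name__ == "__main__":
    hosts = ["192.168.0.38", "192.168.1.5"]  # one host from each inside subnet in the post
    for label, conf in (("posted", POSTED_CONF), ("assumed fix", FIXED_CONF)):
        print(f"{label}: no map rule on xl0 for {uncovered_hosts(conf, 'xl0', hosts)}")
```

Run against the posted configuration the check reports 192.168.1.5 as uncovered and 192.168.0.38 as covered; against the assumed fix it reports nothing. The check only says whether a map rule matches a source address on the outbound interface; it says nothing about the rc.conf static route proposed at the end of the post, and confirming the NAT side on the live box would still mean looking at `ipnat -l` output and at whether replies to the 192.168.1.5 traffic ever come back in on xl0.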
