From: Fabrizio Ravazzini
Subject: Re: two natd connections
To: Alexandre Kardanev
Cc: freebsd-isp@freebsd.org
Date: Mon, 11 Nov 2002 14:55:30 +0100 (CET)

Hello and thanks for the reply,

I think the best for us is solution 4). I've seen the natd man page but
I'm still confused. Is -port for redirecting only some ports like 23, 80
etc., or can I redirect all traffic to that network segment? Or have you
any examples?

Thanks

--- Alexandre Kardanev wrote:
>
> Hi!
>
> On Mon, 11 Nov 2002, [iso-8859-1] Fabrizio Ravazzini wrote:
>
> > Hello all, I'll go straight to the problem.
> > Network diagram:
> >                   ____________
> >  ADSL    adsl    |    fbsd    |192.168.1.1
> > ISP---router-----|ed0-GW-fxp0|----------LAN
> >      10.0.0.1    |___|fxp1___|      192.168.1.x
> >                      |195.
> >                      |223.20.100
> >                      |_______
> >                              |
> > HDSL(2Mb)   Router     fbsd       DMZ
> > ISP--------cisco----bridge--HUB-------DMZ Servers
> > 195.223.20.1
> >
> > The fbsd gateway is configured as a natd machine.
> > /etc/rc.conf:
> > gateway_enable="YES"
> > firewall_enable="YES"
> > firewall_type="OPEN"
> > natd_enable="YES"
> > natd_interface="ed0"
> > natd_flags=""
> >
> > /etc/rc.firewall:
> > case ${firewall_type} in
> > [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
> >     case ${natd_enable} in
> >     [Yy][Ee][Ss])
> >         if [ -n "${natd_interface}" ]; then
> >             ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
> >         fi
> >         ;;
> >     esac
> > esac
>
> There are many solutions, and the simplest are:
> 1) add "ip route 192.168.1.0 255.255.255.0 195.223.20.100" on the Cisco in
>    "config" mode and remove the second natd.
> 2) configure a dynamic routing protocol (RIP, OSPF) on the Cisco, fbsd and
>    maybe on the DMZ computers. Remove the second natd.
> 3) add a static route to the LAN on the DMZ computers. Remove the second natd.
> 4) "man natd" about "-port", to use another divert socket for the second
>    natd. Install the second natd through a self-written
>    /usr/local/etc/rc.d/natd.sh script.
>
> > We have installed the new cable from the gateway (fxp1) to the DMZ hub so
> > that if a client on the LAN wants to go to some DMZ servers they don't go
> > through the slow ADSL line but are routed directly to the DMZ hub to reach
> > the servers. This is also because the HDSL line (2MB) is cost effective.
> > The gateway is a FreeBSD 4.5, and works well to route the traffic from the
> > LAN to the internet, especially for http traffic.
> > The real problem is that the new link to reach the DMZ internally
> > (GW-fxp1--->DMZ hub) doesn't work at all.
> > If I do a netstat -rn on the gateway machine I can see the routes to reach
> > the DMZ, and if I ping from the GW, for example 195.223.20.4, it works
> > well. But from a LAN client it doesn't.
> > To solve the problem we tried to run on the GW:
> > natd -interface fxp1
> > in order to NAT all the traffic to the DMZ, and put another rule
> > (number 53) in rc.firewall like this:
> >
> > --snip---
> > if [ -n "${natd_interface}" ]; then
> >     ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
> >     ${fwcmd} add 53 divert natd all from any to any via fxp1
> > fi
> > ;;
> > --snip---
> >
> > But it doesn't work; when we run "natd -interface fxp1" we receive this
> > error:
> >
> > "Unable to bind to divert socket address already in use".
> >
> > Is it because there are two instances of natd running? But we need two!
> > Is there any way to do what I want? The LAN clients should always be able
> > to reach the internet via the ADSL link, and if they want to "talk" to the
> > DMZ servers they pass directly to them without passing through
> > ADSLlink---Internet---HDSLlink---DMZ, which is cost effective.
> >
> > Any help would be appreciated
> > Many thanks
> >
> > ______________________________________________________________________
> > My Yahoo!: personalize Yahoo! the way you like it
> > http://it.yahoo.com/mail_it/foot/?http://it.my.yahoo.com/
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-isp" in the body of the message
> >
>
> ABK2-RIPE
> -------------------
> "If the proper preparations have been made and the necessary precautions
> taken, any staged event is guaranteed success"
>                                            -Ethelred the Unready
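As an added example (not from the thread, nor from FreeBSD's own rc scripts), a dry-run shell helper that pairs each natd instance with its own divert port and the matching ipfw divert rule, which is what option 4) amounts to: -port selects the divert socket natd listens on, not which TCP ports get translated, and the packets that reach that socket are chosen by the from/to/via selector of the ipfw rule. The interfaces ed0/fxp1 and rule numbers 50/53 come from the thread; the second divert port 8669 and the function names are assumptions.

```shell
#!/bin/sh
# Added example. natd binds one divert socket per instance; the default is
# the "natd" service, port 8668, so a second instance started without -port
# collides and fails with "Unable to bind to divert socket address already
# in use", as reported in the thread. Port 8669 below is an assumption.

# natd_divert_rules IFACE PORT RULENUM
# Print the natd invocation and the ipfw divert rule for one NAT instance.
# The port given to natd -port and to ipfw's "divert" action must match,
# otherwise the diverted packets never reach that natd.
natd_divert_rules() {
  iface=$1; port=$2; rule=$3
  printf 'natd -port %s -interface %s\n' "$port" "$iface"
  printf 'ipfw add %s divert %s ip from any to any via %s\n' \
    "$rule" "$port" "$iface"
}

# The two instances from the thread: ADSL side on ed0 (default port 8668)
# and the DMZ link on fxp1 on a second, distinct divert port.
two_natd_plan() {
  natd_divert_rules ed0 8668 50
  natd_divert_rules fxp1 8669 53
}

# Count duplicate divert ports in the plan; anything other than 0 means a
# second natd would fail to bind exactly as in the thread.
check_unique_ports() {
  two_natd_plan | awk '/^natd/ {print $3}' | sort | uniq -d | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
  two_natd_plan | sh   # execute for real (root on the FreeBSD gateway)
else
  two_natd_plan        # dry run: show the commands an rc.d script would run
fi
```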