Date:      Mon, 11 Nov 2002 14:55:30 +0100 (CET)
From:      Fabrizio Ravazzini <freefabri@yahoo.it>
To:        Alexandre Kardanev <Alexandre.Kardanev@ihep.su>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: two natd connections
Message-ID:  <20021111135530.38125.qmail@web20108.mail.yahoo.com>
In-Reply-To: <Pine.OSF.4.21.0211111629400.38419-100000@Sirius.ihep.su>

Hello and thanks for the reply, I think the best for
us is solution 4), I've seen the natd man but I'm
still confused.
Is the -port for redirecting only some ports like
23,80 etc, or can I redirect all traffic to that
network segment?
Or have you any examples?
Thanks
--- Alexandre Kardanev <Alexandre.Kardanev@ihep.su> wrote:
> 
> Hi!
> 
> On Mon, 11 Nov 2002, Fabrizio Ravazzini wrote:
> 
> > Hello all, I'll go straight to the problem.
> > Network diagram:
> >                  ____________
> > ADSL   adsl      |   fbsd    |192.168.1.1
> > ISP---router-----|ed0-GW-fxp0|----------LAN
> >         10.0.0.1 |___|fxp1___|         192.168.1.x
> >                      |195.223.20.100
> >                      |_______
> >                              |
> > HDSL(2Mb)  Router   fbsd    DMZ
> > ISP--------cisco----bridge--HUB-------DMZ Servers
> >         195.223.20.1
> > 
> > The fbsd gateway is configured as a natd machine.
> > /etc/rc.conf:
> >     gateway_enable="YES"
> >     firewall_enable="YES"
> >     firewall_type="OPEN"
> >     natd_enable="YES"
> >     natd_interface="ed0"
> >     natd_flags=""
> > 
> > /etc/rc.firewall:
> >     case ${firewall_type} in
> >     [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
> >         case ${natd_enable} in
> >         [Yy][Ee][Ss])
> >             if [ -n "${natd_interface}" ]; then
> >                 ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
> >             fi
> >             ;;
> >         esac
> >         ;;
> >     esac
> > 
> There are many solutions, and the simplest are:
> 1) add "ip route 192.168.1.0 255.255.255.0 195.223.20.100" on the Cisco in
> "config" mode and remove the second natd.
> 2) configure a dynamic routing protocol (RIP, OSPF) on the Cisco, fbsd and
> maybe on the DMZ computers. Remove the second natd.
> 3) add a static route to the LAN on the DMZ computers. Remove the second
> natd.
> 4) "man natd" about "-port", to use another divert socket for the second
> natd. Install the second natd through a self-written
> /usr/local/etc/rc.d/natd.sh script.
> 
> 
> > We have installed the new cable from the gateway (fxp1) to the DMZ hub
> > so that if a client on the LAN wants to go to some DMZ servers they
> > don't go through the slow ADSL line but are routed directly to the DMZ
> > hub to reach the servers.
> > This is also because the HDSL line (2MB) is cost effective.
> > The gateway is a FreeBSD 4.5, and works well to route the traffic from
> > the LAN to the internet, especially for http traffic.
> > The real problem is that the new link to reach the DMZ internally
> > (Gw-fxp1--->DMZ Hub) doesn't work at all.
> > If I do a netstat -rn on the gateway machine I can see the routes to
> > reach the DMZ, and if I ping from the GW for example 195.223.20.4 it
> > works well. But from a LAN client it doesn't.
> > To solve the problem we tried to run on the GW:
> > natd -interface fxp1
> > in order to nat all the traffic to the DMZ and put another rule
> > (number 53) in rc.firewall like this:
> > 
> > --snip---
> > if [ -n "${natd_interface}" ]; then
> >     ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
> >     ${fwcmd} add 53 divert natd all from any to any via fxp1
> > fi
> > ;;
> > --snip---
> > 
> > 
> > But it doesn't work, when we run the "natd -interface fxp1" we receive
> > this error:
> > 
> > "Unable to bind to divert socket address already in use".
> > 
> > Is it because there are two instances of natd running?
> > But we need two!
> > Is there any way to do what I want? The LAN clients should always be
> > able to reach the internet via the ADSL link, and if they want to "talk"
> > to the DMZ servers they pass directly to them without passing through
> > ADSLlink---Internet---HDSLlink---dmz, that is cost effective.
> > 
> > Any help would be appreciated
> > Many thanks
> > 
> 
> 
> ABK2-RIPE
> -------------------
>    "If the proper preparations have been made and the necessary precautions
>     taken, any staged event is guaranteed success"
>                                       -Ethelred the Unready
> 

______________________________________________________________________
My Yahoo!: personalize Yahoo! the way you like
http://it.yahoo.com/mail_it/foot/?http://it.my.yahoo.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
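As an added example (not code from the thread or from FreeBSD), here is what option 4) looks like as a small POSIX sh script in the style of the self-written /usr/local/etc/rc.d/natd.sh: the -port flag picks the divert socket the extra natd listens on (it does not choose which TCP ports get translated), so the second instance gets its own port and the ipfw rule for fxp1 diverts to that port number instead of to "natd". It assumes the rc.conf instance keeps natd's default divert port 8668 (the "natd" entry in /etc/services that `divert natd` resolves to), which is why the thread's second `natd -interface fxp1` failed with "address already in use"; port 8669, rule 53 and the interface names are illustrative values.

```shell
#!/bin/sh
# Added example (not from the thread): start a second natd on its own divert
# port and install the matching ipfw rule, rc.d style (usage: natd2.sh start).
# Assumption: the rc.conf natd (natd_interface="ed0") keeps the default
# divert port 8668, the "natd" service that "divert natd" resolves to.
NATD1_PORT=8668
NATD2_IFACE="${NATD2_IFACE:-fxp1}"   # illustrative: the LAN-to-DMZ interface
NATD2_PORT="${NATD2_PORT:-8669}"     # illustrative: must differ from NATD1_PORT
NATD2_RULE="${NATD2_RULE:-53}"       # illustrative ipfw rule number
DRY_RUN="${DRY_RUN:-0}"              # 1 = print the commands instead of running

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Two natd processes cannot share one divert port; that is the
# "Unable to bind to divert socket address already in use" from the thread.
check_ports() {
    [ "$1" != "$2" ]
}

# natd_cmd IFACE PORT: the extra natd, bound to its own divert port
natd_cmd() {
    printf 'natd -port %s -interface %s' "$2" "$1"
}

# divert_rule RULENO PORT IFACE: ipfw rule that diverts to that port
# number, not to "natd", which would again mean 8668.
divert_rule() {
    printf 'ipfw add %s divert %s all from any to any via %s' "$1" "$2" "$3"
}

start_second_natd() {
    check_ports "$NATD1_PORT" "$NATD2_PORT" || {
        echo "divert port $NATD2_PORT is already used by the first natd" >&2
        return 1
    }
    run $(natd_cmd "$NATD2_IFACE" "$NATD2_PORT") &&
        run $(divert_rule "$NATD2_RULE" "$NATD2_PORT" "$NATD2_IFACE")
}

case "$1" in
    start) start_second_natd ;;
esac
```

Run it with DRY_RUN=1 first to see the two commands it would issue; the rule-50 `divert natd` line from rc.firewall stays as it is for the ed0 instance.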




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021111135530.38125.qmail>