From owner-freebsd-net@FreeBSD.ORG Tue May 27 00:22:34 2003
Message-ID: <3ED31223.9070003@401.cx>
Date: Tue, 27 May 2003 09:22:11 +0200
From: "Roger 'Rocky' Vetterberg"
To: Barney Wolff
References: <1091.192.168.1.39.1053704739.squirrel@intranet.el.com.br> <20030523164902.GA36660@pit.databus.com>
cc: freebsd-net@freebsd.org
cc: "Paiva, Gilson de"
cc: freebsd-questions@freebsd.org
Subject: Re: 3 NICs NAT setup, almost there ...

Barney Wolff wrote:
> On Fri, May 23, 2003 at 12:45:39PM -0300, Paiva, Gilson de wrote:
>
>> Hi,
>>
>> Take this scenario:
>>
>>                  xxx/26             yyy/26
>>   internet --- ep0  freebsd  rl0 --- wired clients
>>                       ep1
>>                        |
>>            private ip ( 192.168.1.0/24 )
>>                        |
>>                    wireless
>>
>> I have to NAT packets with destination to an IP in xxx/26 to an IP
>> on the private IP net. So far so good with the "common" redirect_address
>> natd configuration. The problem happens with traffic between net
>> yyy/26 and the private network (and vice versa), because packets
>> get routed to their destination before they get translated by natd.
>> What's the secret? I tried everything I know and learned from
>> reading, but no setup worked out.
>
>
> I'd use ipfw and natd, and run two instances of natd listening on
> different divert sockets. Rules in ipfw can divert the packets to
> the right natd depending on where the packets are coming from or
> going to.

I have been running something similar to the above for well over a year
without problems. The tricky thing can be to get your firewall rules right.

The machine in question has 3 NICs:

xl0: y.y.108.201 netmask 0xffffff00
xl1: 192.168.101.20 netmask 0xfffffc00
xl2: 192.168.200.1 netmask 0xffffff00

The relevant section of my firewall rules looks like this:

00070 divert 8669 ip from any to 192.168.0.0/16 via xl1
00080 divert 8669 ip from any to x.x.184.234 via xl1
00090 divert 8669 ip from any to x.x.89.40 via xl1
00100 divert 8668 ip from any to any via xl0

The IP addresses starting with x.x are servers that we need to go a
special route to access. Ignore them if you wish; I only included them as
an example of how to write your rules.

Besides the above rules, all you have to do is start two instances of
natd, one on interface xl1 listening on 8669 and one on xl0 listening on
8668.

I also had to add a route on the router in the 192.168.100.0/22 network
to make it send traffic to 192.168.200.1/24 back to the right
192.168.101.20 instead of throwing it on the default route.

The possibilities are almost endless: you can run as many natd instances
as you need and just divert traffic based on destination, origin, port,
protocol or whatever you see fit.

Hope this helps
--
R
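The two-natd layout Roger describes, written up as a gateway script. This is an added example, not code from the thread: interface names, addresses and rules 70 and 100 are taken from his message, while the final allow rule, the APPLY_NAT_RULES/IPFW/NATD hooks and the divert_port_for helper are assumptions added here.

```shell
#!/bin/sh
# Two-natd gateway as described in the message above. Interface names,
# addresses and rule numbers 70 and 100 are the poster's; the allow rule,
# the env-var hooks and the lookup helper are assumptions added here.
# Run with APPLY_NAT_RULES=1 on the gateway; IPFW=echo NATD=echo dry-runs it.
IPFW="${IPFW:-ipfw}"
NATD="${NATD:-natd}"

EXT_IF=xl0           # y.y.108.201/24, the uplink
LAN_IF=xl1           # 192.168.101.20/22, wired side behind its own router
EXT_NATD_PORT=8668   # natd masquerading everything that leaves xl0
LAN_NATD_PORT=8669   # natd translating traffic sent toward the wired LAN

# One natd per interface, each on its own divert port (natd -p port -n iface).
start_natd_instances() {
    "$NATD" -p "$EXT_NATD_PORT" -n "$EXT_IF"
    "$NATD" -p "$LAN_NATD_PORT" -n "$LAN_IF"
}

# Order matters: ipfw is first-match, so the LAN-bound rule must precede the
# catch-all on the uplink. The poster's extra x.x server rules are omitted.
install_divert_rules() {
    "$IPFW" add 70  divert "$LAN_NATD_PORT" ip from any to 192.168.0.0/16 via "$LAN_IF"
    "$IPFW" add 100 divert "$EXT_NATD_PORT" ip from any to any via "$EXT_IF"
    "$IPFW" add 65000 allow ip from any to any   # assumed: pass the rest
}

# Mirrors the two divert rules for a packet crossing interface $1 toward
# destination $2; prints the natd port it would be handed to, or "none".
# Exact for these rules only (the /16 is checked as an octet prefix); it is
# a sanity check for the rule order, not a general ipfw evaluator.
divert_port_for() {
    iface=$1; dst=$2
    case "$iface:$dst" in
        "$LAN_IF":192.168.*) echo "$LAN_NATD_PORT" ;;   # rule 70
        "$EXT_IF":*)          echo "$EXT_NATD_PORT" ;;   # rule 100
        *)                    echo none ;;               # falls through to allow
    esac
}

if [ "${APPLY_NAT_RULES:-0}" = 1 ]; then
    start_natd_instances
    install_divert_rules
fi
```

A packet from the wireless net to the Internet is evaluated twice: entering on xl1 it matches nothing and passes, leaving on xl0 it hits rule 100 and is translated by the 8668 instance.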