From: fbsd-ipfw@0x10.com
To: freebsd-ipfw@freebsd.org
Date: Tue, 24 Aug 2004 10:32:27 +0100
Subject: natd and ipfw problems...hope this is the right place=)

Diagram:

                .oO( Internet )Oo.
                       ||
                       ||
                [----DSL------]
                [ adsl router ]  <- No NAT
                [-------------]
                   |       |
                   |       |
                   |       |
                   B       A
        [--------WL-------]   [---BSD---]
NAT ->  [ wireless router ]   [ bsd box ]
        [-----------------]   [---------]
                 X |             |
                   |             |
                   |             |
                   |_____________|
                   Y
        [---------WEB--------]
        [ web server + media ]
        [--------------------]

IP Addresses:
A: External IP 82.*.*.A
B: External IP 82.*.*.B
X: Internal IP 192.168.1.101
Y: Internal IP 192.168.1.100

### External Connectivity ###
WEB -> WL -> (DSL) -> Internet [IP B]
BSD -> (DSL) -> Internet [IP A]

Require: Connection to A:80 forwarded to Y:80

### Theoretical Solution ###
Packet - [sourceip:port, destip:port]

Packets IN
[any:any, A:80]  fwd/nat  [A:80, X:80]
[A:80, X:80]     fwd/nat  [X:80, Y:80]

Packets OUT
[Y:80, X:80]     fwd/nat  [X:80, A:80]
[X:80, A:80]     fwd/nat  [A:80, any:any]

### Description ###
Hiya,

As you can hopefully see, I'm trying to port forward a connection to an external IP on my BSD box to the internal IP address of a machine that sits behind a wireless router. Please advise as to whether my "Theoretical Solution" is indeed correct for this purpose.

I've been playing around with NATD and IPFW for a while now, and just cannot get it to respond. Assuming my logic is correct, my problem seems to be translating it into the required configs/rules for natd and ipfw.

In an attempt to simplify the problem, I have set apache to run on all the IPs of the BSD box. A telnet to 82.*.*.A 80 gets an index file showing "default", whereas a telnet to 192.168.1.101 80 gets an index file showing "192.168.1.101", the obvious trick being to get a telnet to 82.*.*.A to display "192.168.1.101". As this is failing badly too, I assume I am doing something really wrong.

As you will see, I have a /29 external subnet but we're only really interested in 82.*.*.A

rl0 -> external NIC going to ADSL Router
xl0 -> internal NIC going to Wireless Router

IP Connectivity between all "hosts" is fine

Details are as follows:

FreeBSD 4.10 stable

----- rc.conf -----
defaultrouter="82.*.*.*"
hostname="XXX"
ifconfig_rl0="inet 82.*.*.* netmask 255.255.255.248"
ifconfig_rl0_alias0="inet 82.*.*.A netmask 255.255.255.255"
ifconfig_rl0_alias1="inet 82.*.*.* netmask 255.255.255.255"
ifconfig_rl0_alias2="inet alias 82.*.*.* netmask 255.255.255.255"
ifconfig_xl0="inet 192.168.1.101 netmask 255.255.255.0"
ifconfig_xl0_alias0="inet 192.168.1.111 netmask 255.255.255.255"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
portmap_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules/default"
firewall_quiet="NO"

----- natd.conf -----
interface rl0
same_ports yes
redirect_port tcp 192.168.1.101:80 80

----- KERNEL -----
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFILTER
options IPFILTER_LOG
options IPDIVERT

Cheers for the help!!!
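An ipfw ruleset file of the kind rc.firewall loads when firewall_type names a file, added here as an illustration and not taken from the post or from the poster's /etc/ipfw.rules/default (which the message does not show). It shows where the natd divert rule has to sit for the redirect_port line to see any traffic at all, and narrows what rl0 accepts to the redirected port; rl0, xl0, 82.*.*.A and 192.168.1.101 are the poster's values, the rule numbers are arbitrary.

```ipfw
# Illustrative /etc/ipfw.rules/default for a FreeBSD 4.x box running natd on rl0.
# Each line is an ipfw(8) command without the leading "ipfw"; '#' starts a comment.
# The rc.firewall prototype types add their own divert rule; a custom file does
# not get one, so it must appear here, and before anything that could terminate
# the rule search for a packet crossing rl0.

# 1. Divert first, both directions, so natd sees every packet on rl0.
add 00100 divert natd ip from any to any via rl0

# 2. Loopback and the wireless-side LAN are passed as-is.
add 00200 allow ip from any to any via lo0
add 00300 allow ip from any to any via xl0

# 3. Inbound on rl0. A packet that arrived for 82.*.*.A:80 re-enters the
#    ruleset after the divert already carrying the translated destination,
#    so the match is on 192.168.1.101:80, not on 82.*.*.A.
add 01000 allow tcp from any to 192.168.1.101 80 in via rl0 setup

# 4. Replies and the rest of each connection. 'established' is the stateless
#    flag check used by rc.firewall's own prototypes: it passes any TCP
#    segment that is not a bare SYN, in either direction.
add 01100 allow tcp from any to any established

# 5. Unsolicited TCP connection attempts from outside are refused and logged.
#    'log' only writes anything when the kernel has options IPFIREWALL_VERBOSE,
#    which the posted kernel config lacks; the deny itself still applies.
add 09000 deny log tcp from any to any in via rl0 setup

# 6. Everything else (UDP, ICMP, the box's own outbound traffic) falls through
#    to the accept default chosen by IPFIREWALL_DEFAULT_TO_ACCEPT.

# Note on the end goal (Y = 192.168.1.100): changing the natd.conf redirect to
# that host works at this layer, but the diagram routes WEB -> WL -> DSL, so
# Y's replies would leave through the wireless router with source B rather
# than back through rl0 as A. That is a routing question on Y, not an ipfw one.
```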