From owner-freebsd-hackers@FreeBSD.ORG Fri Jul 25 10:49:40 2003
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 72E7C37B401 for ; Fri, 25 Jul 2003 10:49:40 -0700 (PDT)
Received: from pgh.nepinc.com (pgh.nepinc.com [66.207.129.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 97C2443F3F for ; Fri, 25 Jul 2003 10:49:39 -0700 (PDT) (envelope-from durham@jcdurham.com)
Received: from jimslaptop.pitt.nepinc.com (jimslaptop.pitt.nepinc.com [192.100.100.107]) by pgh.nepinc.com (8.11.4/8.11.3) with ESMTP id h6PHneu90692 for ; Fri, 25 Jul 2003 13:49:40 -0400 (EDT) (envelope-from durham@jcdurham.com)
From: Jim Durham
Organization: JC Durham Consulting
To: freebsd-hackers@freebsd.org
Date: Fri, 25 Jul 2003 13:49:38 -0400
User-Agent: KMail/1.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200307251349.38413.durham@jcdurham.com>
Subject: NATD and Address Redirection
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: durham@jcdurham.com
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 25 Jul 2003 17:49:40 -0000

I'm wondering about the characteristics of the redirect_address option of natd. I tried this on -questions, but no one replied, so I thought I'd ask on here, hoping to find folks more familiar with kernel mechanisms here.

Consider a FreeBSD NAT "gateway" between a public IP on one network interface and a private "LAN" address on the 2nd interface serving a group of Windows machines on the LAN with private IPs. We wanted to allow outside access to one of the LAN machines.

According to the documentation, as I read it, redirect_address sets up a "static NAT" which is symmetrical between a public address on the outside interface of a FreeBSD machine and a machine on a private IP attached to the "inside" or "LAN" network interface.

The procedure we used was to alias a 2nd public address to the outside interface and use a redirect_address statement in natd.conf to redirect connections to the new public IP to the inside machine.

This doesn't seem to be symmetrical. You can ping the inside machine from outside using the new address, and if you connect outwards from the inside machine, the outside world sees the connection as coming from the new public IP. However, a test running VNC server on the inside machine and connecting from outside does not work. You can connect to the inside machine and it sees mouse and keyboard, but the virtual screen does not work. It seems that the connection works properly redirecting inward but not outward. VNC disconnects in about a minute.

If you connect to the inside machine using the -via option of VNC to build an encrypted tunnel to the FreeBSD gateway and then connect to the inside machine directly, it works properly, so it doesn't appear to be a VNC problem.

I'm questioning whether the connection is really symmetrical?

-Jim
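The setup the post describes (a second public address aliased onto the outside interface, natd doing a static one-to-one mapping to the inside host, ipfw diverting traffic through natd), written out as an added configuration example; this is not the poster's own configuration. Interface names (fxp0 outside, fxp1 inside) and all addresses are assumed placeholders from the documentation ranges.

```conf
# /etc/rc.conf (added example; fxp0 = outside, fxp1 = inside are assumptions)
gateway_enable="YES"                       # forward packets between interfaces
ifconfig_fxp0="inet 203.0.113.2 netmask 255.255.255.0"
# Second public address aliased onto the outside interface; /32 netmask
# because it lives on the same subnet as the primary address.
ifconfig_fxp0_alias0="inet 203.0.113.5 netmask 255.255.255.255"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"
# rc.firewall inserts the "divert natd ... via $natd_interface" rule itself
# when natd_enable is YES; the kernel needs IPFIREWALL and IPDIVERT.
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf (added example)
interface fxp0
# Static one-to-one mapping: inside host <-> aliased public address.
# Syntax is "redirect_address localIP publicIP"; every port on the public
# address is mapped, not just the service you intend to expose.
redirect_address 192.168.1.10 203.0.113.5
```

Because redirect_address maps all ports, the inside host is reachable on 203.0.113.5 for anything it listens on; restrict inbound traffic to the needed ports with ipfw rules placed after the divert rule, where packets already carry the translated inside address.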