From owner-freebsd-hackers@FreeBSD.ORG Fri Jul 25 22:05:19 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 58A7237B401; Fri, 25 Jul 2003 22:05:19 -0700 (PDT)
Received: from pgh.nepinc.com (pgh.nepinc.com [66.207.129.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 660DE43F85; Fri, 25 Jul 2003 22:05:18 -0700 (PDT) (envelope-from durham@jcdurham.com)
Received: from jimslaptop.home.jcdurham.com (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by pgh.nepinc.com (8.11.4/8.11.3) with ESMTP id h6Q55Cu31882; Sat, 26 Jul 2003 01:05:13 -0400 (EDT) (envelope-from durham@jcdurham.com)
From: Jim Durham
Organization: JC Durham Consulting
To: Clement Laforet
cc: freebsd-hackers@freebsd.org
Date: Sat, 26 Jul 2003 01:05:05 -0400
User-Agent: KMail/1.5.2
References: <200307251349.38413.durham@jcdurham.com> <20030726022205.452c374f.sheepkiller@cultdeadsheep.org>
In-Reply-To: <20030726022205.452c374f.sheepkiller@cultdeadsheep.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200307260105.06263.durham@jcdurham.com>
Subject: Re: NATD and Address Redirection
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: durham@jcdurham.com
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Sat, 26 Jul 2003 05:05:19 -0000

On Friday 25 July 2003 08:22 pm, Clement Laforet wrote:
> On Fri, 25 Jul 2003 13:49:38 -0400
> Jim Durham wrote:
>
> > Hi,
> >
> > I'm wondering about the characteristics of the redirect_address option
> > of natd. I tried this on -questions, but no one replied, so I
> > thought I'd ask on here, hoping to find folks more familiar with
> > kernel mechanisms here.
>
> Except for DIVERT, there aren't any kernel mechanisms for address
> translation.
>
> > Consider a FreeBSD NAT "gateway" between a public IP on one
> > network interface and a private "LAN" address on the 2nd
> > interface serving a group of Windows machines on the LAN with
> > private IPs.
> >
> > We wanted to allow outside access to one of the LAN machines.
> >
> > According to the documentation, as I read it, redirect_address sets up
> > a "static NAT" which is symmetrical between a public address on
> > the outside interface of a FreeBSD machine and a machine on a
> > private IP attached to the "inside" or "LAN" network interface.
> >
> > The procedure we used was to alias a 2nd public address to the outside
> > interface and use a redirect_address statement in natd.conf to
> > redirect connections to the new public IP to the inside machine.
> >
> > This doesn't seem to be symmetrical.
> >
> > I'm questioning whether the connection is really symmetrical?
>
> For incoming traffic, you must use -redirect_address, but for
> outgoing you have to set -alias_address.

First, thanks much for your reply....

I can add alias_address, but please note that the inside machine
already seems to be getting aliased, at least in some cases. If you
connect to one of those "what's my IP" sites using the browser on the
inside machine, you get the correct answer back. I.e., you get the 2nd
public IP instead of the "main" public IP.

> If you want to use a specific public IP to map incoming AND
> outgoing packets, you need to run 2 natd, using ipfw matching.

Can you point me to some documentation on how this is set up? Google
returns nothing useful.

-Jim
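The two-natd arrangement Clement describes, written out as an added example that is not part of this thread: one natd per public address, each on its own divert port, with ipfw rules that steer the statically mapped host's traffic to its own natd in both directions. The interface name, addresses, divert ports and rule numbers are assumed placeholders; the script only prints the commands, so it can be reviewed before being applied on the gateway.

```shell
#!/bin/sh
# Added example (not from the thread): static bidirectional NAT for one LAN
# host via a dedicated natd, while the rest of the LAN hides behind the
# main public address.  Every value below is an assumed placeholder.

EXT_IF="fxp0"               # assumed outside interface
MAIN_PUB="203.0.113.1"      # assumed main public address (documentation range)
HOST_PUB="203.0.113.2"      # assumed 2nd public address, aliased onto $EXT_IF
HOST_PRIV="192.168.1.10"    # assumed LAN host that should own $HOST_PUB
LAN="192.168.1.0/24"        # assumed LAN prefix
PORT_MAIN=8668              # divert port of the natd for the general LAN
PORT_HOST=8669              # divert port of the natd for the static mapping

# One natd per public address: -p selects the divert port, -a the alias
# (outgoing) address, -redirect_address the inbound static mapping.
natd_cmds() {
    echo "natd -p $PORT_MAIN -a $MAIN_PUB"
    echo "natd -p $PORT_HOST -a $HOST_PUB -redirect_address $HOST_PRIV $HOST_PUB"
}

# Divert rules.  The host-specific rules must precede the catch-all so the
# mapped host's packets never reach the main natd; the usual allow/deny
# rules are expected to follow these numbers.
ipfw_rules() {
    echo "ipfw add 1000 divert $PORT_HOST ip from $HOST_PRIV to any out via $EXT_IF"
    echo "ipfw add 1010 divert $PORT_HOST ip from any to $HOST_PUB in via $EXT_IF"
    echo "ipfw add 1100 divert $PORT_MAIN ip from $LAN to any out via $EXT_IF"
    echo "ipfw add 1110 divert $PORT_MAIN ip from any to $MAIN_PUB in via $EXT_IF"
}

# Dry run: print the commands.  Pipe the output through sh on the gateway
# (with IPDIVERT in the kernel) to apply them.
natd_cmds
ipfw_rules
```

The second natd's -a and -redirect_address both name the same public address, so the mapped host is aliased to it on the way out and reachable through it on the way in.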