Date:      Tue, 25 Jul 2000 17:05:53 +0200 (MEST)
From:      Sven Anderson <sanders@maelstrom.anderson.de>
To:        freebsd-net@freebsd.org
Subject:   no static NAT for router itself?
Message-ID:  <Pine.LNX.4.21.0007251537170.11491-100000@maelstrom.anderson.de>

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

I have a problem with my static NAT setup:

isn't it possible that connections originating from the router itself
to the external IPs are also correctly NATed to the internal IPs?

First the setup-details:

stoffel:~ # uname -r
2.2.8-RELEASE

stoffel:~ # ifconfig -a
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 134.76.25.223 netmask 0xffffff00 broadcast 134.76.25.255
        inet 134.76.25.224 netmask 0xffffffff broadcast 134.76.25.224
        inet 134.76.25.225 netmask 0xffffffff broadcast 134.76.25.225
        ether 00:00:b4:98:58:12 
de0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 172.27.10.254 netmask 0xffff0000 broadcast 172.27.255.255
        ether 00:80:c8:44:14:d7 
        media: autoselect (100baseTX <full-duplex>) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX
10baseT/UTP <full-duplex> 10baseT/UTP
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000 

stoffel:~ # cat /etc/nat.conf
unregistered_only yes
#deny_incoming yes
use_sockets yes
same_ports yes
#log yes
redirect_address 172.27.7.23 134.76.25.224
redirect_address 172.27.14.38 134.76.25.225

stoffel:~ # ps ax | grep natd
  143  ??  Rs     0:26.80 natd -f /etc/nat.conf -n ed1

stoffel:~ # ipfw list
00050 allow ip from any to 127.0.0.1 via lo0
00051 allow ip from any to 172.27.10.254 via lo0
00052 allow ip from any to 134.76.25.223 via lo0
00100 divert 8668 ip from any to any
00150 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any

stoffel:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            134.76.25.254      UGSc        6    26210       ed1
127.0.0.1          127.0.0.1          UH          1        6       lo0
134.76.25/24       link#1             UC          0        0 
134.76.25.224/32   link#1             UC          0        0 
134.76.25.225/32   link#1             UC          0        0 
134.76.25.254      0:80:3e:87:9a:e4   UHLW        5        0       ed1 1199
172.16/12          172.27.7.23        UGSc        0        0       de0
172.27             link#2             UC          0        0 
[...]

What works:

Connections to the external IPs (134.76.25.224/225) work fine from the
external and internal net and are NATed correctly to the corresponding
internal IPs (172.27.x.y), and the masquerading for all the other internal
IPs to 134.76.25.223 also works great.

What does not work:

Packets originating from the router to one of the external aliased IPs,
e.g. 134.76.25.224, are NATed correctly to the internal IP 172.27.7.23,
BUT the source address of the packet is not 134.76.25.223 (the router) as
it should be but 134.76.25.224 (the NAT alias)! If I look at the netmask
of the alias interface this is actually correct, because the netmask fits
exactly 134.76.25.224, so that the source address is set to the IP of
the interface, which is the same IP. To prevent this, a netmask that
never matches would be needed.

Well, so I assumed that defining the external IPs as alias interfaces is
not the right way to do static NAT (btw: why is there no HOWTO for this,
is static NAT really used so seldom?). So I tried catching the external
IPs with proxy-arp entries and setting a special route for the external
IPs. I tried all routes I could imagine, but with none of them did the NAT
work for connections from the router to the external IPs (as described
above). If I set the route to lo0, the destination is NATed correctly, but
the source is set to 127.0.0.1, and if I set the route to de0 (the
internal interface), the source address is correct (172.27.10.254) but the
destination isn't NATed; neither of which works, of course.

I'm surprised that this behavior isn't mentioned anywhere (ML archives,
FAQs, ...), because this should concern anybody who has a combined
router/server which needs to connect to the internal hosts by their
external IP (because of DNS entries, for example).

Thanks for any hints!

	Sven

- -- 
_mailto:sven@anderson.de _tel:+49-551-9969285 _tel:+49-179-4939223
_http://tuttle.home.pages.de         _irc://IRCNet/tuttle,isnick
    "Drive crazy whatever drives you crazy!" (Blumfeld)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: latin1

iQCVAwUBOX2s1wc0fSHyIVytAQFU9QP+KGv93n3rCma/o3dN+pW0RfEYq9tlCbap
E9WVy8dq1kosI8hqSZikaHUe+1tzuqz1etasOXh0g5bAdu5fdPD0QpDbLEBGNKaU
cHpDoX7gTCNiYMJ1SJk7dR+sg9DcbvZ0mhJ6I0/jOsxOtltqMJn2dkkX8A7znfF/
lnZ1vlXm6CM=
=xdjb
-----END PGP SIGNATURE-----
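The following is an added example, not part of Sven's post and not FreeBSD's own natd or kernel code. It is a small Python model of the two mechanisms the post combines: source-address selection for a packet the router itself originates (longest-prefix match against the directly connected networks, so the /32 alias matches itself), and natd's redirect_address / unregistered_only translation. The sample input is the ifconfig and nat.conf output quoted above; the external address 198.51.100.7 is a constructed value, and the natd behaviour is deliberately simplified (only the address rewrites relevant to the post are modelled, not ports or state). Running it reproduces the observed result: a router-originated packet to 134.76.25.224 ends up with source 134.76.25.224, not 134.76.25.223.

```python
import ipaddress
import re

# Constructed sample input: the ifconfig -a and nat.conf output from the post,
# trimmed to the lines this model reads.
IFCONFIG_OUTPUT = """\
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 134.76.25.223 netmask 0xffffff00 broadcast 134.76.25.255
        inet 134.76.25.224 netmask 0xffffffff broadcast 134.76.25.224
        inet 134.76.25.225 netmask 0xffffffff broadcast 134.76.25.225
de0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 172.27.10.254 netmask 0xffff0000 broadcast 172.27.255.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

NAT_CONF = """\
unregistered_only yes
use_sockets yes
same_ports yes
redirect_address 172.27.7.23 134.76.25.224
redirect_address 172.27.14.38 134.76.25.225
"""

NATD_INTERFACE = "ed1"       # natd was started with -n ed1 (also the default route)
INTERNAL_INTERFACE = "de0"   # the internal LAN side


def parse_ifconfig(text):
    """Return [(ifname, IPv4Interface), ...] from ifconfig -a output.
    Addresses are kept in listing order, so the first entry per interface
    is its primary address; the hex netmask is assumed to be contiguous."""
    result, ifname = [], None
    for line in text.splitlines():
        m = re.match(r"^(\w+): flags=", line)
        if m:
            ifname = m.group(1)
            continue
        m = re.match(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]+)", line)
        if m and ifname:
            prefix = bin(int(m.group(2), 16)).count("1")
            result.append((ifname, ipaddress.ip_interface(f"{m.group(1)}/{prefix}")))
    return result


def parse_redirects(text):
    """Return {public_alias: internal_host} from redirect_address lines."""
    redirects = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "redirect_address":
            redirects[parts[2]] = parts[1]
    return redirects


def interface_addresses(addrs, ifname):
    return [iface for name, iface in addrs if name == ifname]


def select_source(addrs, dst):
    """Model of source-address selection for a locally originated packet:
    the directly connected network with the longest prefix containing dst
    supplies the source address; otherwise the primary address of the
    default-route interface is used. A /32 alias matches itself, which is
    exactly the effect described in the post."""
    dst = ipaddress.ip_address(dst)
    best = None
    for _, iface in addrs:
        if dst in iface.network and (best is None or iface.network.prefixlen > best.network.prefixlen):
            best = iface
    if best is None:
        best = interface_addresses(addrs, NATD_INTERFACE)[0]
    return str(best.ip)


def natd_translate(src, dst, redirects, addrs):
    """Simplified model of natd with redirect_address and unregistered_only:
    a destination that is a public alias is rewritten to its internal host,
    and a private (unregistered) source leaving toward a non-internal
    destination is rewritten to its static alias if it has one, else to the
    primary address of the natd interface (masquerading)."""
    dst = redirects.get(dst, dst)
    internal_net = interface_addresses(addrs, INTERNAL_INTERFACE)[0].network
    if ipaddress.ip_address(src).is_private and ipaddress.ip_address(dst) not in internal_net:
        alias_of = {internal: public for public, internal in redirects.items()}
        src = alias_of.get(src, str(interface_addresses(addrs, NATD_INTERFACE)[0].ip))
    return src, dst


def router_originated(dst):
    """(src, dst) as seen after natd for a packet the router itself sends."""
    addrs, redirects = parse_ifconfig(IFCONFIG_OUTPUT), parse_redirects(NAT_CONF)
    return natd_translate(select_source(addrs, dst), dst, redirects, addrs)


def internal_originated(src, dst):
    """(src, dst) as seen after natd for a packet from an internal host."""
    addrs, redirects = parse_ifconfig(IFCONFIG_OUTPUT), parse_redirects(NAT_CONF)
    return natd_translate(src, dst, redirects, addrs)


if __name__ == "__main__":
    print("router -> alias:   ", router_originated("134.76.25.224"))   # src is the alias, the reported problem
    print("router -> internet:", router_originated("198.51.100.7"))
    print("static host out:   ", internal_originated("172.27.7.23", "198.51.100.7"))
    print("masqueraded out:   ", internal_originated("172.27.3.4", "198.51.100.7"))
```

The first line of output is the case the post complains about: the /32 alias wins the longest-prefix match, so the router sources the packet from 134.76.25.224 even though natd then rewrites the destination to 172.27.7.23. The remaining lines show the cases the post reports as working (static alias and masquerading for outbound traffic), which the same model reproduces.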






