From owner-freebsd-questions Mon Oct 2 16:25:25 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from gloworm.Stanford.EDU (gloworm.Stanford.EDU [171.64.99.46]) by hub.freebsd.org (Postfix) with ESMTP id 99FBB37B502 for ; Mon, 2 Oct 2000 16:25:21 -0700 (PDT)
Received: from localhost (yergeau@localhost) by gloworm.Stanford.EDU (8.9.3/8.9.3) with ESMTP id QAA18676; Mon, 2 Oct 2000 16:25:19 -0700 (PDT)
Message-Id: <200010022325.QAA18676@gloworm.Stanford.EDU>
To: freebsd-questions@freebsd.org
Cc: yergeau@gloworm.Stanford.EDU
Subject: NAT, firewall, public and private subnets
Date: Mon, 02 Oct 2000 16:25:19 -0700
From: Dan Yergeau
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I've got a 5 static-IP DSL connection, and I'm wanting to set up a
freebsd-4.1 box with 2 NICs to be the firewall for the public addresses
and a NAT box/firewall for a private net.

For simplicity in discussion, let's call the public address space P.U.B.*
(with netmask 255.255.255.248), the private IP address space p.v.t.* (with
netmask 255.255.255.0; in this case, p=192 and v=168), and the two network
interfaces pvt0 and pub1. The 5 public IP's are P.U.B.19[45678].

I've tried

1) DSL <==> pub1/freebsd/pvt0 <==> switch <==> both public and private

   pub1 is P.U.B.194
   pvt0 is p.v.t.99 (used as the gateway for the public and private machines)
   natd -n pub1

   private address machines worked fine
   public address machines couldn't find the gateway

   I suppose I could add a third NIC and a switch to separate the
   firewalled public and private nets, but it isn't clear how to configure
   the freebsd box to NAT one interface, but not the other.

   I also tried to add a public IP alias on pvt0 (i.e. P.U.B.195) and to
   use that as the gateway for the public IP machines, but wasn't
   successful in getting the internal public IP machines routed to the
   internet.

2) DSL <==> pub1/freebsd/pvt0 <==> switch <==> all machines with private IP

   pub1 is P.U.B.194 with aliases of P.U.B.19[5678]
   pvt0 is p.v.t.99 (used as the gateway for the public and private machines)
   natd -n pub1 -f /etc/natd.conf

   /etc/natd.conf had redirect_address entries for the 4 remaining public
   IP's, mapping each of p.v.t.19[5678] to the equivalent P.U.B.19[5678].

   The only glitch here appeared to be that the freebsd box and private IP
   machines couldn't get through to the public IP of the 4 remaining public
   IP's. I suppose that I could do an internal DNS server to remap
   hostnames to the private IP addresses, but that seems like a hack. I
   also didn't test tapping into AFS/kerberos, which doesn't get along well
   with translated IP addresses.

3) A "no firewall" config

   DSL <==> switch <==> {pvt0,pub1}/freebsd & other public/private machines

   I'd really need to get another switch for this to work correctly (lots
   of "arp: P.U.B.19[45678] is on pub1, but got reply from on pvt0"; and
   private net DHCP is flaky). So, it would really optimally/correctly be

                    <==> other public IP machines
                   /
   DSL <==> switch <==> pub1/freebsd/pvt0 <==> switch#2 <==> private IP machines

   Unfortunately, this setup doesn't stick a firewall between the other
   public machines and the internet.

Any suggestions or pointers to resources that I should look at? The
discussion of routes and gateways in the handbook and manpages doesn't
seem to address the whole picture.

Thanks,
Dan
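The following model, added here and not part of the original message or of natd itself, traces the translation rules of `natd -n pub1 -f /etc/natd.conf` with the redirect_address entries from scenario 2, assuming the usual ipfw divert rule that hands natd only the traffic crossing pub1. The addresses are constructed: 203.0.113.192/29 stands in for P.U.B.*/29 and 192.168.1.0/24 for p.v.t.*; interface names pub1 and pvt0 are the poster's. It shows the inbound 1:1 redirect, the masquerade of other private hosts behind pub1's address, and the glitch the poster describes: a private host addressing P.U.B.195 sends the packet in on pvt0, where no translation happens, and the kernel delivers it locally because P.U.B.195 is an alias on pub1.

```python
"""Trace how natd (scenario 2 of the post) rewrites packets.

Constructed model, not natd's own code: it implements the translation
rules of `natd -n pub1 -f /etc/natd.conf` with redirect_address lines.
Addresses are made up: 203.0.113.192/29 plays P.U.B.*/29 and
192.168.1.0/24 plays p.v.t.*.
"""
from dataclasses import dataclass, replace
import ipaddress

PUBLIC_NET = ipaddress.ip_network("203.0.113.192/29")
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
ALIAS_ADDR = "203.0.113.194"            # pub1's primary address, used by natd -n pub1
PVT_GATEWAY = "192.168.1.99"            # pvt0
# redirect_address p.v.t.19x P.U.B.19x for the four remaining public addresses
REDIRECTS = {f"192.168.1.{h}": f"203.0.113.{h}" for h in (195, 196, 197, 198)}
REVERSE = {pub: priv for priv, pub in REDIRECTS.items()}
# Every address the FreeBSD box answers for itself (pub1 primary + aliases, pvt0)
LOCAL_ADDRS = {ALIAS_ADDR, PVT_GATEWAY, *REDIRECTS.values()}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Natd:
    """State of one natd instance fed by an ipfw divert rule on pub1 (assumed)."""

    def __init__(self):
        self.next_port = 40000           # constructed: real natd uses a larger range
        self.table = {}                  # alias port -> (private src, private sport)

    def _route(self, pkt):
        """Forwarding decision the kernel makes after any inbound translation."""
        if pkt.dst in LOCAL_ADDRS:
            return "local"               # delivered to the box itself, never forwarded
        if ipaddress.ip_address(pkt.dst) in PRIVATE_NET:
            return "pvt0"
        return "pub1"                    # default route towards the DSL side

    def _inbound(self, pkt):
        """Translate a packet that arrived on pub1 (divert fires on pub1 only)."""
        if pkt.dst in REVERSE:                           # static 1:1 mapping
            return replace(pkt, dst=REVERSE[pkt.dst])
        if pkt.dst == ALIAS_ADDR and pkt.dport in self.table:
            src, sport = self.table[pkt.dport]           # reply to a masqueraded flow
            return replace(pkt, dst=src, dport=sport)
        return pkt                                       # unknown flow: left for ipfw to drop

    def _outbound(self, pkt):
        """Translate a packet leaving through pub1."""
        if pkt.src in REDIRECTS:                          # static 1:1 mapping
            return replace(pkt, src=REDIRECTS[pkt.src])
        if ipaddress.ip_address(pkt.src) in PRIVATE_NET:  # masquerade behind pub1's address
            port = self.next_port
            self.next_port += 1
            self.table[port] = (pkt.src, pkt.sport)
            return replace(pkt, src=ALIAS_ADDR, sport=port)
        return pkt

    def forward(self, pkt, in_if):
        """Return (egress, packet) for a packet entering on in_if ('pub1' or 'pvt0')."""
        if in_if == "pub1":
            pkt = self._inbound(pkt)
        egress = self._route(pkt)
        if egress == "pub1":
            pkt = self._outbound(pkt)
        return egress, pkt


if __name__ == "__main__":
    nat = Natd()
    internet = "198.51.100.7"            # constructed remote host
    # Internet -> P.U.B.195 reaches p.v.t.195 through the redirect_address entry
    print(nat.forward(Packet(internet, 4000, "203.0.113.195", 22), "pub1"))
    # p.v.t.50 -> Internet leaves as P.U.B.194 with a rewritten source port
    print(nat.forward(Packet("192.168.1.50", 5000, internet, 80), "pvt0"))
    # The glitch from the post: p.v.t.50 -> P.U.B.195 enters on pvt0, so natd
    # never sees it; the kernel owns P.U.B.195 as a pub1 alias and keeps it.
    print(nat.forward(Packet("192.168.1.50", 5001, "203.0.113.195", 22), "pvt0"))
```

The last case is why an internal DNS view pointing hostnames at the p.v.t.* addresses (the workaround the post mentions) sidesteps the problem: the private hosts then never address the pub1 aliases at all.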