From: Juergen Heberling <pjah@hicom.net>
To: freebsd-questions@freebsd.org
Date: Mon, 03 Apr 2006 06:59:20 -0400
Subject: Re: ipnat syntax error?
Message-ID: <44310008.7010100@hicom.net>
In-Reply-To: <442FA797.6060307@locolomo.org>

Erik Nørgaard wrote:
>> .. snip ..
>
> Well, my suggestion is not to exhaust your precious /28 address space
> right away. And don't make your life unnecessarily difficult, why choose
> the addresses in the middle for bimap?
>
> Rather than using all your external ip's right away I would save some
> for later expansion, and reserve one for debugging. You may need to
> connect a laptop on the external net to figure out what's going on. You
> could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and
> future expansion (not mapped), x.x.x.12/30 map for lan clients.
>
> If you stick to cidr you can also write your filter rules in cidr making
> it far easier to read and maintain.
>
> For the mapping, and bimapping consider this:
>
> The /24 network you want to map, it contains at most 254 hosts. If you
> map that network to a single ip, then each host can establish at least
> 256 simultaneous connections. My experience is that this is far more than
> needed in most normal operating environments. I'd suggest using the same
> ip as on the firewall external interface.
>
> If the purpose of binatting is to make one service available, http say,
> then you may consider using rdr. IIRC you can also use rdr to round
> robin load balancing incoming connections.
>
> That way you can have one host serving http and another serving smtp on
> the same external ip. The only reason to use different ip's is if you're
> hosting a number of https servers, each needs a different ip.
>
> There's no point in bimapping all ports on an external ip to one single
> internal ip if most of them are blocked by the filter.
>
> Cheers, Erik

Erik,

Thank you again for your advice. Due to historical reasons I cannot just
take a /29 or /30 block out of the middle of the cidr I will ultimately
use -- this FreeBSD server will implement a firewall on an existing
connection replacing an old Cisco router that only NAT'd. So I will see if
things can work with "just" one "map" with portmaps.

Please note that the "-" for the range syntax is documented in several
places, not just the FreeBSD handbook and should probably be fixed.

Thanks again.

Juergen
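An ipnat.conf that lays out the address plan Erik describes above (bimap for a few servers, an unmapped block for debugging and growth, one map with portmap for LAN clients, rdr for published services), added here as an illustration and not part of either message. The addresses (203.0.113.0/28 standing in for x.x.x.0/28, 192.168.1.0/24 for the LAN) and the interface name em0 are assumptions.

```conf
# Constructed example: 203.0.113.0/28 stands in for the x.x.x.0/28 block,
# 192.168.1.0/24 for the internal LAN, em0 is the assumed external interface.

# x.x.x.0/29 -> servers that genuinely need every port forwarded (1:1 bimap).
bimap em0 192.168.1.10/32 -> 203.0.113.1/32
bimap em0 192.168.1.11/32 -> 203.0.113.2/32

# x.x.x.8/30 is deliberately not mapped: one address stays free for a
# laptop on the external segment when debugging, the rest for expansion.

# x.x.x.12/30: LAN clients share a single external address (assumed to be
# the one configured on em0). The port range is written with ':' -- the '-'
# shown in some documentation is the syntax error this thread is about.
# "0/32" would also work here and means "whatever address em0 has now".
map em0 192.168.1.0/24 -> 203.0.113.12/32 portmap tcp/udp 10000:20000
map em0 192.168.1.0/24 -> 203.0.113.12/32

# Publish single services with rdr instead of bimapping a whole address:
# only the ports actually offered are forwarded inside, and http and smtp
# can live on the same external ip while being served by different hosts.
rdr em0 203.0.113.12/32 port 80 -> 192.168.1.20 port 80 tcp
rdr em0 203.0.113.12/32 port 25 -> 192.168.1.21 port 25 tcp

# rdr can also round-robin incoming connections across several hosts.
rdr em0 203.0.113.13/32 port 443 -> 192.168.1.30,192.168.1.31 port 443 tcp round-robin
```

Load it with `ipnat -CF -f /etc/ipnat.conf` and check the active rules with `ipnat -l`; the filter rules (ipf.conf) still decide which of these ports are reachable at all.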