Date:      Tue, 12 Nov 2002 16:27:26 +0100 (CET)
From:      Fabrizio Ravazzini <freefabri@yahoo.it>
To:        Alexandre Kardanev <Alexandre.Kardanev@ihep.su>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: two natd connections
Message-ID:  <20021112152726.15543.qmail@web20102.mail.yahoo.com>
In-Reply-To: <Pine.OSF.4.21.0211111826410.39747-100000@Sirius.ihep.su>


Hello, thanks, we have managed to run the second copy of natd:
natd -interface fxp1 -port 8669
without errors, but if we try to ping the DMZ from a client there is
still no route.
Also the traceroute dies on the gateway.
From the gateway to the DMZ there is a route, because we can ping from it.
Any other help? Perhaps we have to enable IPFIREWALL_FORWARDING in the
kernel and add some ipfw fwd rules in /etc/rc.firewall?
Or any other tricks?

--- Alexandre Kardanev <Alexandre.Kardanev@ihep.su> wrote:
> On Mon, 11 Nov 2002, Fabrizio Ravazzini wrote:
> 
> > Hello, I've added those two lines in rc.firewall as you told:
> > ipfw 53 add divert 8669 ip from 192.168.1.0/24 to 195.223.20.100 via fxp1
> > ipfw 55 add divert 8669 ip from 195.223.20.100 to any via fxp1
> > 
> > The 195.223.20.100 is the fxp1, but now if we start the natd as:
> > natd -i fxp1 -p 8669
> > 
> Sorry...  Remembering tcpdump, I just shortened "-interface" to "-i",
> not to "-n".
> Right command - natd -n fxp1 -p 8669
> or natd -interface fxp1 -port 8669
> 
> 
> > we have the error:
> > natd:unknown service fxp1 / divert
> > 
> > Any other help/ideas?
> > 
> > 
> > 
> > --- Alexandre Kardanev <Alexandre.Kardanev@ihep.su> wrote:
> > > On Mon, 11 Nov 2002, Alexandre Kardanev wrote:
> > > 
> > > > Hi!
> > > > On Mon, 11 Nov 2002, Fabrizio Ravazzini wrote:
> > > > 
> > > > > Hello and thanks for the reply, I think the best for us is the
> > > > > solution 4), I've seen the natd man but I'm still confused.
> > > > > Is the -port for redirecting only some ports like 23,80 etc, or
> > > > > can I redirect all traffic to that network segment?
> > > > 
> > > > I have no examples but you can use something like this:
> > > > 
> > > > natd -i fxp1 -p 8669
> > > > (By default, natd connects to the 8668/divert socket, it's already
> > > > busy so we have to change it to something else)
> > > > 
> > > > ipfw 53 add divert 8669 ip from 192.168.1.0/24 to 195.223.20.0/24 via fxp1
> > > 
> > > Sorry, the next string has an error, so it should be read as
> > > ipfw 53 add divert 8669 ip from 195.223.20.0/24 to any via fxp1
> > > 
> > > > ipfw 53 add divert 8669 ip from 195.223.20.0/24 to 192.168.1.0/24 via fxp1
> > >                                                      ^^^^^^^^^^^^^^
> > > > (Divert all packets between LAN and DMZ)
> > > > 
> > > > > Or have you any examples?
> > > > > Thanks 
> > > > > --- Alexandre Kardanev <Alexandre.Kardanev@ihep.su> wrote:
> > > > > > Hi!
> > > > > > 
> > > > > > On Mon, 11 Nov 2002, Fabrizio Ravazzini wrote:
> > > > > > 
> > > > > > > Hello all, I'll go straight to the problem.
> > > > > > > Network diagram:
> > > > > > >                  ____________
> > > > > > > ADSL   adsl      |   fbsd   |192.168.1.1
> > > > > > > ISP---router-----|ed0-GW-fxp0|----------LAN
> > > > > > >          10.0.0.1|___|fxp1___|        192.168.1.x
> > > > > > >                      |195.
> > > > > > >                      |223.20.100
> > > > > > >                      |_______
> > > > > > >                              |
> > > > > > > HDSL(2Mb)  Router   fbsd    DMZ
> > > > > > > ISP--------cisco----bridge--HUB-------DMZ Servers
> > > > > > >         195.223.20.1 
> > > > > > > 
> > > > > > > The fbsd gateway is configured as a natd machine
> > > > > > > /etc/rc.conf:
> > > > > > >     gateway_enable="YES"
> > > > > > >     firewall_enable="YES"
> > > > > > >     firewall_type="OPEN"
> > > > > > >     natd_enable="YES"
> > > > > > >     natd_interface="ed0"
> > > > > > >     natd_flags=""
> > > > > > > 
> > > > > > > /etc/rc.firewall:
> > > > > > >     case ${firewall_type} in
> > > > > > >     [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
> > > > > > >     case ${natd_enable} in
> > > > > > >     [Yy][Ee][Ss])
> > > > > > >         if [ -n "${natd_interface}" ]; then
> > > > > > >             ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
> > > > > > >         fi
> > > > > > >         ;;
> > > > > > >     esac
> > > > > > >     esac
> > > > > > > 
> > > > > > There are many solutions, and the simplest are:
> > > > > > 1) add "ip route 192.168.1.0 255.255.255.0 195.223.20.100" on
> > > > > >    the Cisco in "config" mode and remove the second natd.
> > > > > > 2) configure a dynamic routing protocol (RIP, OSPF) on the
> > > > > >    Cisco, fbsd and maybe on the DMZ computers. Remove the
> > > > > >    second natd.
> > > > > > 3) add a static route to the LAN on the DMZ computers. Remove
> > > > > >    the second natd.
> > > > > > 4) "man natd" about "-port", to use another divert socket for
> > > > > >    the second natd. Install the second natd through a
> > > > > >    self-written /usr/local/etc/rc.d/natd.sh script.
> > > > > > 
> > > > > > 
> > > > > > > We have installed the new cable from the gateway (fxp1) to
> > > > > > > the DMZ hub so that if a client on the LAN wants to go to
> > > > > > > some DMZ servers they don't go through the slow ADSL line
> > > > > > > but are routed directly to the DMZ hub to reach the servers.
> > > > > > > This also because the HDSL line (2MB) is cost effective.
> > > > > > > The gateway is a FreeBSD 4.5, and works well to route the
> > > > > > > traffic from the LAN to the internet, especially for
> > > > > > > http-traffic.
> > > > > > > The real problem is that the new link to reach the DMZ
> > > > > > > internally (Gw-fxp1--->DMZ Hub) doesn't work at all.
> > > > > > > If I do a netstat -rn on the gateway machine I can see the
> > > > > > > routes to reach the DMZ, and if I ping from the GW, for
> > > > > > > example 195.223.20.4, it works well.
> > > > > > > But from a LAN client it doesn't.
> > > > > > > To solve the problem we tried to run on the GW:
> > > > > > > natd -interface fxp1
> 
=== message truncated === 
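The two ipfw divert rule sets quoted in this thread do not catch the same packets. As an added example (not code from any of the thread's participants), the following Python models ipfw's first-match evaluation for the addresses in the thread: the rule set keyed on 195.223.20.100 only diverts packets addressed to the gateway's own fxp1 address, while the 195.223.20.0/24 rule set also covers packets to the DMZ servers. The LAN client address 192.168.1.10 is a constructed value, and the matcher is a simplified model that handles only the from/to/via fields used in the thread.

```python
import ipaddress
import re

# Accepts the "ipfw 53 add ..." form written in the thread as well as the
# usual "ipfw add 53 ..." ordering. Only the fields the thread uses are modelled.
RULE_RE = re.compile(
    r"ipfw\s+(?:(\d+)\s+add|add\s+(\d+))\s+(divert\s+\d+|allow|deny)\s+"
    r"ip\s+from\s+(\S+)\s+to\s+(\S+)\s+via\s+(\S+)")


def parse_rule(line):
    """Return (number, action, src, dst, iface) for one ipfw rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % line)
    num = int(m.group(1) or m.group(2))
    return (num, m.group(3), m.group(4), m.group(5), m.group(6))


def addr_matches(spec, addr):
    """'any' matches everything; a bare host address is treated as a /32."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, src, dst, iface):
    """ipfw semantics: rules are tried in ascending number order and the
    first rule whose addresses and interface all match decides the packet."""
    for _num, action, s, d, via in sorted(rules, key=lambda r: r[0]):
        if via == iface and addr_matches(s, src) and addr_matches(d, dst):
            return action
    return None


# Rule set from the later message: divert only traffic to/from the
# gateway's own fxp1 address, 195.223.20.100.
RULES_GATEWAY_ADDR_ONLY = [parse_rule(l) for l in (
    "ipfw 53 add divert 8669 ip from 192.168.1.0/24 to 195.223.20.100 via fxp1",
    "ipfw 55 add divert 8669 ip from 195.223.20.100 to any via fxp1",
)]

# Rule set from the earlier message: divert traffic to/from the whole DMZ /24.
RULES_WHOLE_DMZ = [parse_rule(l) for l in (
    "ipfw 53 add divert 8669 ip from 192.168.1.0/24 to 195.223.20.0/24 via fxp1",
    "ipfw 53 add divert 8669 ip from 195.223.20.0/24 to any via fxp1",
)]


def lan_to_dmz_server(rules, client="192.168.1.10", server="195.223.20.4"):
    """Fate of a LAN client's packet to the DMZ server pinged in the thread
    as it leaves fxp1. The client address is a constructed example value."""
    return first_match(rules, client, server, "fxp1")
```

A None result means the packet leaves fxp1 untouched by natd, still carrying its private 192.168.1.x source.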
