From: Nils Vogels
Date: Sun, 26 Oct 2003 14:01:49 +0100
Subject: Re: Reverse IP NAT to secondary IP address
Cc: freebsd-net@freebsd.org
Message-ID: <3F9BC5BD.2040804@yuckfou.org>
In-Reply-To: <1067144856.121773.17159.nullmailer@cicuta.babolo.ru>
List-Id: Networking and TCP/IP with FreeBSD

"."@babolo.ru wrote:

>> Since I have the internet on the same interface, but on the primary IP
>> instead, would enabling ARP PROXY not fill the ARP table with every host
>> on the internet that tries to contact the gateway?
>
> Are you using a default route?
> If yes, only the default router's MAC is used for every external IP.

OK, great.

>>> No NAT is needed.
>>
>> I just tried this, but unfortunately, the same thing happens as with
>> ipfilter:
>>
>> The primary address of the interface ed0 on the gateway (the public
>> address) is used to forward the arp request.
>>
>> Taken from a dump on the gateway, when attempting telnet:
>>
>> Incoming on rl0:
>> 03:35:05.867883 192.168.0.2.1511 > 192.168.2.2.23: S
>> 1377718084:1377718084(0) win 57344 (DF) [tos 0x10]
>>
>> Outgoing on ed0:
>> 03:35:05.868333 195.0.0.1.15009 > 192.168.2.2.23: S
>> 1377718084:1377718084(0) win 57344 (DF) [tos 0x10]
>
> No NAT is needed.
> Just allow the 192.168.0.2 <-> 192.168.2.2 flow directly,
> not via NAT.

I just changed my ipnat rule to:

  map ed0 from 192.168.0.0/24 ! to 192.168.0.0/16 -> 0/32
  map ed0 from 192.168.0.0/24 ! to 192.168.0.0/16 -> 0/32 portmap tcp/udp 15000:19999

And this is now working. Thanks a bunch! ;-)
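As an added example (not part of the original thread or of IPFilter), a small Python model of the final portmap `map` rule above, showing why the `! to 192.168.0.0/16` exclusion leaves the 192.168.0.2 -> 192.168.2.2 telnet from the dump untranslated while traffic to an Internet host gets the public ed0 address and a source port from the 15000:19999 range. It assumes `0/32` resolves to 195.0.0.1 as seen in the dump; the port allocator and the external destination 198.51.100.7 are constructed stand-ins.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed model of a single ipnat "map" rule; this is not IPFilter's code.
# "0/32" is assumed to resolve to the public ed0 address shown in the dump.
ED0_ADDR = "195.0.0.1"

@dataclass(frozen=True)
class MapRule:
    ifname: str
    src_net: str                        # "from" network
    dst_net: str                        # "to" network
    negate_dst: bool                    # the "!" in front of "to"
    portmap: Optional[Tuple[int, int]]  # (lo, hi) for "portmap tcp/udp lo:hi"

@dataclass(frozen=True)
class Packet:
    out_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def rule_matches(rule: MapRule, pkt: Packet) -> bool:
    if pkt.out_if != rule.ifname or not _in_net(pkt.src, rule.src_net):
        return False
    # "! to" keeps traffic for the excluded networks out of NAT entirely.
    if _in_net(pkt.dst, rule.dst_net) == rule.negate_dst:
        return False
    return rule.portmap is None or pkt.proto in ("tcp", "udp")

def apply_map(rule: MapRule, pkt: Packet, alloc_index: int = 0) -> Packet:
    """Packet as it leaves ed0: rewritten if the rule matches, else untouched."""
    if not rule_matches(rule, pkt):
        return pkt  # forwarded directly, which is what the thread wanted
    sport = pkt.sport
    if rule.portmap:
        lo, hi = rule.portmap
        sport = lo + alloc_index % (hi - lo + 1)  # stand-in for ipnat's port allocator
    return replace(pkt, src=ED0_ADDR, sport=sport)

RULE = MapRule("ed0", "192.168.0.0/24", "192.168.0.0/16", True, (15000, 19999))
INTERNAL = Packet("ed0", "tcp", "192.168.0.2", 1511, "192.168.2.2", 23)  # from the dump
EXTERNAL = Packet("ed0", "tcp", "192.168.0.2", 1512, "198.51.100.7", 80)  # constructed
```

`apply_map(RULE, INTERNAL)` returns the packet unchanged, whereas `apply_map(RULE, EXTERNAL, 9)` rewrites it to 195.0.0.1 with source port 15009.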