Date: Mon, 25 Jan 1999 15:26:53 -0800
From: Ludwig Pummer <ludwigp@bigfoot.com>
To: "David Burger" <david@unet.tm>, "Derek Jewett" <djewett@snowcrest.net>, <questions@FreeBSD.ORG>
Subject: Re: Static NAT
Message-ID: <4.1.19990125151210.00bb4e80@mail-r>
In-Reply-To: <001c01be48b2$dbf1fb80$412a0b0a@470cdt.hctg.saic.com>
At 02:34 PM 1/25/99 , David Burger wrote:
>I am trying to make a setup exactly like yours. You mention a Firewall
>setup to make the communications from the static Nat machine come from the
>proper IP address. Can you tell me how to configure that?

Well, start with the walk-through given by the natd manpage. Make sure natd works for all of the other machines first. Then work from there.

I haven't actually done this completely myself. The way I have it set up, traffic coming in to 11.22.33.44 (see below for explanation of IPs) gets sent to 172.16.1.1, but traffic originating from 172.16.1.1 comes from 11.22.33.43. I'm going to be replacing my firewall system with another in a few weeks, so I'm procrastinating with making any changes in the meantime.

This is assuming you use IPFW and natd. Your current rule in rc.firewall* is probably something like

    $fwcmd add divert natd from any to any via vx0

*This has been changed since 2.2.5, I think. I think after 2.2.5 there is an /etc/rc.conf setting to enable natd. I would disable that and do everything from your rc.firewall, since the rc.conf setting probably wasn't intended for an elaborate setup.

I was thinking of running 2 copies of natd, each listening on a separate outside IP, and then listening on port natd and natd2 (you'd have to add natd2 to your /etc/services). So your rules would become

    $fwcmd add divert natd2 from 172.16.1.1 to any out via vx0
    # this line is needed first, otherwise traffic from this machine would be
    # picked up by the next rule
    $fwcmd add divert natd from any to any out via vx0
    # for all of the other machines on the network
    $fwcmd add divert natd from any to 11.22.33.43 in via vx0
    # the order of this rule and the next doesn't matter. putting this rule
    # first makes sense if more traffic will be coming in to the other
    # machines on your network than to your 172.16.1.1, since packets
    # will match it first
    $fwcmd add divert natd2 from any to 11.22.33.44 in via vx0

172.16.1.1 is the IP of the machine on the inside which is going to get the static NAT traffic. 11.22.33.44 is the outside IP for the static NAT. 11.22.33.43 is the outside IP for the NAT for the whole subnet.

The copy of natd that listens on the natd2 port would have just one rule: static nat from 11.22.33.43 to the inside IP. The other natd would be set up normally, except maybe to tell it to listen only on 11.22.33.43 (although the firewall rule makes that unnecessary).

A disclaimer: I haven't actually tried this out. I'm making this up based on what I understand of firewall rules and nat settings. What I give here is meant to push you in the right direction, not give you an "answer" to implement without understanding.

--Ludwig Pummer ( ludwigp@bigfoot.com )
ICQ UIN: 692441 ( ludwigp@email.com )

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
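As an added illustration of the rule-ordering point made in the mail above (this is not code from the mail or from FreeBSD), the following small simulator applies ipfw's first-match semantics to the four divert rules given there and shows what happens when the two "out" rules are swapped. The divert port numbers (8668 for natd, 8669 for natd2), the outside host address and the helper names are assumptions.

```python
# Added example (not from the mail): a first-match simulator for the divert
# rules above.  Port numbers and helper names are assumptions.
from dataclasses import dataclass

NATD, NATD2 = 8668, 8669  # assumed divert ports for the natd and natd2 services

@dataclass(frozen=True)
class Rule:
    port: int        # divert port this rule hands matching packets to
    src: str         # "any" or an IPv4 address
    dst: str
    direction: str   # "in", "out", or "any" (plain "via" matches both)
    iface: str

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str
    iface: str

def matches(rule, pkt):
    return (rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and rule.direction in ("any", pkt.direction) and rule.iface == pkt.iface)

def divert_port(rules, pkt):
    """First matching rule wins, as in ipfw; None means no divert rule matched."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.port
    return None

# The four rules from the mail, in the order given there.
RULES_MAIL_ORDER = [
    Rule(NATD2, "172.16.1.1", "any", "out", "vx0"),
    Rule(NATD, "any", "any", "out", "vx0"),
    Rule(NATD, "any", "11.22.33.43", "in", "vx0"),
    Rule(NATD2, "any", "11.22.33.44", "in", "vx0"),
]
# The two "out" rules swapped: the mistake the mail's first comment warns about.
RULES_SWAPPED = [RULES_MAIL_ORDER[1], RULES_MAIL_ORDER[0]] + RULES_MAIL_ORDER[2:]

def classify(rules):
    """Map constructed sample packets to the natd instance that would see them."""
    remote = "198.51.100.7"  # constructed outside host
    samples = {
        "static host out": Packet("172.16.1.1", remote, "out", "vx0"),
        "other host out": Packet("172.16.1.9", remote, "out", "vx0"),
        "in to .43": Packet(remote, "11.22.33.43", "in", "vx0"),
        "in to .44": Packet(remote, "11.22.33.44", "in", "vx0"),
    }
    return {name: divert_port(rules, pkt) for name, pkt in samples.items()}
```

With the mail's order, traffic from 172.16.1.1 reaches natd2 and everything else reaches natd; with the "out" rules swapped, the catch-all rule silently takes the static host's traffic too.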