From: Nick Rogness
To: Vikash Badal
Cc: freebsd-questions@FreeBSD.ORG
Date: Mon, 27 Jan 2003 19:35:45 -0700 (MST)
Subject: Re: Source nat question (ipfw and natd)
In-Reply-To: <002001c2c515$f5b72200$4b0a0a0a@my.domain>
Message-ID: <20030127191911.F64691-100000@skywalker.rogness.net>

On Sun, 26 Jan 2003, Vikash Badal wrote:

> > > I currently have a box (4.7p3) that I want to connect to four different
> > > networks. According to the man page I can only NAT on one interface using
> > > natd.
> > >
> > > My current natd.conf is as follows:
> > > --------------------------------------------------------------------------
> > > redirect_address 10.136.236.18 192.168.28.61
> > > redirect_address 10.136.236.20 192.168.20.47
> > > redirect_address 10.136.236.19 192.167.11.47
> > > --------------------------------------------------------------------------
> > >
> > > When I add the following mapping:
> > > redirect_address 10.136.236.18 192.168.15.47
> > >
> > > the source address for connections to 192.168.15.0/24 is 192.168.25.61.
> > > Is there any way I can set up natd and ipfw so that if packets are
> > > destined for 192.168.15.0/24 then the source address should be
> > > 192.168.15.47?

I'm still not sure what you are trying to accomplish here. You talk about
the source address for connections to 192.168.15.0/24... from where? From
the 192.168.X.X network? If so, you can run a separate copy of natd in
-reverse mode and an alias address to translate the source address. It
becomes tricky to do, but it might be what you want.

What are you trying to accomplish? It sounds like you want the -reverse
option for NAT, but I don't know what machines are where, how your network
is laid out, and how traffic flows across the BSD machine. Do you want all
machines on the 192.168.X.X network (connected via vx0) to hit the
10.136.X.X network with the same source address always? Please clarify.

Also, comments below:

> I made a typo in the original mail:
> ===> redirect_address 10.136.236.19 192.167.11.47
> should be redirect_address 10.136.236.19 192.168.21.47
>
> configs:
>
> rc.conf:
> ============
> kern_securelevel_enable="NO"
> nfs_reserved_port_only="YES"
> sendmail_enable="NONE"
> sshd_enable="YES"
> inetd_enable="NO"
> portmap_enable="NO"
> gateway_enable="YES"
> ntpdate_flags="10.131.156.5"
> ntpdate_enable="YES"
> natd_enable="YES"
> natd_interface="vx0"
> natd_flags="-config /etc/natd.conf"
> hostname="nwest-fw.natis.natis"
> ifconfig_xl0="inet 10.136.236.5 netmask 255.255.255.0"
> ifconfig_vx0="inet 192.168.28.61 netmask 255.255.240.0"
> ifconfig_vx0_alias0="inet 192.168.15.57 netmask 255.255.255.0"
> defaultrouter="10.136.236.1"
> firewall_enable="YES"
> firewall_type="natis"
> firewall_quiet="YES"
> ====================

With your default gateway 10.136.236.1, I hope that the machines on the
10.136 network know how to reach the 192 network.

> nwest-fw# ipfw -a l
> 00050 0 0 divert 8668 ip from any to any via vx0
> 00100 32 2000 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 check-state

[SNIP]

Why are you running stateful inspection intermixed with NAT? That is a bad
combination.

> ================
> nwest-fw# cat /etc/natd.conf
> redirect_address 10.136.236.18 192.168.28.61
> redirect_address 10.136.236.20 192.168.20.47
> redirect_address 10.136.236.19 192.168.21.47
> redirect_address 10.136.236.18 192.168.15.47

So do these translations work? The only way to test them is from the
192.168 network. Also, 192.168.15.47?? But the vx0 interface is set up
with IP 192.168.15.57?

Nick Rogness

- How many people here have telekinetic powers? Raise my hand.
  -Emo Philips
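Two of the problems Nick picks out above are mechanical: a public address in natd.conf (192.168.15.47) that is not configured on the natd interface (which carries 192.168.15.57), and the same local address (10.136.236.18) appearing in two redirect_address lines, where the first line is the one that took effect. The following script is an added example, not code from the thread or from the FreeBSD project: it parses an rc.conf and a natd.conf in the quoted formats and reports those two inconsistencies before the configuration is loaded. It assumes the natd(8) `redirect_address localIP publicIP` syntax shown in the thread, and the sample inputs are constructed from the configs quoted above (with the closing quote on the alias line supplied).

```python
import re

# Constructed sample input: the rc.conf and natd.conf quoted in the thread.
RC_CONF = """\
natd_enable="YES"
natd_interface="vx0"
natd_flags="-config /etc/natd.conf"
ifconfig_xl0="inet 10.136.236.5 netmask 255.255.255.0"
ifconfig_vx0="inet 192.168.28.61 netmask 255.255.240.0"
ifconfig_vx0_alias0="inet 192.168.15.57 netmask 255.255.255.0"
defaultrouter="10.136.236.1"
"""

NATD_CONF = """\
redirect_address 10.136.236.18 192.168.28.61
redirect_address 10.136.236.20 192.168.20.47
redirect_address 10.136.236.19 192.168.21.47
redirect_address 10.136.236.18 192.168.15.47
"""


def parse_rc_conf(text):
    """Return rc.conf variables as a dict of unquoted string values."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def interface_addresses(rc, ifname):
    """Primary and alias IPv4 addresses configured on ifname, in rc.conf order."""
    addrs = []
    for key, value in rc.items():
        if key == f"ifconfig_{ifname}" or key.startswith(f"ifconfig_{ifname}_alias"):
            m = re.search(r"\binet\s+(\d+\.\d+\.\d+\.\d+)", value)
            if m:
                addrs.append(m.group(1))
    return addrs


def parse_redirects(text):
    """(localIP, publicIP) pairs from redirect_address lines, in file order."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "redirect_address":
            pairs.append((parts[1], parts[2]))
    return pairs


def lint(rc_text, natd_text):
    """Report public addresses missing from the natd interface and shadowed
    duplicate local addresses; returns a list of human-readable problems."""
    rc = parse_rc_conf(rc_text)
    problems = []
    ifname = rc.get("natd_interface")
    if not ifname:
        problems.append("natd_interface is not set in rc.conf")
        return problems
    configured = set(interface_addresses(rc, ifname))
    first_mapping = {}  # localIP -> the publicIP that the first matching line set
    for local, public in parse_redirects(natd_text):
        if public not in configured:
            problems.append(
                f"{public} is not configured on {ifname} "
                f"(interface has {sorted(configured)})"
            )
        if local in first_mapping:
            problems.append(
                f"{local} is already mapped to {first_mapping[local]}; "
                f"the later mapping to {public} is shadowed"
            )
        else:
            first_mapping[local] = public
    return problems


if __name__ == "__main__":
    for problem in lint(RC_CONF, NATD_CONF):
        print("WARNING:", problem)
```

Run against the quoted configuration it flags four lines: three public addresses that no ifconfig_vx0 entry carries, and the second 10.136.236.18 mapping that is shadowed by the first, which is exactly the symptom Vikash describes (connections to 192.168.15.0/24 still leaving with the first mapping's source address).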