Date: Sat, 20 Jan 2001 00:34:09 -0700 (MST)
From: Nick Rogness
To: Ian Kallen
Cc: freebsd-hackers@freebsd.org
Subject: Re: accessing an outside IP from inside a NAT net

On Fri, 19 Jan 2001, Ian Kallen wrote:

> Well, I've been fiddling with the ipfw syntax, I thought this would do it
> /sbin/ipfw add divert 80 all from 10.0.0.128/25 to 206.169.18.10 via ep0
> but that ain't it.
>
> 10.0.0.128/25 has servers, 10.0.0.0/25 has clients, both gateways
> 10.0.0.1 and 10.0.0.129 run off ep0... yes, I've been reading the ipfw man
> page and the archives, yet even though the two nets can access each other
> directly, I haven't been able to get the clients to access any server
> resources via the 206.169.18.10 nat. Further suggestions?
> thanks,
> -Ian

For the following solution, let's assume that you have 2 logical networks,
10.0.0.0/25 and 10.0.0.128/25, both bound to the inside interface ep0 (which
may or may not be true). Your outside interface we'll call fxp0. Your server's
inside address is 10.0.0.130 and its outside address is 206.169.18.10.

In /etc/new.firewall.rules:

    # Divert outside packets in & out
    ipfw add 100 divert natd ip from any to any via fxp0

    # Divert packets from the 10.0.0.0/25 network to the server going to
    # the public server address
    ipfw add 200 divert natd ip from 10.0.0.0/25 to 206.169.18.10 via ep0

    # Divert packets from the server back to the 10.0.0.0/25 network
    ipfw add 300 divert natd ip from 10.0.0.130/32 to 10.0.0.0/25 via ep0

-----

In /etc/natd.conf:

    use_sockets
    same_ports
    port 8668
    deny_incoming no
    log
    redirect_port tcp 10.0.0.130:80 206.169.18.10:80

-----

You could also run a separate natd, because you may run into problems with the
alias address that natd is using. In this case, a simple rule may do the trick:

    ipfw add 200 divert natd ip from any to any via ep0

Of course, I am making assumptions on how your network is laid out.

Nick Rogness
    - Drive defensively. Buy a tank.
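As an added illustration (not part of Nick's reply and not natd's own code), here is a simplified Python model of the hairpin path that rules 200 and 300 create: a client on 10.0.0.0/25 connects to the public address, rule 200 applies the redirect_port to the server's inside address, and rule 300 undoes that translation on the reply. The gateway address used as a masquerade source (10.0.0.129, GATEWAY_INSIDE) and the client address and port are assumptions, and the flow table is a toy, not natd's algorithm. It shows why the reply must be diverted too: without rule 300 the client sees a reply from 10.0.0.130 that matches no socket it opened.

```python
from dataclasses import dataclass

# Addresses taken from the post's stated assumptions.
SERVER_PUBLIC = "206.169.18.10"   # public address (redirect_port target)
SERVER_INSIDE = "10.0.0.130"      # server's inside address
# Hypothetical: the gateway's own ep0 address, used if natd masquerades.
GATEWAY_INSIDE = "10.0.0.129"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HairpinNat:
    """Toy translation table for the ep0 divert rules (not natd's real code)."""

    def __init__(self, masquerade: bool):
        self.masquerade = masquerade
        self.flows = {}  # (translated src, port) -> original client address

    def client_to_public(self, p: Packet) -> Packet:
        """ipfw rule 200: client -> 206.169.18.10:80, apply redirect_port."""
        if (p.dst, p.dport) != (SERVER_PUBLIC, 80):
            return p
        src = GATEWAY_INSIDE if self.masquerade else p.src
        self.flows[(src, p.sport)] = p.src  # same_ports: client port is kept
        return Packet(src, p.sport, SERVER_INSIDE, 80)

    def server_to_client(self, p: Packet) -> Packet:
        """ipfw rule 300: reply from the server, undo the translation."""
        client = self.flows.get((p.dst, p.dport))
        if client is None or p.src != SERVER_INSIDE:
            return p
        return Packet(SERVER_PUBLIC, 80, client, p.dport)


def run_flow(masquerade: bool, divert_reply: bool) -> bool:
    """True if the reply matches the client's socket to 206.169.18.10:80."""
    nat = HairpinNat(masquerade)
    request = Packet("10.0.0.5", 40000, SERVER_PUBLIC, 80)  # constructed client
    seen_by_server = nat.client_to_public(request)
    # The server answers whatever it saw; only rule 300 can fix that up.
    reply = Packet(seen_by_server.dst, 80, seen_by_server.src, seen_by_server.sport)
    if divert_reply:
        reply = nat.server_to_client(reply)
    return reply == Packet(SERVER_PUBLIC, 80, request.src, request.sport)
```

Running `run_flow(False, False)` reproduces the broken case; `run_flow(False, True)` is the post's setup, where the reply routes back through the gateway because the two /25 networks are distinct subnets.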