Date: Tue, 04 Jan 2000 12:56:56 -0500
From: "James A. Mutter" <jmutter@commercialmovers.com>
To: freebsd-questions@freebsd.org
Subject: IPNAT - One more time - [More Info This Time]
Message-ID: <38723468.843F85D0@commercialmovers.com>
Sorry about all the posts here, but I've done everything I can think of to get this working. This one is rather lengthy.

Trying to implement a BSD box to do IPNAT for our corporate network. We're doing this because our Ascend P130 isn't exactly up to the task.

/etc/rc.conf

    gateway_enable="YES"
    tcp_extensions="YES"
    firewall_enable="NO"
    router="routed"
    router_flags="-q"
    ifconfig_pn0="inet 192.196.1.10 netmask 255.255.255.0"
    ifconfig_pn0_alias0="inet 204.107.254.XXX netmask 255.255.255.XXX"
    defaultrouter="204.107.254.XXX"

(The defaultrouter is not the address of 'pn0_alias0' - but rather the address of the router.)

/etc/rc.local

    ipf -Fa -f /etc/ipf.rules -E
    ipnat -CF -f /etc/ipnat.rules

/etc/ipf.rules

    pass in from any to any
    pass out from any to any

/etc/ipnat.rules

    map pn0 192.196.0.0/16 -> 204.107.254.XXX/32 portmap tcp/udp 10000:20000
    map pn0 192.196.0.0/16 -> 204.107.254.XXX/32

(In this case the 204.107.254.XXX/32 is the alias address on pn0.)

kernel config

    IPFIREWALL
    IPFIREWALL_VERBOSE
    IPFIREWALL_VERBOSE_LIMIT=100
    IPFIREWALL_DEFAULT_TO_ACCEPT
    IPDIVERT
    IPFILTER
    IPFILTER_LOG
    IPSTEALTH          (for use later)
    TCP_DROP_SYNFIN    (for use later)
    TCP_RESTRICT_RST   (for use later)
    ICMP_BANDLIM

Now, here's where the fun starts:

    $ ping proxy
    PING proxy.XXX.com (192.196.1.10): 56 data bytes
    64 bytes from proxy.XXX.com.XXX.107.204.in-addr.arpa (204.107.254.XXX): icmp_seq=0 ttl=255 time=0ms

You can see - pings go to the internal address - but are spit out the external address. This doesn't seem right to me. This, btw, is with ipnat and ipf running. Turning off ipnat and ipf gets me the expected results (ping the internal address - return from the internal address).

It seems however that the box is routing packets, just as you would expect it to (when I set my PC to use this box as a gateway everything works) - but I can't connect to the proxy (or to the machine from its internal address) and that's not good. I can however connect to the machine from its external address.

Anyhow, it's important that people are able to connect to this machine from the internal interface because it's also hosting our Squid proxy.

What am I missing here?

Thanks again for your help,
Jim
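A check a defender can run against a configuration like the one above, added here as an example and not part of the original post or of IP Filter itself: it parses the `ifconfig_*` lines of rc.conf and the `map` rules of ipnat.rules and reports every map rule whose source network contains an address configured on the very interface the rule is bound to. ipnat applies a map rule to packets leaving the named interface whether they were forwarded or originated by the gateway, so such a rule also rewrites the gateway's own replies to internal hosts, which is exactly the ping symptom shown in the post. The X'd-out octets from the post are replaced with placeholder values from the 203.0.113.0/24 documentation range, and the second, two-interface configuration is constructed for contrast and is an assumption, not something taken from the post.

```python
import ipaddress
import re

# Constructed sample input: the rc.conf and ipnat.rules lines from the post,
# with the X'd-out octets replaced by placeholder values from the
# 203.0.113.0/24 documentation range.
RC_CONF_ONE_NIC = """
gateway_enable="YES"
ifconfig_pn0="inet 192.196.1.10 netmask 255.255.255.0"
ifconfig_pn0_alias0="inet 203.0.113.10 netmask 255.255.255.255"
defaultrouter="203.0.113.1"
"""

IPNAT_RULES_ONE_NIC = """
map pn0 192.196.0.0/16 -> 203.0.113.10/32 portmap tcp/udp 10000:20000
map pn0 192.196.0.0/16 -> 203.0.113.10/32
"""

# Constructed contrast case (an assumption, not from the post): the private
# network lives on a second interface and the map rules are bound only to
# the interface that faces the router.
RC_CONF_TWO_NICS = """
gateway_enable="YES"
ifconfig_xl0="inet 192.196.1.10 netmask 255.255.255.0"
ifconfig_pn0="inet 203.0.113.10 netmask 255.255.255.0"
defaultrouter="203.0.113.1"
"""

IPNAT_RULES_TWO_NICS = """
map pn0 192.196.0.0/16 -> 203.0.113.10/32 portmap tcp/udp 10000:20000
map pn0 192.196.0.0/16 -> 203.0.113.10/32
"""

# ifconfig_<iface>="inet <addr> netmask <mask>" and the _aliasN variant
IFCONFIG_RE = re.compile(
    r'^ifconfig_(?P<iface>[a-z]+\d+)(?:_alias\d+)?='
    r'"inet\s+(?P<addr>\S+)\s+netmask\s+(?P<mask>\S+)"'
)
# map <iface> <src-net> -> <target> [options]
MAP_RE = re.compile(
    r'^map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)(?P<opts>.*)$'
)


def parse_rc_conf(text):
    """Return {iface: [IPv4Interface, ...]} for every ifconfig_* line,
    aliases included."""
    addrs = {}
    for line in text.splitlines():
        m = IFCONFIG_RE.match(line.strip())
        if m:
            iface = ipaddress.IPv4Interface(f"{m['addr']}/{m['mask']}")
            addrs.setdefault(m['iface'], []).append(iface)
    return addrs


def parse_ipnat_rules(text):
    """Return one dict per 'map' rule; other rule types are ignored."""
    rules = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            rules.append({
                'iface': m['iface'],
                'src': ipaddress.IPv4Network(m['src'], strict=False),
                'dst': m['dst'],
                'opts': m['opts'].strip(),
            })
    return rules


def self_nat_findings(addrs, rules):
    """List (iface, own_addr, src_net, target) for every map rule whose
    source network contains an address configured on the rule's own
    interface: the gateway's locally generated packets leaving that
    interface would be rewritten as well as forwarded ones."""
    findings = []
    for rule in rules:
        for own in addrs.get(rule['iface'], []):
            if own.ip in rule['src']:
                findings.append((rule['iface'], str(own.ip),
                                 str(rule['src']), rule['dst']))
    return findings


def check(rc_conf, ipnat_rules):
    """Parse both files and return the findings."""
    return self_nat_findings(parse_rc_conf(rc_conf),
                             parse_ipnat_rules(ipnat_rules))


if __name__ == "__main__":
    cases = (("one NIC + alias", RC_CONF_ONE_NIC, IPNAT_RULES_ONE_NIC),
             ("two NICs", RC_CONF_TWO_NICS, IPNAT_RULES_TWO_NICS))
    for label, rc, nat in cases:
        hits = check(rc, nat)
        print(f"{label}: {len(hits)} rule(s) would rewrite the gateway's own traffic")
        for iface, own, src, dst in hits:
            print(f"  {iface}: own address {own} falls inside map source {src} -> {dst}")
```

On the post's single-interface layout both map rules are flagged, because 192.196.1.10 on pn0 sits inside the 192.196.0.0/16 source network of a rule bound to pn0; on the constructed two-interface layout nothing is flagged, since the only address on pn0 is the public one. The check is deliberately narrow: it reads only `map` rules and IPv4 `ifconfig_*` entries and says nothing about `rdr` rules or the ipf ruleset.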