Date: Sun, 25 Dec 2005 11:24:55 +0100
From: David DU SERRE TELMON <david@xinus.net>
To: freebsd-questions@freebsd.org
Subject: NATd issue
Message-ID: <43AE7377.603@xinus.net>

Hi,

I have the network below:

    192.168.2.0/23
          |
    192.168.3.454
    FreeBSD
    x.x.x.x           router 1 (dialup)
          |
      Internet
          |
    y.y.y.y
    FreeBSD
    10.0.0.254        router 2
          |
    10.0.0.0/24

Each gateway runs racoon. Each network can go on Internet. VPN is ok.

I would like to NAT packets from 192.168.2.0/23 to 10.0.0.0/24 with IP 192.168.3.254 on router 1 (or 10.0.0.254 if it's possible). VPN interface is gif5 on router 1.

My ipfw rules:

    dialup:~# ipfw show | grep 8670
    00650 4 400 divert 8670 ip from 192.168.2.0/23 to 10.0.0.0/24
    00660 4 400 divert 8670 ip from 10.0.0.0/24

natd in debug mode:

    dialup:~# natd -v -p natd-vpn -interface gif5
    natd[42308]: Aliasing to 192.168.3.254, mtu 1280 bytes
    In  [ICMP] [ICMP] 192.168.3.82 -> 10.0.0.1 8(0) aliased to
               [ICMP] 192.168.3.82 -> 10.0.0.1 8(0)
    Out [ICMP] [ICMP] 10.0.0.1 -> 192.168.3.82 0(0) aliased to
               [ICMP] 10.0.0.1 -> 192.168.3.82 0(0)

gif5 is the VPN tunnel interface:

    dialup:~# ifconfig gif5
    gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet x.x.x.x --> y.y.y.y
            inet 192.168.3.254 --> 10.0.0.254 netmask 0xffffffff

As you can see, packets are not translated with IP 192.168.3.54. Same result with natd -p natd-vpn -a 192.168.3.254.

I think the solution will be with -reverse. When I use it, packets are NATed (ping from 192.168.3.61 to 10.0.0.1):

    dialup:/etc# natd -v -p natd-vpn -reverse -interface gif5
    natd[43271]: Aliasing to 192.168.3.254, mtu 1280 bytes
    In  [ICMP] [ICMP] 192.168.3.61 -> 10.0.0.1 8(0) aliased to
               [ICMP] 192.168.3.254 -> 10.0.0.1 8(0)

tcpdump on remote gateway:

    11:26:44.641090 IP 192.168.3.254 > 10.0.0.1: icmp 64: echo request seq 0
    11:26:44.641240 IP 10.0.0.1 > 192.168.3.254: icmp 64: echo reply seq 0

But I haven't got any reply on the local site (192.168.2.0/23), and I haven't got any packet OUT on natd.

David.

Thanks! Have a nice Christmas!