From: David DU SERRE TELMON <david@xinus.net>
To: freebsd-questions@freebsd.org
Date: Sun, 25 Dec 2005 11:24:55 +0100
Subject: NATd issue

Hi,

I have the network below:

    192.168.2.0/23
          |
    192.168.3.254   FreeBSD router 1 (dialup)
    x.x.x.x
          |
       Internet
          |
    y.y.y.y
    10.0.0.254      FreeBSD router 2
          |
    10.0.0.0/24

Each gateway runs racoon. Each network can reach the Internet. The VPN is OK.
I would like to NAT packets from 192.168.2.0/23 to 10.0.0.0/24 with IP 192.168.3.254 on router 1 (or 10.0.0.254 if that is possible). The VPN interface is gif5 on router 1.

My ipfw rules:

    dialup:~# ipfw show | grep 8670
    00650    4    400 divert 8670 ip from 192.168.2.0/23 to 10.0.0.0/24
    00660    4    400 divert 8670 ip from 10.0.0.0/24

natd in debug mode:

    dialup:~# natd -v -p natd-vpn -interface gif5
    natd[42308]: Aliasing to 192.168.3.254, mtu 1280 bytes
    In  [ICMP] [ICMP] 192.168.3.82 -> 10.0.0.1 8(0) aliased to
               [ICMP] 192.168.3.82 -> 10.0.0.1 8(0)
    Out [ICMP] [ICMP] 10.0.0.1 -> 192.168.3.82 0(0) aliased to
               [ICMP] 10.0.0.1 -> 192.168.3.82 0(0)

gif5 is the VPN tunnel interface:

    dialup:~# ifconfig gif5
    gif5: flags=8051 mtu 1280
            tunnel inet x.x.x.x --> y.y.y.y
            inet 192.168.3.254 --> 10.0.0.254 netmask 0xffffffff

As you can see, the packets are not translated to IP 192.168.3.254. Same result with natd -p natd-vpn -a 192.168.3.254.

I think the solution will be -reverse; when I use it, the packets are NATed (ping from 192.168.3.61 to 10.0.0.1):

    dialup:/etc# natd -v -p natd-vpn -reverse -interface gif5
    natd[43271]: Aliasing to 192.168.3.254, mtu 1280 bytes
    In  [ICMP] [ICMP] 192.168.3.61 -> 10.0.0.1 8(0) aliased to
               [ICMP] 192.168.3.254 -> 10.0.0.1 8(0)

tcpdump on the remote gateway:

    11:26:44.641090 IP 192.168.3.254 > 10.0.0.1: icmp 64: echo request seq 0
    11:26:44.641240 IP 10.0.0.1 > 192.168.3.254: icmp 64: echo reply seq 0

But I don't get any reply on the local site (192.168.2.0/23); I don't get any packet OUT on natd.

David.

Thanks! Have a nice Christmas!
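An added example, not part of David's message or of any reply on the list: an ipfw/natd rule fragment, in the style of a FreeBSD firewall script, that diverts only the traffic crossing the gif tunnel and states the direction on each rule. natd decides between "In" and "Out" from the divert socket: a packet diverted on ipfw's input path (the divert socket reports the receiving interface address) is treated as inbound and only its destination is de-aliased; a packet diverted on the output path (address reported as INADDR_ANY) is treated as outbound and its source is rewritten to the alias address. A divert rule with no "in"/"out via" qualifier therefore matches as soon as a LAN packet enters on the inside interface, which natd logs as "In" and leaves untouched. The interface name gif5, its inner address 192.168.3.254, the networks 192.168.2.0/23 and 10.0.0.0/24 and divert port 8670 are taken from the mail; the rule numbers 600-620, the variable names and the -same_ports flag are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original mail): ipfw divert rules for natd on a
# gif tunnel, written like a FreeBSD firewall_script fragment.
# Assumptions: gif5 is the VPN tunnel interface with inner address
# 192.168.3.254, the LAN is 192.168.2.0/23, the remote site is 10.0.0.0/24 and
# natd listens on divert port 8670 (all from the mail); the rule numbers and
# variable names below are chosen for this example.

fwcmd="${fwcmd:-/sbin/ipfw -q}"   # fwcmd=echo prints the rules instead of loading them
vpn_if="gif5"
nat_port="8670"
lan_net="192.168.2.0/23"
remote_net="10.0.0.0/24"

# Command line that starts natd for this divert port. -interface makes natd
# take the alias address from gif5 (192.168.3.254). natd has to be running
# before the divert rules are loaded: packets diverted to a port nobody
# listens on are dropped.
natd_vpn_cmd() {
    printf '/sbin/natd -p %s -interface %s -same_ports\n' "$nat_port" "$vpn_if"
}

# Divert only what crosses the tunnel, and say in which direction.
# Outbound on gif5: natd sees "Out" and rewrites the source to 192.168.3.254.
# Inbound on gif5:  natd sees "In" and restores the destination to the LAN host.
natd_vpn_rules() {
    # LAN -> remote site, leaving through the tunnel
    $fwcmd add 600 divert "$nat_port" ip from "$lan_net" to "$remote_net" out via "$vpn_if"
    # replies from the remote site, arriving through the tunnel
    $fwcmd add 610 divert "$nat_port" ip from "$remote_net" to any in via "$vpn_if"
    # let the tunnel traffic through once natd has handled it
    $fwcmd add 620 allow ip from any to any via "$vpn_if"
}

# Usage: "sh natd-vpn.sh show" prints the natd command and the rules,
#        "sh natd-vpn.sh load" installs the rules with $fwcmd.
case "${1:-}" in
    show) fwcmd=echo; natd_vpn_cmd; natd_vpn_rules ;;
    load) natd_vpn_rules ;;
esac
```

The divert rules must sit before any rule that already accepts tunnel traffic, otherwise natd never sees the packets. With the default net.inet.ip.fw.one_pass=1 a packet re-injected by natd is accepted right after the divert rule; with one_pass=0 it continues at the next rule, which is what rule 620 is there for. Because the rules carry the direction themselves, natd runs in its normal mode here, without -reverse.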