Date: Tue, 20 Jun 2000 21:22:06 +0200 (SAST)
From: Sean Greven <sgreven@cyber.za.net>
To: freebsd-questions@freebsd.org
Subject: natd - static and dynamic

As a service-provision organisation, we have a need to run natd as a service for users inside our network. Since we make use of private address space we need to translate outbound sessions to certain IP addresses. The only problem here is that the overload address cannot be an alias address on the outside interface or the outside interface address, since scale is an issue and binding to all the alias addresses causes problems, as well as the fact that certain addresses are permitted certain privileges through the firewalls of our peering networks.

We also have a need for static addressing, so that we can "mirror" our customers' internal hosts to "virtual" (public) IP addresses. We currently do this with Cisco IP Plus software on our routers with success; however, it would suit us to run this on our BSD platforms.

I have managed to configure this using the following command, along with setting up proxy ARP and routing rules:

    natd -m -s -n fxp0 -f natd.conf

and natd.conf contains:

    #static mappings
    redirect_address 10.1.1.1 (public_address1)
    redirect_address 10.1.230.111 (public_address2)
    .....etc...

    #dynamic mappings
    redirect_address 10.3.3.1 (public_address254)
    redirect_address 10.3.3.2 (public_address254)
    redirect_address 10.5.7.16 (public_address254)
    ......etc....etc....

The problem here is the lack of a netmask or prefix setting for the overloading of a large range of addresses.

On 3.4-RELEASE I tested KAME and it had a kernel-based NAT called SuMiTe, which worked very well if one used the pma utility to define your NAT pools. However, the KAME project code has been largely incorporated into 4.0-RELEASE and it seems as if SuMiTe has done a disappearing act out of both the BSD code base as well as the KAME SNAP release for 4.0.

Is it possible to get natd to emulate this behaviour in any way? Any help would be appreciated.

All opinions expressed in this E-Mail are my own unless otherwise indicated, and are in no way to be affiliated with the opinions of SITA pty ltd.

Sean Greven
Network Consultant / Security Consultant
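The post's sticking point is that natd.conf has no netmask or prefix form of redirect_address, so an overload pool covering a whole range has to be spelled out one private host per line. The following is an added example, not code from the original post or from the natd project: a small generator that expands prefix-based pool definitions into exactly the redirect_address lines shown above, and refuses to emit a file in which one private host would be claimed by both a static mapping and an overload pool, or in which the same public address is used as a one-to-one target and as an overload address. The pool data is constructed for illustration (the public side uses RFC 5737 documentation addresses), and the line syntax assumed is the "redirect_address local public" form the post itself uses.

```python
"""
Expand prefix-based NAT pools into natd.conf redirect_address lines.

natd.conf has no netmask/prefix form of redirect_address, so an overload
pool covering a whole range must be written out host by host.  This script
does that expansion from a short pool description and flags conflicts
before anything is written.
"""
import ipaddress

# Constructed example data (not from the original post).  The public side
# uses RFC 5737 documentation addresses in place of real allocations.
STATIC = {                      # private host -> dedicated public address
    "10.1.1.1": "198.51.100.1",
    "10.1.230.111": "198.51.100.2",
}
OVERLOAD = {                    # overload public address -> private prefixes
    "198.51.100.254": ["10.3.3.0/30", "10.5.7.16/32"],
}


def hosts_in(prefix):
    """Return the host addresses of a prefix as strings.

    A /31 or /32 has no network/broadcast address to skip, so every address
    in it is a host; larger prefixes skip those two.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    addrs = list(net) if net.prefixlen >= 31 else list(net.hosts())
    return [str(a) for a in addrs]


def expand_pools(static, overload):
    """Return (lines, errors).

    lines  - natd.conf text, one redirect_address per private host
    errors - conflicts that would make the translation ambiguous
    """
    lines, errors = [], []
    owner = {}                  # private host -> public address already mapped

    lines.append("#static mappings")
    for local, public in static.items():
        if public in overload:
            errors.append(f"{public} is both a static target and an overload address")
        owner[local] = public
        lines.append(f"redirect_address {local} {public}")

    lines.append("#dynamic mappings")
    for public, prefixes in overload.items():
        for prefix in prefixes:
            for local in hosts_in(prefix):
                if local in owner:
                    errors.append(f"{local} already mapped to {owner[local]}, "
                                  f"also covered by {prefix} -> {public}")
                    continue        # do not emit an ambiguous second mapping
                owner[local] = public
                lines.append(f"redirect_address {local} {public}")
    return lines, errors


def render(static, overload):
    """Return the natd.conf text, or raise if the pools conflict."""
    lines, errors = expand_pools(static, overload)
    if errors:
        raise ValueError("; ".join(errors))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(STATIC, OVERLOAD), end="")
```

Write the output to the file named by natd's -f option and restart natd after regenerating it; the conflict check is the part worth keeping even if the pool description changes shape, since a private host that appears under two public addresses leaves the translation result order-dependent rather than failing loudly.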