Date: Mon, 30 Oct 2000 14:46:58 -0800
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Ras-Sol <ras-sol@usa.net>
Cc: Daniel Ruthardt <ruthardt@chello.at>, freebsd-questions@freebsd.org
Subject: Re: IP Masquerading - Using NAT
Message-ID: <20001030144658.A4711@149.211.6.64.reflexcom.com>
In-Reply-To: <141201c042af$2eb07480$6d0a280a@speedera.com>; from ras-sol@usa.net on Mon, Oct 30, 2000 at 12:22:53PM -0800
References: <20001029143205.X75251@149.211.6.64.reflexcom.com> <KDEOJJLADGAOLHAHFGMKCEDBCBAA.ruthardt@chello.at> <20001030111946.A3675@149.211.6.64.reflexcom.com> <141201c042af$2eb07480$6d0a280a@speedera.com>
On Mon, Oct 30, 2000 at 12:22:53PM -0800, Ras-Sol wrote:
> While I absolutely agree that you should *not* be using only one interface
> here-
>
> It somewhat bothers me that natd gets confused if there's only one IF-
>
> Natd deals on the IP level, right?
>
> So adding another alias to the single physical should fix natd's problems?

Nope. One might think that if you specify an /address/ rather than an interface to natd(8) (the -alias_address option as opposed to -interface, also -a or -n), you would get around it. But that is only half the problem.

Note the divert(4) rule in the firewall. In a multiple interface setup, a packet comes in (or goes out) the NAT interface once. If you try to use one interface, the packet comes in, gets diverted to natd(8), comes back to the IP stack, continues through the rules, gets routed (if passed), then it goes out the one interface where it gets diverted to natd(8) _again,_ yada-yada. Every packet hits natd(8) twice, and it was not designed to handle that.

--
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
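The double-diversion Crist describes, as an added model that is not part of the thread: ipfw evaluates the ruleset once on input and once on output, and a `divert natd ... via <iface>` rule matches whenever the packet crosses that interface in either direction. Interface names, addresses and routes below are constructed for the illustration.

```python
"""Model of how a 'divert natd ... via <nat_iface>' ipfw rule hands a forwarded
packet to natd(8). A forwarded packet traverses the ruleset twice: on the
interface it arrives on, and after routing on the interface it leaves by.
Everything here is a constructed example, not the poster's configuration."""
from ipaddress import ip_address, ip_network

# Constructed routing tables: destination prefix -> outgoing interface.
# Two-NIC gateway: LAN behind ed0, Internet via fxp0 (the NAT interface).
TWO_IF_ROUTES = {ip_network("10.0.0.0/24"): "ed0", ip_network("0.0.0.0/0"): "fxp0"}
# Single-NIC gateway: LAN is an alias on fxp0, so everything routes via fxp0.
ONE_IF_ROUTES = {ip_network("10.0.0.0/24"): "fxp0", ip_network("0.0.0.0/0"): "fxp0"}


def outgoing_iface(dst, routes):
    """Longest-prefix match: the most specific route for dst wins."""
    addr = ip_address(dst)
    best = max((net for net in routes if addr in net), key=lambda net: net.prefixlen)
    return routes[best]


def trace(dst, in_iface, nat_iface, routes):
    """Return the natd(8) diversions one forwarded packet triggers, in order.

    Mirrors the rule 'ipfw add divert natd ip from any to any via <nat_iface>':
    'via' matches the receiving interface on the input pass and the sending
    interface on the output pass, so the count is 0, 1 or 2.
    """
    out_iface = outgoing_iface(dst, routes)
    diversions = []
    for direction, iface in (("in", in_iface), ("out", out_iface)):
        if iface == nat_iface:
            diversions.append(f"divert {direction} via {iface}")
    return diversions


def natd_hits(dst, in_iface, nat_iface, routes):
    """How many times natd(8) sees the same packet (should be exactly one)."""
    return len(trace(dst, in_iface, nat_iface, routes))


if __name__ == "__main__":
    # LAN host 10.0.0.5 sends to a public address (192.0.2.10 is documentation space).
    print(trace("192.0.2.10", "ed0", "fxp0", TWO_IF_ROUTES))   # one diversion, on output
    print(trace("192.0.2.10", "fxp0", "fxp0", ONE_IF_ROUTES))  # diverted twice
```

The second trace is the failure mode in the reply: with a single interface the packet is handed to natd(8) on the way in and again on the way out.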