Date:      Tue, 27 Nov 2007 19:21:36 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Jerahmy Pocott" <quakenet1@optusnet.com.au>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   RE: Difficulties establishing VPN tunnel with IPNAT
Message-ID:  <BMEDLGAENEKCJFGODFOCCECGCFAA.tedm@toybox.placo.com>
In-Reply-To: <219A86D3-597D-4369-A0DA-5D1F14D80D43@optusnet.com.au>


> -----Original Message-----
> From: Jerahmy Pocott [mailto:quakenet1@optusnet.com.au]
> Sent: Tuesday, November 27, 2007 7:07 AM
> To: Ted Mittelstaedt
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
> 
> 
> 
> On 27/11/2007, at 5:49 PM, Ted Mittelstaedt wrote:
> >> -----Original Message-----
> >> From: Jerahmy Pocott [mailto:quakenet1@optusnet.com.au]
> >> Sent: Sunday, November 25, 2007 4:48 AM
> >> To: Ted Mittelstaedt
> >> Cc: FreeBSD Questions
> >> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
> >>
> >>
> >> Perhaps, but I've heard a lot of good things about IPF and IPNAT,
> >> especially since the nat is all in kernel whereas natd is userland,
> >> so there is a slight performance boost possibly there as well..
> >>
> >
> > I will address this one point here since it's enough to make
> > someone scream, it's such an old chestnut.
> >
> > natd is always criticized because going to userland is slow.  So,
> > people who have slowness problems think that is the issue.
> >
> > In reality, the problem is that the DEFAULT setup and man page
> > examples for natd use the following ipfw divert rule:
> >
> >        /sbin/ipfw -f flush
> >        /sbin/ipfw add divert natd all from any to any via ed0
> >        /sbin/ipfw add pass all from any to any
> >
> > This produces a rule such as the following:
> >
> > 00050  divert 8668 ip from any to any via de0
> >
> > The problem though, is this is wrong.  What it is doing is that
> > ALL traffic that comes into and out of the box - no matter what
> > the source and destination is - will be passed to the natd translator.
> >
> > What you SHOULD be using is a set of commands such:
> >
> > ipfw add divert natd ip from any to [outside IP address] in recv [outside interface]
> > ipfw add divert natd ip from not [outside IP address] to any out recv [inside interface] xmit [outside interface]
> 
> That does make a lot of sense!
> 
> However the 2nd rule is slightly confusing me.. Shouldn't it be something
> like: divert natd ip from [internal net range] to any out via [outside if]?
> 

As I recall the "via" keyword was a later addition to ipfw; the
way you wrote it is the same thing. The earlier form I used works
on both old and new ipfw (not that it probably matters much nowadays).

Use whichever is more clear to you. The gist of it is to use the
ipfw rulesets to keep the traffic that doesn't need the attention of
natd out of userland.

Ted
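As an added illustration (not code from the list thread), the snippet below models the ipfw match semantics of the two rule styles quoted above and shows which sample packets each would hand to natd. The outside address, the inside interface name `fxp0`, and the sample packets are all constructed for the example.

```python
# Added illustration: a tiny model of ipfw match semantics, used to compare the
# catch-all "via" divert rule with the narrowed in/out rules quoted above.
# Addresses, the inside interface name and the sample packets are constructed.
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "203.0.113.10"   # constructed: address on the outside interface
OUTSIDE_IF = "ed0"            # outside interface, as in the quoted rules
INSIDE_IF = "fxp0"            # constructed: inside (LAN) interface name


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str            # "in" (arriving) or "out" (leaving)
    recv: Optional[str]       # interface it was received on (None if locally generated)
    xmit: Optional[str]       # interface it leaves on (None for inbound packets)


def catch_all_divert(p: Packet) -> bool:
    """divert natd ip from any to any via ed0 -- 'via' matches either direction."""
    return OUTSIDE_IF in (p.recv, p.xmit)


def narrowed_divert(p: Packet) -> bool:
    """The two rules Ted recommends: only traffic that actually needs translation."""
    # divert natd ip from any to [outside IP] in recv [outside if]
    inbound = (p.direction == "in" and p.dst == OUTSIDE_IP
               and p.recv == OUTSIDE_IF)
    # divert natd ip from not [outside IP] to any out recv [inside if] xmit [outside if]
    forwarded = (p.direction == "out" and p.src != OUTSIDE_IP
                 and p.recv == INSIDE_IF and p.xmit == OUTSIDE_IF)
    return inbound or forwarded


# Constructed sample traffic: 192.168.1.0/24 is the LAN, 198.51.100.7 a remote host.
SAMPLE = {
    "reply_to_nat":   Packet("198.51.100.7", OUTSIDE_IP, "in", OUTSIDE_IF, None),
    "lan_to_net":     Packet("192.168.1.20", "198.51.100.7", "out", INSIDE_IF, OUTSIDE_IF),
    "fw_own_traffic": Packet(OUTSIDE_IP, "198.51.100.7", "out", None, OUTSIDE_IF),
    "bcast_on_ed0":   Packet("203.0.113.1", "203.0.113.255", "in", OUTSIDE_IF, None),
    "lan_to_fw":      Packet("192.168.1.20", "192.168.1.1", "in", INSIDE_IF, None),
}


def diverted(rule) -> list[str]:
    """Names of the sample packets a rule would pass to natd in userland."""
    return [name for name, p in SAMPLE.items() if rule(p)]
```

The firewall's own outbound traffic and the broadcast arriving on ed0 are diverted only by the catch-all rule; with the narrowed rules they stay in the kernel.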
