Date: Fri, 23 Aug 2002 19:49:56 -0700 From: "Sean Hamilton" <sh@planetquake.com> To: <hackers@freebsd.org> Subject: Weird NAT setup Message-ID: <001401c24b18$ee8e59c0$911de8d8@slugabed.org>
Greetings,

I have an arrangement like this.

          (internet)
              |
        +----fxp0-----+
        |             |
        | FreeBSD box |
        |             |
        +--fxp1-fxp2--+
            |    |
            |    +---(NAT network)
            |
      (internal network)

fxp0 and fxp1 are bridged. There are four blocks on the internal network:

    x.x.0.0/26   (x.x is constant through this message)
    x.x.1.0/26
    x.x.16.0/26
    x.x.17.0/24

and the NAT network is 10.0.0.0/24.

fxp0 (and thus fxp1) is x.x.0.49/26; fxp2 is 10.0.0.254/24.

The bridging works fine. The problem is with the NAT. First, we used this configuration for ipnat:

    map fxp0 10.0.0.0/24 -> x.x.0.49/32 portmap tcp/udp 10000:60000
    map fxp0 10.0.0.0/24 -> x.x.0.49/32

This worked, allowing NAT hosts to access the external Internet. However, they couldn't get through to boxes on the internal network. (I would expect the router at the other end of the Internet connection to bounce packets back, but I guess not.)

After some head scratching, the following entries were prepended to ipnat's rules:

    map fxp1 from 10.0.0.0/24 to x.x.0.0/26 -> x.x.0.49/32 portmap tcp/udp 10000:60000
    map fxp1 from 10.0.0.0/24 to x.x.0.0/26 -> x.x.0.49/32
    map fxp1 from 10.0.0.0/24 to x.x.1.0/26 -> x.x.0.49/32 portmap tcp/udp 10000:60000
    map fxp1 from 10.0.0.0/24 to x.x.1.0/26 -> x.x.0.49/32
    map fxp1 from 10.0.0.0/24 to x.x.16.0/26 -> x.x.0.49/32 portmap tcp/udp 10000:60000
    map fxp1 from 10.0.0.0/24 to x.x.16.0/26 -> x.x.0.49/32
    map fxp1 from 10.0.0.0/24 to x.x.17.0/24 -> x.x.0.49/32 portmap tcp/udp 10000:60000
    map fxp1 from 10.0.0.0/24 to x.x.17.0/24 -> x.x.0.49/32

This fixed the bulk of the problem, but the NAT clients still cannot access hosts on the x.x.0.0/26 block, the same block the NAT server is on.

The only solution I could come up with (but didn't try) is to have the NAT server have an IP address in two blocks, and have them rewrite into the opposing block.

My understanding of how NAT works is far from complete, so I don't exactly see why this isn't working. Is there a solution/fix, or at least a reason?

thanks,
sh

ps. This server was previously running Linux, which was doing weird arp kludges to achieve the desired effect (since it can't apply firewall rules to its bridges.) This NAT problem was solved with some routing trick, but the guy who set it up can't remember what he did, and we trashed the disk in favor of FreeBSD. Linux was barfing under high loads (packet attacks), and I finally managed to convince the other guy around here to let me put FreeBSD to the test. Hoping for the best...
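As an added illustration (not part of the original message, and not ipfilter's code), the following Python model shows how an ipnat-style rule list is walked for the configuration above: the first matching `map` rule wins, rules are tied to the interface the packet leaves on, a `portmap` rule only covers tcp/udp so the plain rule beneath it catches everything else, and replies are reverse-translated from a session table. Everything here is constructed: the redacted `x.x` prefix is replaced by `198.18` (the RFC 2544 benchmarking range, so no real hosts), and a per-rule counter stands in for ipnat's port allocator. At the rule level the model reproduces the first symptom in the message (with only the `fxp0` rules, nothing leaving on `fxp1` is translated) and shows that the `x.x.0.0/26` destination is selected exactly like the other three blocks; the remaining failure therefore is not something rule matching alone can show, since the model knows nothing about bridging or ARP.

```python
"""Toy model of ipnat 'map' rule selection and translation (added example, not ipfilter)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Optional

# Constructed stand-in for the poster's redacted "x.x": 198.18.0.0/15 (RFC 2544 range).
# Same rule order as the message: the prepended fxp1 rules, then the original fxp0 pair.
RULES_TEXT = """\
map fxp1 from 10.0.0.0/24 to 198.18.0.0/26 -> 198.18.0.49/32 portmap tcp/udp 10000:60000
map fxp1 from 10.0.0.0/24 to 198.18.0.0/26 -> 198.18.0.49/32
map fxp1 from 10.0.0.0/24 to 198.18.1.0/26 -> 198.18.0.49/32 portmap tcp/udp 10000:60000
map fxp1 from 10.0.0.0/24 to 198.18.1.0/26 -> 198.18.0.49/32
map fxp1 from 10.0.0.0/24 to 198.18.16.0/26 -> 198.18.0.49/32 portmap tcp/udp 10000:60000
map fxp1 from 10.0.0.0/24 to 198.18.16.0/26 -> 198.18.0.49/32
map fxp1 from 10.0.0.0/24 to 198.18.17.0/24 -> 198.18.0.49/32 portmap tcp/udp 10000:60000
map fxp1 from 10.0.0.0/24 to 198.18.17.0/24 -> 198.18.0.49/32
map fxp0 10.0.0.0/24 -> 198.18.0.49/32 portmap tcp/udp 10000:60000
map fxp0 10.0.0.0/24 -> 198.18.0.49/32
"""

@dataclass
class MapRule:
    iface: str
    src: IPv4Network
    dst: Optional[IPv4Network]   # None: any destination ("map fxp0 10.0.0.0/24 -> ...")
    to: IPv4Address
    portmap: Optional[tuple]     # (lo, hi) for tcp/udp rules, else None

@dataclass
class Packet:
    iface: str     # interface the packet leaves on (outbound) or arrives on (reply)
    src: str
    dst: str
    proto: str     # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0

def parse_rule(line: str) -> MapRule:
    """Parse one 'map' line of the two shapes used in the message."""
    t = line.split()
    if t[0] != "map":
        raise ValueError(line)
    if t[2] == "from":                       # map IF from SRC to DST -> ADDR ...
        src, dst, i = ip_network(t[3]), ip_network(t[5]), 6
    else:                                    # map IF SRC -> ADDR ...
        src, dst, i = ip_network(t[2]), None, 3
    if t[i] != "->":
        raise ValueError(line)
    to = ip_network(t[i + 1]).network_address    # "addr/32" -> single address
    portmap = None
    if "portmap" in t:
        lo, hi = t[t.index("portmap") + 2].split(":")
        portmap = (int(lo), int(hi))
    return MapRule(t[1], src, dst, to, portmap)

def load_rules(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

class Nat:
    def __init__(self, rules):
        self.rules = rules
        self.next_port = {}   # rule index -> next port to hand out (toy allocator)
        self.sessions = {}    # (proto, nat_addr, nat_port, peer) -> (orig_src, orig_sport)

    def select(self, pkt: Packet) -> Optional[int]:
        """Index of the first matching rule, as ipnat walks its list; None if no match."""
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        for i, r in enumerate(self.rules):
            if r.iface != pkt.iface or s not in r.src:
                continue
            if r.dst is not None and d not in r.dst:
                continue
            if r.portmap is not None and pkt.proto not in ("tcp", "udp"):
                continue                     # portmap rules only cover tcp/udp
            return i
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite source address (and port, for portmap rules); None if untranslated."""
        i = self.select(pkt)
        if i is None:
            return None
        r = self.rules[i]
        if r.portmap is not None:
            lo, hi = r.portmap
            port = self.next_port.get(i, lo)
            if port > hi:
                raise RuntimeError("portmap range exhausted")
            self.next_port[i] = port + 1
        else:
            port = pkt.sport
        self.sessions[(pkt.proto, str(r.to), port, pkt.dst)] = (pkt.src, pkt.sport)
        return Packet(pkt.iface, str(r.to), pkt.dst, pkt.proto, port, pkt.dport)

    def inbound(self, reply: Packet) -> Optional[Packet]:
        """Reverse-translate a reply addressed to the NAT address; None if no session."""
        hit = self.sessions.get((reply.proto, reply.dst, reply.dport, reply.src))
        if hit is None:
            return None
        orig_src, orig_sport = hit
        return Packet(reply.iface, reply.src, orig_src, reply.proto, reply.sport, orig_sport)

if __name__ == "__main__":
    nat = Nat(load_rules(RULES_TEXT))
    out = nat.outbound(Packet("fxp1", "10.0.0.5", "198.18.1.7", "tcp", 40000, 80))
    print(out)
    print(nat.inbound(Packet("fxp1", "198.18.1.7", "198.18.0.49", "tcp", 80, out.sport)))
```

Running the block sends one tcp flow from a NAT host to the `x.x.1.0/26` block and maps the reply back; `Nat(load_rules(RULES_TEXT)[8:])` builds the original two-rule configuration, under which `select()` returns `None` for the same packet because no rule is bound to `fxp1`.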