Date: Mon, 02 Oct 2000 16:25:19 -0700
From: Dan Yergeau <yergeau@gloworm.Stanford.EDU>
To: freebsd-questions@freebsd.org
Cc: yergeau@gloworm.Stanford.EDU
Subject: NAT, firewall, public and private subnets
Message-ID: <200010022325.QAA18676@gloworm.Stanford.EDU>
I've got a 5 static-IP DSL connection, and I'm wanting to set up a freebsd-4.1 box with 2 NICs to be the firewall for the public addresses and a NAT box/firewall for a private net. For simplicity in discussion, let's call the public address space P.U.B.* (with netmask 255.255.255.248), the private IP address space p.v.t.* (with netmask 255.255.255.0; in this case, p=192 and v=168), and the two network interfaces pvt0 and pub1. The 5 public IP's are P.U.B.19[45678].

I've tried

1) DSL <==> pub1/freebsd/pvt0 <==> switch <==> both public and private

   pub1 is P.U.B.194
   pvt0 is p.v.t.99 (used as the gateway for the public and private machines)
   natd -n pub1

   private address machines worked fine
   public address machines couldn't find the gateway

   I suppose I could add a third NIC and a switch to separate the firewalled public and private nets, but it isn't clear how to configure the freebsd box to NAT one interface, but not the other. I also tried to add a public IP alias on pvt0 (i.e. P.U.B.195) and to use that as the gateway for the public IP machines, but wasn't successful in getting the internal public IP machines routed to the internet.

2) DSL <==> pub1/freebsd/pvt0 <==> switch <==> all machines with private IP

   pub1 is P.U.B.194 with aliases of P.U.B.19[5678]
   pvt0 is p.v.t.99 (used as the gateway for the public and private machines)
   natd -n pub1 -f /etc/natd.conf

   /etc/natd.conf had redirect_address entries for the 4 remaining public IP's, mapping each of p.v.t.19[5678] to the equivalent P.U.B.19[5678].

   The only glitch here appeared to be that the freebsd box and private IP machines couldn't get through to the public IP of the 4 remaining public IP's. I suppose that I could do an internal DNS server to remap hostnames to the private IP addresses, but that seems like a hack. I also didn't test tapping into AFS/kerberos, which doesn't get along well with translated IP addresses.
3) A "no firewall" config

   DSL <==> switch <==> {pvt0,pub1}/freebsd & other public/private machines

   I'd really need to get another switch for this to work correctly (lots of "arp: P.U.B.19[45678] is on pub1, but got reply from <hardware-addr> on pvt0"; and private net DHCP is flaky). So, it would really optimally/correctly be

                         <==> other public IP machines
                        /
   DSL <==> switch <==> pub1/freebsd/pvt0 <==> switch#2 <==> private IP machines

   Unfortunately, this setup doesn't stick a firewall between the other public machines and the internet.

Any suggestions or pointers to resources that I should look at? The discussion of routes and gateways in the handbook and manpages doesn't seem to address the whole picture.

Thanks,
Dan
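For the three-NIC layout considered under option 1 (private segment translated, public segment routed and filtered without translation), the following configuration sketch is added by the editor and is not part of Dan's message or of any FreeBSD documentation. It assumes ipfw + natd on a 4.x box, a third interface named pub2 facing the public segment, 192.168.1.0/24 as the private net, and keeps P.U.B.* as a placeholder for the /29 block; the UDP 53 rule is example policy only.

```conf
# /etc/rc.conf (assumed box: pub1 = DSL side, pub2 = public segment, pvt0 = private segment)
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"      # rc.firewall loads this file with ipfw(8)
natd_enable="YES"
natd_interface="pub1"                # natd aliases to pub1's primary address (P.U.B.194)
natd_flags="-u -f /etc/natd.conf"    # -u: translate only RFC 1918 source addresses

# /etc/natd.conf: the four remaining public IPs, each mapped 1:1 to one private host
redirect_address 192.168.1.195 P.U.B.195
redirect_address 192.168.1.196 P.U.B.196
redirect_address 192.168.1.197 P.U.B.197
redirect_address 192.168.1.198 P.U.B.198

# /etc/ipfw.rules (evaluated in order; first match wins)
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
# anti-spoofing: private sources may not arrive from the DSL, and only private sources may arrive on pvt0
add 300 deny ip from 192.168.1.0/24 to any in via pub1
add 310 deny ip from not 192.168.1.0/24 to any in via pvt0
# divert to natd only on the DSL-facing interface; pub2 traffic is routed without translation
add 400 divert natd ip from any to any via pub1
# after the divert, outbound packets carry a P.U.B.* source and inbound ones their real destination
add 500 allow ip from P.U.B.192/29 to any out via pub1          # our whole block may leave
add 510 allow tcp from any to any in via pub1 established        # replies to connections we opened
add 520 allow udp from any 53 to any in via pub1                 # DNS replies (example policy)
add 530 allow icmp from any to any icmptypes 0,3,11
# internal segments: private net and public segment pass through the box
add 600 allow ip from 192.168.1.0/24 to any via pvt0
add 610 allow ip from any to 192.168.1.0/24 via pvt0
add 700 allow ip from P.U.B.192/29 to any via pub2
add 710 allow ip from any to P.U.B.192/29 via pub2
# everything else, in particular unsolicited inbound connections, is dropped and logged
add 65000 deny log ip from any to any
```

Because natd runs with -u, outbound packets from the pub2 hosts keep their own P.U.B.* source, while private hosts either share P.U.B.194 or, for the four redirect_address entries, appear as their own public address.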