Date: Tue, 4 Dec 2001 21:05:10 +0200
From: veedee@c7.campus.utcluj.ro
To: freebsd-net@freebsd.org
Subject: ipnat
Message-ID: <20011204210510.A1833@c7.campus.utcluj.ro>
Hello,

I've been using ipfw/natd for some time and about 2 days ago I switched to ipf/ipnat. Everything was okay, until I noticed that all the services on the machines from the internal network wouldn't work any more. I know, it sounds confusing... I'll explain in a minute.

My server and about 400 workstations are in a building. I've got 2 ethernet adapters on the server: one goes to the internal network (de0) and one to the internet link (xl0). The xl0 is connected to a 100Mbps switch in another building. There are currently another 4 buildings with the same configuration as mine, all connected to that 100Mbps switch.

As I said, I've been running natd successfully for some time now. Here are the old configurations:

-- natd.conf --
use_sockets yes
same_ports yes
unregistered_only yes
interface xl0
-- eof --

-- firewall.rules --
...blah blah...
loopback
# allow everything to the other building
add allow ip from any to 172.27.40.0/23
add divert natd ip from any to any via xl0
add allow ip from any to any
-- eof --

-- rc.conf --
firewall_enable="YES"
firewall_type="/etc/firewall.rules"
firewall_logging="YES"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"
-- eof --

-- KERNEL --
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
-- eof --

My internal network is 172.27.0.0/23 and the network in the other building is 172.27.40.0/23. Their configuration is correct, as they are able to masquerade with another building successfully.

Now, what we were doing was allowing our workstations to use each other's services. So a station from the other building (let's say 172.27.40.133) was able to ftp, telnet, ssh to a station in my building (for instance 172.27.1.5). So what was sent to the other building was sent "un-masqueraded" (the divert rule came after the allow). Also we had to add a route like: "route add -net 172.27.40.0 otherbuilding 255.255.254.0".

Now, since I've switched to ipf/ipnat, here's how things look:

-- ipf.rules --
# test. allow everything
pass out quick all
pass in quick all
-- eof --

-- ipnat.rules --
map xl0 172.27.0.0/23 -> x.x.x.x/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32
-- eof --

-- rc.conf --
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -Fa -f"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_program="/sbin/ipmon"
ipmon_flags="-Ds"
-- eof --

-- KERNEL --
options IPFILTER
options IPFILTER_LOG
-- eof --

Now, since I've switched to ipf/ipnat, the firewall is running okay (ignore the test ipf.rules, I'm using it for testing NAT only), but I can't connect from 172.27.40.133 to 172.27.1.5 (to any port) although the ping works. :(

Dunno what more to say... does anyone have any ideas? Have I forgotten something or is ipnat dumber than natd?

Thanks in advance,
Radu Bogdan Rusu (aka veedee)
C7 Campus Network System Administrator
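As an added illustration (not from the post or the thread), a small Python model of how the two rule sets in the post treat the reply that 172.27.1.5 sends back out xl0 toward 172.27.40.133: under the ipfw ordering the `allow` for 172.27.40.0/23 matches before the `divert`, while the ipnat `map ... to any` rule matches every destination. The public address 203.0.113.1 stands in for the redacted x.x.x.x, and the `exclude` parameter is a hypothetical knob of the model, not ipnat syntax.

```python
import ipaddress

# Address blocks from the post; the public address is a constructed stand-in
# for the "x.x.x.x" the poster redacted.
INTERNAL = ipaddress.ip_network("172.27.0.0/23")
OTHER_BUILDING = ipaddress.ip_network("172.27.40.0/23")
PUBLIC = ipaddress.ip_address("203.0.113.1")


def ipfw_natd_source(src: str, dst: str) -> str:
    """Source address a packet leaving xl0 carries under the old ipfw rules.

    Rules are evaluated first-match:
        add allow ip from any to 172.27.40.0/23
        add divert natd ip from any to any via xl0   (natd: unregistered_only)
        add allow ip from any to any
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in OTHER_BUILDING:
        return str(s)          # 'allow' matched first; divert is never reached
    if s.is_private:           # unregistered_only: only private sources are NATed
        return str(PUBLIC)
    return str(s)


def ipnat_source(src: str, dst: str, exclude=None) -> str:
    """Source address under 'map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32'.

    'to any' matches every destination, so traffic toward the other building is
    translated too. `exclude` is a hypothetical destination block that the
    model leaves untranslated; it is NOT part of the posted rule and only shows
    what the ipfw rule ordering achieved implicitly.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in INTERNAL and not (exclude is not None and d in exclude):
        return str(PUBLIC)
    return str(s)


def reply_source(model, **kw) -> str:
    """Source address 172.27.40.133 sees on the reply 172.27.1.5 sends back."""
    return model("172.27.1.5", "172.27.40.133", **kw)


if __name__ == "__main__":
    print("natd :", reply_source(ipfw_natd_source))   # 172.27.1.5  (untouched)
    print("ipnat:", reply_source(ipnat_source))       # 203.0.113.1 (rewritten)
```

The model only reproduces the address rewriting implied by the two configurations; the other end of a connection to 172.27.1.5 sees its reply come from a different address under the ipnat rule, whereas internet-bound traffic is translated the same way in both.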