From owner-freebsd-questions Sat Nov 25 2:57:58 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from hyperreal.org (taz.hyperreal.org [209.133.83.16]) by hub.freebsd.org (Postfix) with SMTP id BD96437B4C5 for ; Sat, 25 Nov 2000 02:57:55 -0800 (PST)
Received: (qmail 116 invoked by uid 12); 25 Nov 2000 10:57:55 -0000
Message-ID: <20001125105755.115.qmail@hyperreal.org>
From: mike@hyperreal.org
Subject: Re: natd basic setup help
In-Reply-To: <20001125095108.17976.qmail@hyperreal.org> from "mike@hyperreal.org" at "Nov 25, 2000 01:51:08 am"
To: freebsd-questions@freebsd.org
Date: Sat, 25 Nov 2000 02:57:55 -0800 (PST)
X-Mailer: ELM [version 2.4ME+ PL60 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I wrote:

> NAT. I've been RTFM'ing all night and am just not getting it. My ISP has
> assigned me a static IP address. I want to use that address for my FreeBSD
> machine, and have my 2 other machines masquerading as the same IP. The
> configuration is pretty simple:
>
> [private_box_1]-----.
>                     |
> [private_box_2]-----|___[switch]___[DSL_modem]___[ISPs_router]
>                     |
> [public_BSD_box]----'
>
> The switch is unmanaged and the DSL modem is in bridging mode, so it's
> essentially just a wire between my network and my ISP's router, which I
> use as my gateway (216.241.42.1). No PPP or dynamic IPs are involved.
>
> I want to give the private boxes IP addresses 10.0.0.*, and have them use
> the BSD box as their gateway. The BSD box needs to keep its public IP
> address (216.241.42.159). Sounds pretty typical, right?

It was pointed out to me shortly after I sent this that with the BSD box not
being between the switch and the DSL modem, I can never have a true firewall;
the private boxes will never be private.
I need to have 2 NICs, one for traffic going between the BSD box and the DSL
modem, and the other for traffic between the BSD box and the switch. Fair
enough.

I'd settle for just getting the masquerading working. The semi-private boxes
would only respond to 10.0.0.*-destined traffic, and if I could just get the
BSD box to reroute the traffic accordingly, it would at least give them TCP/IP
connectivity. But I can see that with my current setup, once the switch found
out the semi-private boxes were at those addresses, it would happily pass
along any 10.0.0.*-destined traffic to those boxes, even if it were coming
from the outside world. Like I trust the H4X0R kiddies I share a subnet
with.. yeargh.

Anyway, I thought I gleaned from somewhere that 2 logical interfaces were
necessary for NAT, but that this didn't have to mean 2 physical NICs. Is this
wrong? I have nothing against using 2 NICs, but my BSD box is on unstable
hardware that has been known to invent conflicts when I add any piece of
hardware to it. It's a c.1995 dual P133 board from Micron, with the Neptune
chipset, and I'm trying to get whatever mileage I can out of it. Maybe it's
time to just bite the bullet and use it as the doorstop it was meant to be.

Thanks
-M.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
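The following is an added example, not part of the original thread and not anything the poster or the list wrote: the classic two-NIC natd(8)/ipfw(8) configuration for the FreeBSD 4.x of the day, written so that it also enforces the point made above, namely that anyone on the shared ISP subnet could otherwise hand 10.0.0.* traffic straight to the private boxes. Assumptions, none of which are in the message: the outside NIC (toward the DSL modem) is fxp0 with the poster's 216.241.42.159 and a /24 mask, the inside NIC (toward the switch) is xl0 at 10.0.0.1, the private boxes use 10.0.0.1 as their default gateway, and the only service the BSD box exposes to the world is ssh on port 22. The kernel needs `options IPFIREWALL` and `options IPDIVERT` (and `options IPFIREWALL_VERBOSE` for the `log` rule to do anything). When `firewall_type` names a readable file, /etc/rc.firewall feeds that file to ipfw, so the rules below are written without the leading `ipfw`.

```conf
# ---- /etc/rc.conf additions (example; interface names and masks assumed) ----
gateway_enable="YES"                 # forward packets between the two NICs
ifconfig_fxp0="inet 216.241.42.159 netmask 255.255.255.0"   # outside, /24 assumed
ifconfig_xl0="inet 10.0.0.1 netmask 255.255.255.0"          # inside LAN
defaultrouter="216.241.42.1"         # the ISP router named in the message
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"      # rc.firewall passes this file to ipfw
natd_enable="YES"
natd_interface="fxp0"                # natd translates what crosses the outside NIC

# ---- /etc/ipfw.rules (example ruleset; read with "ipfw /etc/ipfw.rules") ----
# Loopback is fine; nothing on the wire may claim 127/8.
add 100 allow ip from any to any via lo0
add 200 deny  ip from any to 127.0.0.0/8
add 210 deny  ip from 127.0.0.0/8 to any

# Anti-spoofing on the outside NIC. The ISP segment is shared with strangers,
# so reject private sources arriving from the world, and reject anything from
# the world addressed to the private LAN before it can be forwarded to xl0.
add 300 deny ip from 10.0.0.0/8     to any in via fxp0
add 310 deny ip from 172.16.0.0/12  to any in via fxp0
add 320 deny ip from 192.168.0.0/16 to any in via fxp0
add 330 deny ip from any to 10.0.0.0/8 in via fxp0

# The inside NIC only accepts the private LAN as a source.
add 400 allow ip from 10.0.0.0/24 to any in via xl0
add 410 deny  ip from any to any in via xl0

# Non-first fragments carry no ports or TCP flags, so they cannot match the
# rules below; accept them here, after the spoofing checks, as the 4.x
# handbook rulesets did.
add 500 allow ip from any to any frag

# NAT: everything crossing the outside NIC passes through natd. Rules after
# this one see translated addresses (public on the way out, 10.0.0.x on the
# way back in).
add 600 divert natd ip from any to any via fxp0

# Replies to connections the LAN or the BSD box opened.
add 700 allow tcp from any to any established
# Anything already translated may leave, and anything natd mapped back to the
# LAN may be forwarded to it.
add 710 allow ip from any to any out via fxp0
add 720 allow ip from any to 10.0.0.0/24 out via xl0
# Unsolicited inbound: only ssh to the BSD box itself (port assumed).
add 800 allow tcp from any to 216.241.42.159 22 in via fxp0 setup
# Stateless UDP/ICMP replies for resolvers, ping and traceroute.
add 810 allow udp  from any 53 to any in via fxp0
add 820 allow icmp from any to any icmptypes 0,3,11
# Everything else from the world is dropped and logged.
add 900 deny log ip from any to any
```

The ordering matters: rule 330 runs before the divert, so it sees the untranslated public destination on legitimate NAT replies and only blocks packets that were addressed to 10.0.0.x on the wire. Stateful `keep-state` rules were left out on purpose; with natd on the same interface the dynamic entries are created with one side of the translation and checked against the other, which is why the 4.x-era rulesets around natd were written stateless like this.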