From owner-freebsd-questions  Sat Nov 25 17:48:47 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id 3F30F37B4C5
	for ; Sat, 25 Nov 2000 17:48:44 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149])
	by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
	Sat, 25 Nov 2000 17:47:12 -0800
Received: (from cjc@localhost)
	by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAQ1meU97367;
	Sat, 25 Nov 2000 17:48:40 -0800 (PST)
	(envelope-from cjc)
Date: Sat, 25 Nov 2000 17:48:40 -0800
From: "Crist J . Clark"
To: mike@hyperreal.org
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd basic setup help
Message-ID: <20001125174840.B12190@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001125095108.17976.qmail@hyperreal.org> <20001125105755.115.qmail@hyperreal.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20001125105755.115.qmail@hyperreal.org>; from mike@hyperreal.org on Sat, Nov 25, 2000 at 02:57:55AM -0800
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Nov 25, 2000 at 02:57:55AM -0800, mike@hyperreal.org wrote:
> I wrote:
> > NAT. I've been RTFM'ing all night and am just not getting it. My ISP has
> > assigned me a static IP address. I want to use that address for my FreeBSD
> > machine, and have my 2 other machines masquerading as the same IP. The
> > configuration is pretty simple:
> >
> > [private_box_1]-----.
> >                     |
> > [private_box_2]-----|___[switch]___[DSL_modem]___[ISPs_router]
> >                     |
> > [public_BSD_box]----'
> >
> > The switch is unmanaged and the DSL modem is in bridging mode, so it's
> > essentially just a wire between my network and my ISP's router, which I
> > use as my gateway (216.241.42.1). No PPP or dynamic IPs are involved.
> >
> > I want to give the private boxes IP addresses 10.0.0.*, and have them use
> > the BSD box as their gateway. The BSD box needs to keep its public IP
> > address (216.241.42.159). Sounds pretty typical, right?
>
> It was pointed out to me shortly after I sent this that with the BSD box
> not being between the switch and the DSL modem, I can never have a true
> firewall; the private boxes will never be private. I need to have 2 NICs,
> one for traffic going between the BSD box and the DSL modem, and the other
> for traffic between the BSD box and the switch.
>
> Fair enough. I'd settle for just getting the masquerading working.
> The semi-private boxes would only respond to 10.0.0.*-destined traffic,
> and if I could just get the BSD box to reroute the traffic accordingly, it
> would at least give them TCP/IP connectivity.
>
> But I can see that with my current setup, once the switch found out the
> semi-private boxes were at those addresses, it would happily pass along
> any 10.0.0.*-destined traffic to those boxes, even if it were coming from
> the outside world. Like I trust the H4X0R kiddies I share a subnet with..
> yeargh.
>
> Anyway I thought I gleaned from somewhere that 2 logical interfaces were
> necessary for NAT, but that this didn't have to mean 2 physical NICs. Is
> this wrong?

natd(8) was not designed to work with one physical interface. It may
work, but if it doesn't you're kind of on your own. You might say it is
not a supported configuration.

The essence of the problem is that one typically has a divert(4) rule
like,

  divert natd ip from any to any via if0

where 'if0' would be the external interface. When a packet comes in to
(or goes out of) your internal net, it goes through natd(8) once when
it comes in (goes out) the external interface, and does NOT go through
natd(8) when going out (coming in) the internal interface. However, if
your internal and external interfaces are the same physical interface,
then packets always go through natd(8) _twice,_ and this can mess
things up.

> I have nothing against using 2 NICs but my BSD box is on unstable hardware
> that has been known to invent conflicts when I add any piece of hardware
> to it. It's a c.1995 dual P133 board from Micron, with the Neptune
> chipset, and I'm trying to get whatever mileage I can out of it. Maybe
> it's time to just bite the bullet and use it as the doorstop it was meant
> to be.

You can buy 10BaseT ISA NICs for $10. Might as well give it a shot.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
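[Editor's added example; this is not part of the thread above and not
Crist's or the FreeBSD project's configuration.] The following script
sketches the two-NIC ipfw(8)/natd(8) ruleset the reply describes: the
divert rule is keyed to the external interface only, so each packet
passes through natd once, and the spoofing concern mike raised (outside
hosts sending 10.0.0.* traffic) is handled by deny rules on the external
interface before the divert. The interface names fxp0 (external) and ed0
(internal), the 10.0.0.0/24 prefix, and the rc.conf lines in the
comments are assumptions for illustration; substitute your own. The
script only prints the rules unless invoked with "apply" as root on a
FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the original thread): emit, and optionally
# apply, an ipfw ruleset for a two-NIC natd(8) gateway.
#
# Assumed companion rc.conf settings (hypothetical values):
#   gateway_enable="YES"               # enable IP forwarding
#   firewall_enable="YES"
#   firewall_type="/etc/ipfw.rules"    # save this script's output there
#   natd_enable="YES"
#   natd_interface="fxp0"              # natd aliases to the external NIC

EXT_IF="${EXT_IF:-fxp0}"           # assumed external (DSL-side) interface
INT_IF="${INT_IF:-ed0}"            # assumed internal (switch-side) interface
INT_NET="${INT_NET:-10.0.0.0/24}"  # assumed private prefix

# Print the ruleset. Only the "via $ext" divert rule hands packets to
# natd, so traffic crossing $int never reaches natd; it is translated
# exactly once, on the external interface. Rules 200/210 drop packets
# that arrive from outside already carrying private addresses (the
# untranslated packet is checked, since they sit before the divert);
# rule 220 refuses non-private sources from the inside.
nat_rules() {
    ext="$1"; int="$2"; net="$3"
    if [ "$ext" = "$int" ]; then
        echo "warning: one interface means every packet hits the divert rule twice" >&2
    fi
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from $net to any in recv $ext
add 210 deny ip from any to $net in recv $ext
add 220 deny ip from not $net to any in recv $int
add 300 divert natd ip from any to any via $ext
add 400 allow ip from any to any
EOF
}

# Number of rules in the current ruleset that mention "via <iface>".
count_rules_via() {
    nat_rules "$EXT_IF" "$INT_IF" "$INT_NET" | grep -c "via $1"
}

# Load the rules live. Requires root and ipfw(8); not run by default.
apply_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    ipfw -q flush
    nat_rules "$EXT_IF" "$INT_IF" "$INT_NET" | while read -r line; do
        # shellcheck disable=SC2086
        ipfw -q $line
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     nat_rules "$EXT_IF" "$INT_IF" "$INT_NET" ;;
esac
```

Run it with no arguments to review the rules, redirect the output to the
file named in firewall_type, and only then run it with "apply". Setting
EXT_IF and INT_IF to the same name reproduces the single-interface
situation from the reply: the warning fires because the one divert rule
would then match both the inbound and the outbound pass of every packet.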