From: Odhiambo Washington <wash@wananchi.com>
To: freebsd-questions@freebsd.org
Date: Sat, 30 Jul 2005 13:41:52 +0300
Subject: Problem with IPFilter/IPNAT
Message-ID: <20050730104152.GH17171@ns2.wananchi.com>

I am using IPFilter and IPNat on several FreeBSD boxes. They are mostly configured the same. Each box has two interfaces, public and internal, and acts as a router to the LAN which is 'behind' it. The LAN machines use the FreeBSD box as the gateway, as well as a DNS server. I run a cache-only config.

The problem I have is that when, for any reason, the public link goes down, the machines on the LAN time out when communicating.
I can simulate this by simply pulling out the connection from the $ext_iface (assume this is ADSL or something like that) which is connected to the ISP upstream. I don't know if it is my NAT configuration causing this.

I'd want a situation where network communications within the LAN are not affected when the circuit to the ISP is down, since it is only used for web traffic and for the mail server on the FreeBSD router to send outbound e-mails, not local e-mails.

Here is the /etc/ipnat.rules that I use:

    # rl0 is the internal interface. rl1 is the external interface.
    # These redirection rules are to force users on the LAN
    # to go through the Squid cache.

    # First we let this machine access itself because there is a web server
    # on it. Redirect direct web traffic to the local web server.
    rdr rl0 192.168.100.31/32 port 80 -> 192.168.100.31 port 80 tcp
    rdr rl0 192.168.100.31/32 port 443 -> 192.168.100.31 port 443 tcp

    # Transparently redirect all outgoing web traffic through squid on
    # port 3128
    rdr rl0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128

    # Also all SMTP connections must go via localhost
    rdr rl0 0.0.0.0/0 port 25 -> 127.0.0.1 port 25

    # Now do NAT, but only for packets that are NOT local.
    map rl1 from 192.168.100.0/24 ! to 192.168.100.0/24 -> 0/32 portmap tcp/udp auto
    map rl1 from 192.168.100.0/24 ! to 192.168.100.0/24 -> 0/32

What am I missing or doing wrong here?

-Wash
http://www.netmeister.org/news/learn2quote.html

--
Odhiambo Washington
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121
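One way to reason about what the ruleset above does to LAN-internal traffic, as an added example that is not part of the original post and not an IPFilter tool: a small Python model that parses the rdr and map lines and reports which rule a given packet hits. It assumes ipnat's first-match semantics for rdr and map rules (an assumption of the model, not something the post states) and ignores the `portmap` and target-address parts of the map rules. The client addresses 192.168.100.50/.60 and the external address 203.0.113.5 are constructed sample values. Running it shows that the only LAN destination exempted from the Squid redirect is 192.168.100.31, so a web connection from one LAN host to any other LAN host on port 80 is sent to the proxy, while the map rules correctly leave LAN-to-LAN traffic un-NATed. Whether the proxied connections then succeed while the upstream link is down depends on what Squid does with them, which this model does not cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ruleset from the post (comments stripped by the parser).
IPNAT_RULES = """
rdr rl0 192.168.100.31/32 port 80 -> 192.168.100.31 port 80 tcp
rdr rl0 192.168.100.31/32 port 443 -> 192.168.100.31 port 443 tcp
rdr rl0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128
rdr rl0 0.0.0.0/0 port 25 -> 127.0.0.1 port 25
map rl1 from 192.168.100.0/24 ! to 192.168.100.0/24 -> 0/32 portmap tcp/udp auto
map rl1 from 192.168.100.0/24 ! to 192.168.100.0/24 -> 0/32
"""


@dataclass
class RdrRule:
    iface: str
    dst: ipaddress.IPv4Network
    dport: int
    to_addr: str
    to_port: int
    proto: str = "tcp"  # ipnat defaults rdr rules to tcp when no protocol is given


@dataclass
class MapRule:
    iface: str
    src: ipaddress.IPv4Network
    not_dst: Optional[ipaddress.IPv4Network]  # the "! to <net>" exclusion, if any


def parse_rules(text: str) -> Tuple[List[RdrRule], List[MapRule]]:
    """Parse the subset of ipnat syntax used in the post; skips comments/blank lines."""
    rdr, maps = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "rdr":
            # rdr <iface> <dst>/<mask> port <n> -> <addr> port <m> [proto]
            proto = tok[9] if len(tok) > 9 else "tcp"
            rdr.append(RdrRule(tok[1], ipaddress.ip_network(tok[2]),
                               int(tok[4]), tok[6], int(tok[8]), proto))
        elif tok[0] == "map":
            # map <iface> from <src>/<mask> [! to <dst>/<mask>] -> <target> ...
            not_dst = None
            if "!" in tok:
                i = tok.index("!")
                not_dst = ipaddress.ip_network(tok[i + 2])
            maps.append(MapRule(tok[1], ipaddress.ip_network(tok[3]), not_dst))
    return rdr, maps


def rdr_target(rules: List[RdrRule], in_iface: str, dst: str, dport: int,
               proto: str = "tcp") -> Optional[Tuple[str, int]]:
    """Return (addr, port) the packet is redirected to, or None if no rdr rule matches.
    Assumes first-match evaluation order for rdr rules."""
    d = ipaddress.ip_address(dst)
    for r in rules:
        if r.iface == in_iface and r.proto == proto and r.dport == dport and d in r.dst:
            return (r.to_addr, r.to_port)
    return None


def nat_applies(rules: List[MapRule], out_iface: str, src: str, dst: str) -> bool:
    """True if some map rule would translate a packet leaving out_iface from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for m in rules:
        if m.iface == out_iface and s in m.src and (m.not_dst is None or d not in m.not_dst):
            return True
    return False


if __name__ == "__main__":
    rdr, maps = parse_rules(IPNAT_RULES)
    # Constructed LAN clients: .50 talking to the router (.31) and to another host (.60).
    for dst, port in [("192.168.100.31", 80), ("192.168.100.60", 80),
                      ("192.168.100.60", 22), ("192.168.100.60", 25)]:
        print(f"rl0 -> {dst}:{port}  rdr => {rdr_target(rdr, 'rl0', dst, port)}")
    for dst in ["192.168.100.60", "203.0.113.5"]:  # 203.0.113.5 is a constructed external host
        print(f"rl1 192.168.100.50 -> {dst}  nat => {nat_applies(maps, 'rl1', '192.168.100.50', dst)}")
```

The parser handles only the rule shapes present in the post; anything else in a real ipnat.rules would need extending it, and `ipnat -l` on the box remains the authoritative view of what is loaded.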