Date:      Sat, 26 Jul 2003 01:05:05 -0400
From:      Jim Durham <durham@jcdurham.com>
To:        Clement Laforet <sheepkiller@cultdeadsheep.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: NATD and Address Redirection
Message-ID:  <200307260105.06263.durham@jcdurham.com>
In-Reply-To: <20030726022205.452c374f.sheepkiller@cultdeadsheep.org>
References:  <200307251349.38413.durham@jcdurham.com> <20030726022205.452c374f.sheepkiller@cultdeadsheep.org>

On Friday 25 July 2003 08:22 pm, Clement Laforet wrote:
> On Fri, 25 Jul 2003 13:49:38 -0400
> Jim Durham <durham@jcdurham.com> wrote:
>
> Hi,
>
> > I'm wondering about the characteristics of the redirect_address
> > option of natd. I tried this on -questions, but no one replied, so I
> > thought I'd ask on here, hoping to find folks more familiar with
> > kernel mechanisms here.
>
> Except for DIVERT, there aren't any kernel mechanisms for address
> translation.
>
> > Consider a FreeBSD NAT "gateway" between a public IP on one
> > network interface and a private "LAN" address on the 2nd
> > interface serving a group of Windows machines on the LAN with
> > private IPs.
> >
> > We wanted to allow outside access to one of the LAN machines.
> >
> > According to the documentation, as I read it, redirect_address
> > sets up a "static NAT" which is symmetrical between a public address on
> > the outside interface of a FreeBSD machine and a machine on a
> > private IP attached to the "inside" or "LAN" network interface.
> >
> > The procedure we used was to alias a 2nd public address to the
> > outside interface and use a redirect_address statement in natd.conf to
> > redirect connections to the new public IP to the inside machine.
> >
> > This doesn't seem to be symmetrical.
>
> <snip>
>
> > I'm questioning whether the connection is really symmetrical?
>
> for incoming traffic, you must use -redirect_address, but for
> outgoing you have to set -alias_address.

First, Thanks much for your reply....

I can add alias_address, but please note that the inside machine 
already seems to be getting aliased, at least in some cases. If you 
connect to one of those "what's my IP" sites using the browser on the 
inside machine, you get the correct answer back, i.e., you get the 2nd 
public IP instead of the "main" public IP.

> If you want to use a specific public IP to map incoming AND
> outgoing packets, you need to run 2 natd, using ipfw matching.

Can you point me to some documentation on how this is set up?
Google returns nothing useful.

-Jim
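The two-natd layout suggested in the reply quoted above, written out as an added example for this archive page; it is not a script from the thread, from Clement or from the FreeBSD project. The interface name (fxp0), the addresses (203.0.113.10/11 on the outside, 192.168.1.0/24 inside), the divert ports and the ipfw rule numbers are all assumptions chosen for the example. One natd instance masquerades the LAN behind the primary public address; a second instance carries both an -alias_address and a -redirect_address for the aliased second address, so that host's outgoing and incoming traffic are handled by the same translator. Without an argument the script only prints the commands it would run; with `apply` it runs them, which needs a kernel built with IPFIREWALL and IPDIVERT.

```shell
#!/bin/sh
# Two natd instances on one outside interface: the LAN host LAN_STATIC is
# mapped 1:1 to the aliased second public address PUB_STATIC, every other
# LAN host is masqueraded behind PUB_MAIN. Interface name, addresses,
# divert ports and rule numbers are assumptions made for this example;
# the thread does not give them.
#
#   sh two-natd.sh          print the natd and ipfw commands (dry run)
#   sh two-natd.sh apply    execute them (kernel with IPFIREWALL and IPDIVERT)

EXT_IF=fxp0               # outside interface (assumed name)
PUB_MAIN=203.0.113.10     # primary public address, used for masquerading
PUB_STATIC=203.0.113.11   # second public address, aliased onto EXT_IF
LAN_STATIC=192.168.1.10   # inside host that owns PUB_STATIC
LAN_NET=192.168.1.0/24    # the private LAN
PORT_MAIN=8668            # divert port of the masquerading natd
PORT_STATIC=8669          # divert port of the one-host natd
MAIN_RULES=2000           # first rule of the ordinary filtering policy

case "${1:-}" in apply) APPLY=1 ;; *) APPLY=0 ;; esac

# run: execute the command when applying, otherwise print it so the
# generated rule set can be reviewed first.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

start_natd() {
    # Instance 1: ordinary masquerading behind the primary address.
    run natd -port "$PORT_MAIN" -alias_address "$PUB_MAIN"
    # Instance 2: the 1:1 mapping. -alias_address makes the inside host's
    # own connections leave as PUB_STATIC; -redirect_address makes new
    # connections arriving for PUB_STATIC reach the inside host.
    run natd -port "$PORT_STATIC" -alias_address "$PUB_STATIC" \
        -redirect_address "$LAN_STATIC" "$PUB_STATIC"
}

add_ipfw_rules() {
    # Anti-spoofing before any divert: the outside may neither claim a LAN
    # source nor address a LAN host directly. Packets natd re-injects enter
    # ipfw at the rule after the divert that caught them, so they never
    # come back to these two rules.
    run ipfw add 900 deny ip from "$LAN_NET" to any in recv "$EXT_IF"
    run ipfw add 910 deny ip from any to "$LAN_NET" in recv "$EXT_IF"

    # Outbound from the static host: instance 2, then jump past the
    # catch-all divert, or the translated packet would be NATed again.
    run ipfw add 1000 divert "$PORT_STATIC" ip from "$LAN_STATIC" to any out xmit "$EXT_IF"
    run ipfw add 1010 skipto "$MAIN_RULES" ip from "$PUB_STATIC" to any out xmit "$EXT_IF"

    # Inbound for the second public address: instance 2, same jump.
    run ipfw add 1020 divert "$PORT_STATIC" ip from any to "$PUB_STATIC" in recv "$EXT_IF"
    run ipfw add 1030 skipto "$MAIN_RULES" ip from any to "$LAN_STATIC" in recv "$EXT_IF"

    # Everything else crossing the outside interface: instance 1.
    run ipfw add 1040 divert "$PORT_MAIN" ip from any to any via "$EXT_IF"
}

start_natd
add_ipfw_rules
```

The skipto rules are the part that is easy to forget: natd hands a translated packet back to ipfw at the rule following the divert that caught it, so without them the catch-all divert to the first instance would translate it a second time. The same flags can go into a natd.conf (`port`, `alias_address`, `redirect_address`, one per line, no leading dash) and the instance started with `natd -f`. One consequence of the static mapping worth checking before applying it: every packet that arrives for the second public address now belongs to the inside host, including anything the gateway itself had bound to that alias.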
