From: Peter Serwe <peter@easytree.net>
To: freebsd-net@freebsd.org
Date: Tue, 23 Dec 2003 08:23:00 -0500
Message-ID: <3FE841B4.8E6D47E9@easytree.net>
Subject: ipfw/natd/3 nic
List-Id: Networking and TCP/IP with FreeBSD

Okay,

Basically, since FreeBSD is (in my mind anyway) the ultimate leatherman of the OS world, and God's own gift to networking and network services in general, I decided to try to do a 3 nic ipfw/natd setup. I've done 2 nic ipfw/natd a couple of times, and straight ipfw public-->public a couple of times; I'm fairly comfortable with it.

After searching around, I found a message from Gilson (de?)Paiva referencing some stuff Barney Wolff told him that basically straightened it out.

Here's what I'm trying to accomplish: I have 2 internal networks that I'll term private_private (192.168.1.0/24) and public_private (192.168.2.0/24). The total number of clients between both networks probably could never exceed 100, and probably won't ever exceed 50. I have one public ip address. I need both networks to be able to surf, but I _never_ want ANY traffic to be able to go in between except from someone having direct access to the router. The router shouldn't be passing any traffic in between private networks.

My ideal as I've currently envisioned it would be 3 nic nat, with both private networks being able to get out the public interface.

Here's the part that's got me thrown for a loop:

Run 2 instances of natd on 8668/8669 - no problem. Run the divert rule twice, one to the first nat interface on 8668, one to the second on 8669. The second natd line is the problem child for me:

    /sbin/natd -f /etc/natd.conf -p 8669 -alias_address public_address

Is this to imply that I need to run a second public address for the second natd instance to run?

Hopefully I've left out nothing relevant. Thanks all.

Pete

-- 
Peter Serwe
Cheaper, Faster, Better, pick any two.
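The following /bin/sh firewall script is an added example for the three-NIC layout described in the post; it is not from the post, the thread's replies, or the FreeBSD rc scripts. It makes one design choice the post does not: a single natd instance bound to the public interface (natd's `-n`), because address translation only has to happen on the interface that carries the public address, and that one instance serves both inside networks. Isolation between the two private networks is done with ipfw `deny` rules qualified by `in via <private interface>`, so only packets received from a private NIC are matched and traffic originating on the router itself still reaches both sides. The interface names (fxp0/fxp1/fxp2), the script path in the rc.conf fragment, and the natd port are assumptions; the two network prefixes come from the post. The kernel needs IPFIREWALL and IPDIVERT, and with `DRY_RUN` at its default of 1 the script only prints the ipfw commands it would run.

```shell
#!/bin/sh
# Three-NIC ipfw/natd layout: one public interface, two private networks that
# must never exchange traffic through the router.
# Added example. Interface names, script path and natd port are assumptions;
# the two network prefixes are the ones named in the post.

EXT_IF="${EXT_IF:-fxp0}"            # assumed: carries the single public address
IF_A="${IF_A:-fxp1}"                # assumed: private_private side
IF_B="${IF_B:-fxp2}"                # assumed: public_private side
NET_A="${NET_A:-192.168.1.0/24}"    # private_private (from the post)
NET_B="${NET_B:-192.168.2.0/24}"    # public_private  (from the post)
NATD_PORT="${NATD_PORT:-8668}"      # natd's default divert port
IPFW="${IPFW:-/sbin/ipfw}"
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands, 0 = execute them

# The ruleset, one ipfw argument list per line:
#   100      divert everything crossing the public interface (both directions)
#            to the single natd instance; nothing on the private NICs is diverted
#   200/210  a packet received on one private NIC and addressed to the other
#            private network is dropped and logged; "in via" only matches packets
#            arriving on that NIC, so the router's own packets are unaffected
#   300/310  anti-spoof: private source addresses never arrive from the outside
#   65000    everything else passes (the post's "both networks can surf");
#            inbound policy on EXT_IF is a separate decision
fw_rules() {
    cat <<EOF
-f flush
add 100 divert ${NATD_PORT} ip from any to any via ${EXT_IF}
add 200 deny log ip from any to ${NET_B} in via ${IF_A}
add 210 deny log ip from any to ${NET_A} in via ${IF_B}
add 300 deny log ip from ${NET_A} to any in via ${EXT_IF}
add 310 deny log ip from ${NET_B} to any in via ${EXT_IF}
add 65000 allow ip from any to any
EOF
}

# Print or execute the ruleset line by line.
apply_rules() {
    fw_rules | while IFS= read -r rule; do
        if [ "$DRY_RUN" = "1" ]; then
            printf '%s %s\n' "$IPFW" "$rule"
        else
            # word-splitting of $rule into separate ipfw arguments is intended
            "$IPFW" $rule
        fi
    done
}

# The one natd invocation: bind to the public interface, listen on NATD_PORT.
natd_command() {
    printf '/sbin/natd -p %s -n %s\n' "$NATD_PORT" "$EXT_IF"
}

# rc.conf fragment that starts forwarding, this script and natd at boot.
# rc runs natd as "natd -n $natd_interface $natd_flags". The script path is assumed.
rc_conf_fragment() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/fw3nic.sh"
natd_enable="YES"
natd_interface="${EXT_IF}"
natd_flags="-p ${NATD_PORT}"
EOF
}

apply_rules
```

Run it as is to review the generated `ipfw` commands, then with `DRY_RUN=0` to load them; `natd_command` and `rc_conf_fragment` print the matching natd invocation and rc.conf lines. Because the divert rule sits on the public interface only, a packet from 192.168.1.0/24 to 192.168.2.0/24 never reaches natd at all: it enters on fxp1 and is dropped by rule 200 before any forwarding decision.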