From owner-freebsd-questions Mon Jan 10 19: 4:17 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by hub.freebsd.org (Postfix) with ESMTP id DE87B1534C for ; Mon, 10 Jan 2000 19:03:57 -0800 (PST) (envelope-from mw@theatre.sax.de)
Received: (from uucp@localhost) by sax.sax.de (8.9.3/8.9.3) with UUCP id EAA11341 for freebsd-questions@FreeBSD.ORG; Tue, 11 Jan 2000 04:03:44 +0100 (CET)
Received: by theatre.sax.de (8.9.3/8.6.12-s1) id DAA15830 for freebsd-questions@FreeBSD.ORG; Tue, 11 Jan 2000 03:09:47 +0100 (CET)
Date: Tue, 11 Jan 2000 03:09:46 +0100
From: Martin Welk
To: freebsd-questions@FreeBSD.ORG
Subject: Re: NATD and Public IP Addresses
Message-ID: <20000111030946.A14785@theatre.sax.de>
Reply-To: mw@sax.de
References: <20000111003327.C33776@extremis.demon.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000111003327.C33776@extremis.demon.co.uk>; from gjvc@extremis.demon.co.uk on Tue, Jan 11, 2000 at 12:33:27AM +0000
Organization: Private UUCP/Usenet site.
X-Operating-System: FreeBSD http://www.freebsd.org/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Jan 11, 2000 at 12:33:27AM +0000, George Cox wrote:

> > I have several machines (6) which must be individually publicly accessible.
>
> And you propose to put them on the inner side of the NAT machine? Well, you
> can't do that -- because those machines will have addresses that are NOT
> ROUTABLE on the Internet.

He can at least hook them to the internal network, give them local (private)
addresses and redirect those addresses through natd on a FreeBSD box that
works as a gateway host:

    Public network interface <-> Private network interface

    a.b.c.1 = Primary public interface address
    a.b.c.2 <-> x.y.z.2 (*)
    a.b.c.3 <-> x.y.z.3 (*)
    a.b.c.4 <-> x.y.z.4 (*)
    (...)

(*) Public network interface addresses configured as ifconfig aliases, that
means, the gateway recognizes itself as that address. When this is done, it
can pass the packets through natd, which changes the address and forwards
them to an assigned address in the private network.

> OK -- here you say you have the IP addresses (presumably you mean public IP
> addresses) and say you want to use NAT.

He may need NAT because he has six addresses (a 29-bit netmasked network
piece) but n (with n > 6) network hosts that should be accessible from the
public. This is possible.

First of all, I recommend you read the man pages for ipfw(4), ipfw(8),
divert(4), natd(8), dummynet(4) and build a custom kernel. You need at least
the IPFIREWALL/IPDIVERT rules, perhaps for a start the
IPFIREWALL_DEFAULT_TO_OPEN (sp?) is handy. Configure your FreeBSD machine as
a gateway host.

What you need is the redirect function of natd. For a start, you can use
some minimal firewall setup like

    ipfw add 100 divert 8668 ip from any to any via xxx
    ipfw add 200 allow all from any to any

(xxx is the public network interface name) and a natd configuration like

    unregistered_only yes
    alias_address a.b.c.1
    redirect_address x.y.z.2 a.b.c.2
    redirect_address x.y.z.3 a.b.c.3
    redirect_address x.y.z.4 a.b.c.4
    (...)

Don't forget to define those alias addresses for the public network
interface, like

    ifconfig xxx alias a.b.c.2 netmask n.m.n.o
    ifconfig xxx alias a.b.c.3 netmask n.m.n.o
    ifconfig xxx alias a.b.c.4 netmask n.m.n.o
    (...)

(Of course it is better to put that into /etc/rc.conf)

Good luck.

Regards,
Martin

-- 
Martin Welk                        ,,You know, there's a lot of opportunities,
Freiberg/Saxony, Germany             if you're knowing to take them, you know,
mw@sax.de / mw@theatre.sax.de        there's a lot of opportunities, if there
                                     aren't you can make them, make or break
                                     them!'' (Tennant/Lowe)
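The following script is an added example and is not part of Martin's post. It takes the public-to-private address mapping the post describes and generates the three pieces of configuration the post lists (ifconfig aliases, natd.conf redirect_address lines, ipfw rules), after checking that no address is mapped twice and that the gateway's own primary address is not redirected to an internal host. It goes a little beyond the post in two places: the aliases are emitted with a 255.255.255.255 netmask, which FreeBSD requires for aliases that share the primary address's subnet, and the ipfw rules only admit new inbound TCP connections to an explicit per-host service list and deny-and-log the rest instead of "allow all from any to any". All addresses (203.0.113.0/29 for a.b.c.0/29, 192.168.1.0/24 for x.y.z.0/24), the interface names fxp0/fxp1 and the service list are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate natd/ifconfig/ipfw
# configuration for a public<->private address mapping after sanity checks.
# Addresses and interface names are constructed: 203.0.113.0/29 stands in
# for a.b.c.0/29, 192.168.1.0/24 for x.y.z.0/24, fxp0/fxp1 are assumed names.

PUBLIC_IF="fxp0"            # assumed public interface (the "xxx" in the post)
PRIVATE_IF="fxp1"           # assumed private interface
ALIAS_ADDR="203.0.113.1"    # primary public address (a.b.c.1)
DIVERT_PORT=8668            # natd's default divert port

# Constructed mapping: "<public address> <private address>", one pair per line.
MAPPING='203.0.113.2 192.168.1.2
203.0.113.3 192.168.1.3
203.0.113.4 192.168.1.4'

# Constructed service list: "<private address> <tcp port>" reachable from the
# public side; every other new inbound connection is denied and logged.
SERVICES='192.168.1.2 80
192.168.1.2 443
192.168.1.3 25'

# check_mapping MAPPING ALIAS_ADDR
# Fails if a public or private address appears twice (natd would get two
# redirect_address lines for one address) or if the gateway's own primary
# address is mapped to an internal host.
check_mapping() {
    _map="$1"; _alias="$2"
    _dup_pub=$(printf '%s\n' "$_map" | awk '{ print $1 }' | sort | uniq -d)
    _dup_priv=$(printf '%s\n' "$_map" | awk '{ print $2 }' | sort | uniq -d)
    [ -z "$_dup_pub" ] && [ -z "$_dup_priv" ] || return 1
    printf '%s\n' "$_map" | awk -v a="$_alias" '$1 == a { bad = 1 } END { exit bad }'
}

# gen_aliases MAPPING PUBLIC_IF
# One ifconfig alias per public address. An alias on the same subnet as the
# primary address must use a 255.255.255.255 netmask on FreeBSD.
gen_aliases() {
    printf '%s\n' "$1" | awk -v ifn="$2" \
        '{ printf "ifconfig %s alias %s netmask 255.255.255.255\n", ifn, $1 }'
}

# gen_natd_conf MAPPING ALIAS_ADDR
# natd.conf: redirect_address takes the private address first, then the public one.
gen_natd_conf() {
    printf 'unregistered_only yes\nalias_address %s\n' "$2"
    printf '%s\n' "$1" | awk '{ printf "redirect_address %s %s\n", $2, $1 }'
}

# gen_ipfw_rules SERVICES PUBLIC_IF PRIVATE_IF DIVERT_PORT
# The divert rule must come first: after it, inbound packets already carry the
# private destination address, so the per-service rules match on 192.168.1.x.
gen_ipfw_rules() {
    _svc="$1"; _pub="$2"; _priv="$3"; _port="$4"
    printf 'ipfw add 100 divert %s ip from any to any via %s\n' "$_port" "$_pub"
    printf 'ipfw add 110 allow ip from any to any via lo0\n'
    printf 'ipfw add 120 allow ip from any to any via %s\n' "$_priv"
    printf 'ipfw add 130 allow tcp from any to any established\n'
    printf 'ipfw add 140 allow ip from any to any out via %s\n' "$_pub"
    printf '%s\n' "$_svc" | awk -v ifn="$_pub" 'BEGIN { n = 300 }
        { printf "ipfw add %d allow tcp from any to %s %s setup in via %s\n", n, $1, $2, ifn; n += 10 }'
    printf 'ipfw add 65000 deny log ip from any to any\n'
}

# Run with --print to see the generated configuration (nothing is applied).
if [ "${1:-}" = "--print" ]; then
    check_mapping "$MAPPING" "$ALIAS_ADDR" || { echo "mapping is inconsistent" >&2; exit 1; }
    echo "--- ifconfig aliases (or the equivalent ifconfig_${PUBLIC_IF}_aliasN lines in /etc/rc.conf)"
    gen_aliases "$MAPPING" "$PUBLIC_IF"
    echo "--- /etc/natd.conf"
    gen_natd_conf "$MAPPING" "$ALIAS_ADDR"
    echo "--- ipfw rules"
    gen_ipfw_rules "$SERVICES" "$PUBLIC_IF" "$PRIVATE_IF" "$DIVERT_PORT"
fi
```

The script only prints; review the output and then put the aliases into /etc/rc.conf and the rules into the firewall script, as the post suggests. The "established" rule is the classic pre-stateful ipfw idiom and matches any packet with ACK set, so on a kernel that supports keep-state/check-state those are the better choice.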