Date:      Mon, 10 Nov 2014 14:12:32 -0700
From:      "Gary Aitken" <vagabond@blackfoot.net>
To:        "Freebsd Questions" <questions@freebsd.org>
Cc:        kudzu@tenebras.com, smithi@nimnet.asn.au
Subject:   Re: natd not translating?
Message-ID:  <f903055e432dff8e69c3851105f2c66b.squirrel@webmail.blackfoot.net>

Ian and Michael, thanks both of you for the clarification on using
separate incoming and outgoing rules.
The world is now good...

> > I have a non-gateway ip addr reserved for use by natd, and currently have
> >   divert 8668 ip from any to any via ep0
> > Since I have a non-gateway addr reserved for the natd xlations, it
> > seems like
> >   divert 8668 ip4 from not me to not me via ep0
> > should have identical behavior; but it doesn't.
> > It seems like nothing came through to clients.
>
> Well, traffic coming back in from remote hosts IS 'to me' (ie, to any
> address configured on any interface on this box) before it's been
> translated by NAT to an inside host address

Not necessarily.  If I have specified
  redirect_address 192.168.1.12 <non-gateway-ip-addr>
  alias_address <other-non-gateway-ip-addr>

then everything not destined for the gateway machine will not be "to me".
By non-gateway-ip-addr I mean one of my assigned ip addrs,
but not the one assigned by me to the outward-facing interface of the
gateway box.  (You knew that; I just wasn't clear earlier.)
  e.g. if my assigned ip addrs are a.b.c.16/29:
       gateway interface to the world: a.b.c.17
     natd.conf specifies:
       redirect_address 192.168.1.12 a.b.c.21
       alias_address a.b.c.22

I have reworked the ipfw rules starting with rc.firewall "simple" as a
template and adding what little I needed.  Thanks again for the hint. With
those new rules, the above
  05000 divert 8668 ip4 from not me to not me via ep0
seems to work as well as

  05001 divert 8668 ip4 from 192.168.1.0/24 to any out recv xl0 xmit ep0
  05002 divert 8668 ip4 from any to not me in recv ep0

Am I right that, given the natd.conf constraints on redirect addrs
indicated above, the 5000 rule should work as well as 5001 + 5002, and
natd won't be doing any extra work?

> Strangely, there's no man page for ep nor if_ep on 8.x or 9.x?

ugh.  That will be interesting when my upgrade starts in a few days.  Dang.

man ep
ep -- Ethernet driver for 3Com Etherlink III (3c5x9) interfaces
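The question in the message above, whether the single rule 05000 is equivalent to the pair 05001 + 05002, turns entirely on what ipfw's `me` keyword matches: any address configured on any interface of the box, and nothing else. The model below is an added illustration, not code from the thread or from FreeBSD; it encodes the three rules as predicates and runs a set of constructed packets through them. 203.0.113.16/29 stands in for a.b.c.16/29, the inside address 192.168.1.1 on xl0 is an assumption, and, as the poster describes, the natd redirect and alias addresses (.21 and .22) are assumed not to be configured on any interface, so `me` does not match them.

```python
"""Added example: ipfw 'me' matching applied to the three divert rules in
the thread. Not code from the message or from FreeBSD; addresses and packets
are constructed. 203.0.113.16/29 stands in for a.b.c.16/29; the natd
alias/redirect addresses (.21, .22) are assumed NOT configured on the box."""
import ipaddress

# Addresses configured on the gateway's interfaces (constructed; the natd
# addresses are deliberately absent so that ipfw's 'me' does not match them).
CONFIGURED = {
    ipaddress.ip_address("203.0.113.17"),  # ep0, outward-facing
    ipaddress.ip_address("192.168.1.1"),   # xl0, inside address (assumed)
}
LAN = ipaddress.ip_network("192.168.1.0/24")


def is_me(addr):
    """ipfw 'me': true for any address configured on any interface."""
    return ipaddress.ip_address(addr) in CONFIGURED


def rule_5000(p):
    """05000 divert 8668 ip4 from not me to not me via ep0
    ('via ep0' matches packets received on or transmitted via ep0)."""
    via_ep0 = p["recv"] == "ep0" or p["xmit"] == "ep0"
    return via_ep0 and not is_me(p["src"]) and not is_me(p["dst"])


def rule_5001(p):
    """05001 divert 8668 ip4 from 192.168.1.0/24 to any out recv xl0 xmit ep0"""
    return (p["dir"] == "out" and p["recv"] == "xl0" and p["xmit"] == "ep0"
            and ipaddress.ip_address(p["src"]) in LAN)


def rule_5002(p):
    """05002 divert 8668 ip4 from any to not me in recv ep0"""
    return p["dir"] == "in" and p["recv"] == "ep0" and not is_me(p["dst"])


def pair_diverts(p):
    """The two-rule form diverts when either rule matches."""
    return rule_5001(p) or rule_5002(p)


def packet(label, src, dst, direction, recv, xmit):
    return {"label": label, "src": src, "dst": dst,
            "dir": direction, "recv": recv, "xmit": xmit}


# Constructed packets. recv=None means locally generated; xmit=None means
# delivered locally. natd re-injects a translated packet after the divert
# rule that caught it, so the re-injected copy never hits these rules again
# and is not modelled.
PACKETS = [
    packet("lan client -> internet (forwarded)",
           "192.168.1.12", "198.51.100.7", "out", "xl0", "ep0"),
    packet("internet -> redirect address .21 (reply to client)",
           "198.51.100.7", "203.0.113.21", "in", "ep0", "xl0"),
    packet("internet -> alias address .22",
           "198.51.100.7", "203.0.113.22", "in", "ep0", "xl0"),
    packet("internet -> gateway itself .17",
           "198.51.100.7", "203.0.113.17", "in", "ep0", None),
    packet("gateway itself -> internet",
           "203.0.113.17", "198.51.100.7", "out", None, "ep0"),
    packet("inbound with spoofed source = gateway .17",
           "203.0.113.17", "203.0.113.21", "in", "ep0", "xl0"),
    packet("other inside net 10.0.0.5 -> internet (forwarded)",
           "10.0.0.5", "198.51.100.7", "out", "xl0", "ep0"),
]


def evaluate(packets=PACKETS):
    """Return {label: (rule 05000 matched, 05001+05002 matched)}."""
    return {p["label"]: (rule_5000(p), pair_diverts(p)) for p in packets}


def divergences(packets=PACKETS):
    """Labels of packets the single rule and the pair treat differently."""
    return [lbl for lbl, (a, b) in evaluate(packets).items() if a != b]


if __name__ == "__main__":
    for lbl, (single, pair) in evaluate().items():
        print(f"{'SAME' if single == pair else 'DIFF'}  5000={single!s:5} "
              f"5001+5002={pair!s:5}  {lbl}")
```

For the traffic the message is about (clients behind 192.168.1.0/24 going out, replies coming back to .21 or .22, and the gateway's own traffic staying out of natd), the two forms agree. The model also surfaces the two places they do not: the pair diverts an inbound packet on ep0 whose source claims to be the gateway's own address, which the single rule's `from not me` excludes (an anti-spoof deny rule earlier in the ruleset covers that case either way), and the single rule diverts forwarded traffic from any inside source rather than only 192.168.1.0/24. Neither changes the amount of work natd does on the packets that actually match.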
