Date:      Mon, 20 Oct 1997 10:59:36 -0400 (EDT)
From:      Thomas David Rivers <rivers@dignus.com>
To:        brian@awfulhak.org, rivers@dignus.com
Cc:        freebsd-hackers@freefall.FreeBSD.org
Subject:   Re: two natd's running?
Message-ID:  <199710201459.KAA19512@lakes.dignus.com>

All of this is included for context (since this is a rather
slow-running thread....)


> > 
> > This is a rather old question I'm just now getting around to...
> > 
> > What I have is a situation where I'd like to two SL/IP connections
> > going with multiple natd's running.
> > 
> > Several people had suggested simply having two divert rules in 
> > rc.firewall and running the two natd's that way.
> > 
> > Here's what I've got the gateway (a 2.2-970510-RELENG machine) at
> > 10.0.0.1:
> > 
> >         ipfw -f flush
> >         ipfw -f add 10 divert 32001 ip from any to 192.42.243.0/24 via sl1
> 
> You can't masquerade in just one direction.... add
>  
>           ipfw -f add 10 divert 32001 ip from 192.42.243.0/24 to any via sl1
> 
> >         ipfw -f add 20 divert 32000 ip from any to any via sl0
> >         ipfw -f add pass ip from any to any
> [.....]
> > 	- Thanks -	
> > 	- Dave Rivers -
> >  
> 
> -- 
> Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <bri@OpenBSD.org>
>       <http://www.Awfulhak.org>;



I followed Brian's suggestion and now have:

        ipfw -f add 10 divert 32001 ip from any to 192.42.243.0/24 via sl1
        ipfw -f add 15 divert 32001 ip from 192.42.243.0/24 to any via sl1
        ipfw -f add 20 divert 32000 ip from any to any via sl0
        ipfw -f add pass ip from any to any

as my firewall configuration....

and - I'm running two natd's:

	/usr/local/bin/natd -l -port 32000 -interface sl0 -m -u -dynamic
	/usr/local/bin/natd -l -port 32001 -interface sl1 -m -u -dynamic


This appears to be an improvement, as the gateway machine correctly
forwards traffic to 192.42.243.0/24 via sl1 (and natd is doing the
proper translation.)

However, something isn't working in the routing tables...

On the gateway machine I have:

   # netstat -rn
   Routing tables
   
   Internet:
   Destination        Gateway            Flags     Refs     Use     Netif Expire
   10/24              link#1             UC          0        0 
   10.0.0.3           0:40:33:22:a2:6b   UHLW        6     1206       ed0    591
   10.23.1.112        192.42.243.1       UGHS        0        0       sl1
   10.23.1.115        192.42.243.1       UGHS        0        0       sl1
   10.26.1.153        192.42.243.1       UGHS        0        0       sl1
   10.26.1.157        192.42.243.1       UGHS        0        0       sl1
   10.26.149.40       192.42.243.1       UGHS        0        0       sl1
   10.252.1.2         192.42.243.1       UGHS        0        0       sl1
   10.253.1.2         192.42.243.1       UGHS        0        0       sl1
   127.0.0.1          127.0.0.1          UH          0        0       lo0
   130.96.1.21        192.42.243.1       UGHS        0        0       sl1
   149.173.52.101     192.42.243.1       UGHS        0        0       sl1
   149.173.52.209     192.42.243.1       UGHS        0        0       sl1
   149.173.160.12     192.42.243.1       UGHS        0      132       sl1
   149.173.166.232    192.42.243.1       UGHS        0        0       sl1
   172.16.0.200       192.42.243.1       UGHS        0        0       sl1
   192.42.243.1       192.42.243.10      UH         16       12       sl1
   192.42.243.10      192.42.243.1       UGHS        0       22       sl1
   

and, on an interior node, I can ping 192.42.243.10 and 192.42.243.1;
but I can't get to any of the other addresses... (e.g. 130.96.1.21 doesn't
go out via sl1 as I would like it to...)

I'm guessing I have to add more rules for each of the networks I'd like
to go out to there - but I was hoping the routing table would take care
of that...  should it?

	- Dave Rivers -
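The ruleset and the 130.96.1.21 case above, worked through as an added example (this is editorial code, not from the original message and not FreeBSD's ipfw): a small Python model of ipfw's first-match evaluation, covering only the rule forms used in the message ("ip from SRC to DST via IFACE", with "any" as a wildcard and "via" matching a packet in either direction on that interface). The packets it evaluates are constructed from the addresses in the message. It shows that a packet from 10.0.0.3 to 130.96.1.21 leaving on sl1 matches neither divert rule 10 nor 15 and falls through to the final pass rule, whereas the hypothetical ALT_RULESET, which gives sl1 the same any-to-any divert form that rule 20 already uses for sl0, hands it to the natd on port 32001.

```python
# Added example: a toy model of ipfw first-match rule evaluation for the
# divert ruleset quoted in the message.  Not from the original message and
# not ipfw itself; only the rule forms used in the message are modelled.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    number: int           # ipfw rule number; rules are checked in ascending order
    action: str           # "divert" or "pass"
    port: Optional[int]   # natd divert port, or None for non-divert actions
    src: str              # "any" or a CIDR prefix
    dst: str              # "any" or a CIDR prefix
    iface: Optional[str]  # "via IFACE" (matches either direction), or None


# The ruleset from the message.  The unnumbered pass rule gets a placeholder
# number here; ipfw assigns unnumbered rules a number itself.
RULESET: List[Rule] = [
    Rule(10, "divert", 32001, "any", "192.42.243.0/24", "sl1"),
    Rule(15, "divert", 32001, "192.42.243.0/24", "any", "sl1"),
    Rule(20, "divert", 32000, "any", "any", "sl0"),
    Rule(65000, "pass", None, "any", "any", None),
]

# Hypothetical alternative (an assumption, not from the message): give sl1 the
# same "from any to any via IFACE" divert form that rule 20 already uses for sl0.
ALT_RULESET: List[Rule] = [
    Rule(10, "divert", 32001, "any", "any", "sl1"),
    Rule(20, "divert", 32000, "any", "any", "sl0"),
    Rule(65000, "pass", None, "any", "any", None),
]


def _addr_matches(pattern: str, addr: str) -> bool:
    """'any' matches everything; otherwise test CIDR membership."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def first_match(rules: List[Rule], src: str, dst: str, iface: str) -> Optional[Rule]:
    """Return the first rule matching a packet (src, dst) seen on iface.

    Rules are tried in list order, which is numeric order for the rulesets
    above.  None means nothing matched (ipfw's implicit default, never
    reached here because both rulesets end in an any-to-any pass).
    """
    for rule in rules:
        if rule.iface is not None and rule.iface != iface:
            continue
        if _addr_matches(rule.src, src) and _addr_matches(rule.dst, dst):
            return rule
    return None


def natd_port_for(rules: List[Rule], src: str, dst: str, iface: str) -> Optional[int]:
    """The natd divert port a packet is handed to, or None if it is passed
    on (or dropped) without ever reaching a natd."""
    rule = first_match(rules, src, dst, iface)
    return rule.port if rule is not None and rule.action == "divert" else None


if __name__ == "__main__":
    # Constructed packets: interior host 10.0.0.3 behind the gateway, the
    # gateway's own sl1 address 192.42.243.10, and a far end that the quoted
    # routing table sends out via sl1.
    cases = [
        ("10.0.0.3", "192.42.243.1", "sl1"),        # to the sl1 peer: rule 10
        ("192.42.243.1", "192.42.243.10", "sl1"),   # reply to the NAT'd address: rule 10
        ("10.0.0.3", "130.96.1.21", "sl1"),         # static host route via sl1
        ("10.0.0.3", "130.96.1.21", "sl0"),         # same host, if it were routed via sl0
    ]
    for src, dst, iface in cases:
        r = first_match(RULESET, src, dst, iface)
        a = first_match(ALT_RULESET, src, dst, iface)
        print(f"{src} -> {dst} via {iface}: rule {r.number} ({r.action} {r.port}); "
              f"with ALT_RULESET: rule {a.number} ({a.action} {a.port})")
```

The model deliberately ignores everything real ipfw also matches on (protocol, ports, in/out direction, fragments), so it answers only the question the message raises: which of these four rules a packet on a given interface hits first. In this model the packet to 130.96.1.21 on sl1 is passed through untranslated by the quoted ruleset, while the any-to-any form diverts all sl1 traffic to natd regardless of the far-end prefix.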

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710201459.KAA19512>