Date:      Mon, 03 Apr 2006 06:59:20 -0400
From:      Juergen Heberling <pjah@hicom.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: ipnat syntax error?
Message-ID:  <44310008.7010100@hicom.net>
In-Reply-To: <442FA797.6060307@locolomo.org>
References:  <442EEABE.5000803@hicom.net> <442F2B69.40503@locolomo.org> <442F3268.30409@hicom.net> <442FA797.6060307@locolomo.org>

Erik Nørgaard wrote:
>> .. snip ..

> 
> Well, my suggestion is not to exhaust your precious /28 address space 
> right away. And don't make your life unnecessarily difficult; why choose 
> the addresses in the middle for bimap?
> 
> 
> Rather than using all your external ip's right away I would save some 
> for later expansion, and reserve one for debugging. You may need to 
> connect a laptop on the external net to figure out what's going on. You 
> could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and 
> future expansion (not mapped), x.x.x.12/30 map for lan clients.
> 
> If you stick to cidr you can also write your filter rules in cidr making 
> it far easier to read and maintain.
> 
> For the mapping, and bimapping consider this:
> 
> The /24 network you want to map, it contains at most 254 hosts. If you 
> map that network to a single ip, then each host can establish at least 
> 256 simultaneous connections. My experience is that this is far more than 
> needed in most normal operating environments. I'd suggest using the same 
> ip as on the firewall external interface.
> 
> If the purpose of binatting is to make one service available, http say, 
> then you may consider using rdr. IIRC you can also use rdr to round 
> robin load balancing incoming connections.
> 
> That way you can have one host serving http and another serving smtp on 
> the same external ip. The only reason to use different ip's is if you're 
> hosting a number of https servers, each needs a different ip.
> 
> There's no point in bimapping all ports on an external ip to one single 
> internal ip if most of them are blocked by the filter.
> 
> Cheers, Erik

Erik,

Thank you again for your advice.

Due to historical reasons I can not just take a /29 or /30 block out of 
the middle of the cidr I will ultimately use -- this FreeBSD server will 
implement a firewall on an existing connection replacing an old Cisco 
router that only NAT'd.  So I will see if things can work with "just" 
one "map" with portmaps.

Please note that the "-" for the range syntax is documented in several 
places, not just the FreeBSD handbook and should probably be fixed.

Thanks again.
Juergen
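For readers following the thread, here is an ipnat.conf laid out along the lines Erik suggests. It is an added example, not a file from either poster: the external interface em0, the LAN 192.168.0.0/24 and the documentation prefix 203.0.113.0/28 (standing in for x.x.x.0/28) are assumptions.

```conf
# /etc/ipnat.conf -- constructed example, not taken from the thread.
# Assumptions: external interface em0, LAN 192.168.0.0/24, external
# block 203.0.113.0/28 in place of x.x.x.0/28.
#
# Address plan from the thread:
#   203.0.113.0/29   servers (bimap, one external address per host)
#   203.0.113.8/30   unmapped, kept for debugging / future expansion
#   203.0.113.12/30  map pool for LAN clients

# One-to-one mappings for hosts that really need their own external
# address (the https case: each server needs a distinct ip).
bimap em0 192.168.0.2/32 -> 203.0.113.1/32
bimap em0 192.168.0.3/32 -> 203.0.113.2/32

# Outbound NAT for the LAN through the small pool. ipnat writes the
# portmap range as low:high; the "-" form discussed in the thread is
# rejected as a syntax error. The second rule, without portmap, catches
# non-tcp/udp traffic such as ICMP.
map em0 192.168.0.0/24 -> 203.0.113.12/30 portmap tcp/udp 10000:40000
map em0 192.168.0.0/24 -> 203.0.113.12/30

# rdr instead of bimap for single services: http and smtp on the same
# external address go to different internal hosts, and the filter only
# has to open the two ports actually in use.
rdr em0 203.0.113.3/32 port 80 -> 192.168.0.10 port 80 tcp
rdr em0 203.0.113.3/32 port 25 -> 192.168.0.11 port 25 tcp

# Round-robin distribution of incoming connections across two hosts.
rdr em0 203.0.113.3/32 port 443 -> 192.168.0.12,192.168.0.13 port 443 tcp round-robin
```

Run `ipnat -n -f /etc/ipnat.conf` first to parse the file without touching the kernel; it reports the syntax error before any rule is loaded.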