From owner-freebsd-net@FreeBSD.ORG Sun Oct 26 01:04:18 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7CDEB16A4B3 for ; Sun, 26 Oct 2003 01:04:18 -0700 (PDT)
Received: from ints.mail.pike.ru (ints.mail.pike.ru [195.9.45.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1924643FBF for ; Sun, 26 Oct 2003 01:04:17 -0700 (PDT) (envelope-from babolo@cicuta.babolo.ru)
Received: (qmail 33276 invoked from network); 26 Oct 2003 08:20:20 -0000
Received: from softdnserror (HELO cicuta.babolo.ru) (194.58.226.160) by softdnserror with SMTP; 26 Oct 2003 08:20:20 -0000
Received: (nullmailer pid 17160 invoked by uid 136); Sun, 26 Oct 2003 05:07:36 -0000
X-ELM-OSV: (Our standard violations) hdr-charset=KOI8-R; no-hdr-encoding=1
In-Reply-To: <3F9AC937.4070200@yuckfou.org>
To: Nils Vogels
Date: Sun, 26 Oct 2003 08:07:36 +0300 (MSK)
From: "."@babolo.ru
X-Mailer: ELM [version 2.4ME+ PL99b (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Message-Id: <1067144856.121773.17159.nullmailer@cicuta.babolo.ru>
cc: freebsd-net@freebsd.org
Subject: Re: Reverse IP NAT to secondary IP address
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sun, 26 Oct 2003 08:04:18 -0000

>>configure the port with the SNMP-server as 192.168.0.17/30 for example
>>instead of 192.168.2.1/24, and
>>sysctl net.link.ether.inet.proxyall=1
>>
>>and configure the SNMP-server as 192.168.0.18/24
>>
>>If you can change the mask of the SNMP-server, you can
>>use 192.168.0/24 and 192.168.1/24 on the gateway
>>and 192.168.0/25 on the SNMP-server.
>>
>>
>Since I have the internet on the same interface, but on the primary IP
>instead, would enabling ARP PROXY not fill the ARP table with every host
>on the internet that tries to contact the gateway?

Are you using a default route?
If yes, only the default router's MAC is used for every external IP.

>>No NAT is needed.
>>
>I just tried this, but unfortunately, the same thing happens as with
>ipfilter:
>
>The primary address of the interface ed0 on the gateway (the public
>address) is used to forward the arp request.
>
>Taken from a dump on the gateway, when attempting telnet:
>
>Incoming on rl0:
>03:35:05.867883 192.168.0.2.1511 > 192.168.2.2.23: S
>1377718084:1377718084(0) win 57344 (DF) [tos 0x10]
>
>Outgoing on ed0:
>03:35:05.868333 195.0.0.1.15009 > 192.168.2.2.23: S
>1377718084:1377718084(0) win 57344 (DF) [tos 0x10]

No NAT is needed.
Just allow the 192.168.0.2 <-> 192.168.2.2 flow directly, not via NAT.

>Since 195.0.0.1 (obviously obfuscated) does not fall within the subnet
>the 192.168.2.2 box is on, there will never be a reply from the
>192.168.2.2 box.

If you remove NAT from the 192.168.0.2 <-> 192.168.2.2 path and widen the
mask on the SNMP server, there will be a reply.
Or renumber the subnet with the SNMP server in such a way that it is a
subnet of the net with the WWW server.
See my previous post with the example.
For the ARP lookup you can try to swap the primary IP and the alias (warning!)
or use a static arp entry for the SNMP server.

>ARP proxying goes fine, on the WWW box, I can see the proxied reply
>coming from my gateway for the 192.168.1.1 address .....
>
>Can anyone tell me how I can make the box use the secondary address
>(alias) automatically for forwarding the telnet session?
>Could it be that since the gateway is running many-to-one NAT as well,
>this is conflicting?

You can fire up a lot of natd (this is one of my routers):

0sw~(2)>ps -axww | grep natd
44888  ??  Ss    31:11,88 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.100.pid -a IP0 -i 100 -o 101 -d
44890  ??  Ss    24:21,38 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.102.pid -a IP1 -i 102 -o 103 -d
44892  ??  Ss    36:25,68 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.104.pid -a IP2 -i 104 -o 105 -d
44894  ??  Ss    50:31,52 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.106.pid -a IP3 -i 106 -o 107 -d
44896  ??  Ss    26:42,38 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.108.pid -a IP4 -i 108 -o 109 -d
44898  ??  Ss    18:08,56 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.110.pid -a IP5 -i 110 -o 111 -d
44900  ??  Ss    27:32,76 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.112.pid -a IP6 -i 112 -o 113 -d
44902  ??  Ss    71:10,05 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.114.pid -a IP7 -i 114 -o 115 -d
44904  ??  Is     0:46,65 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.98.pid -a IP8 -i 98 -o 99 -d

where the real IPs are substituted by IPx.
You are free to use IPs from some of the interfaces or IPs which no interface has.
You can use the same IP for different natd or not - just write the
appropriate rules in ipfw.
For example, use one natd for proxying one port with a selected pair of addresses.

But again: there is no need for NAT in the circumstances you wrote in your first letter.

Sorry my English is bad.
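Added example, not part of the thread: a small sh script that prints the ipfw and natd commands for the layout discussed above, so the two points of the reply can be seen together. The gateway's ed0 carries the public primary address (195.0.0.1, the obfuscated address from Nils' dump), the 192.168.0/24 LAN sits behind rl0, and the SNMP box is 192.168.2.2; those come from the thread. Rule numbers, divert ports, the natd config path and the second alias 195.0.0.2 are assumptions. Nothing is applied to a live firewall: the functions only print commands, which can be reviewed and then piped to sh on the gateway.

```shell
#!/bin/sh
# Added example (not from the original post). Prints ipfw/natd commands for
# the thread's layout. Interface names and 192.168.x addresses come from the
# thread; rule numbers, divert ports, natd config path and 195.0.0.2 are
# assumptions. Nothing here touches a running firewall.

EXT_IF=ed0
LAN_NET=192.168.0.0/24
SNMP_HOST=192.168.2.2
NATD_CONF=/etc/natd.conf      # assumed path
BASE_PORT=8668                # natd's default divert port, used as a base

# The fix the reply recommends: pass LAN <-> SNMP traffic before any divert
# rule. ipfw stops at the first matching rule, so packets matched here never
# reach natd and keep their 192.168.0.x source address.
passthrough_rules() {
    printf 'ipfw add 100 allow ip from %s to %s\n' "$LAN_NET" "$SNMP_HOST"
    printf 'ipfw add 110 allow ip from %s to %s\n' "$SNMP_HOST" "$LAN_NET"
}

# Divert port pair for natd instance number $1.
in_port()  { echo $((BASE_PORT + 2 * $1)); }
out_port() { echo $((BASE_PORT + 2 * $1 + 1)); }

# One natd per alias address, the pattern in the ps(1) listing above:
# -a is the address packets are rewritten to, -i/-o the divert ports this
# instance serves, -P its pid file, -d (-deny_incoming) drops inbound packets
# with no translation-table entry.   Arguments: instance_number alias_address
natd_cmd() {
    printf '/sbin/natd -f %s -P /var/run/natd.%s.pid -a %s -i %s -o %s -d\n' \
        "$NATD_CONF" "$(in_port "$1")" "$2" "$(in_port "$1")" "$(out_port "$1")"
}

# ipfw rules steering traffic to that instance: packets for the alias arriving
# on ed0 go to its in_port, packets from the chosen inside network leaving ed0
# go to its out_port. Numbers stay above 100/110 so the passthrough wins.
# Arguments: instance_number alias_address inside_network
divert_rules() {
    rule=$((1000 + 10 * $1))
    printf 'ipfw add %s divert %s ip from any to %s in recv %s\n' \
        "$rule" "$(in_port "$1")" "$2" "$EXT_IF"
    printf 'ipfw add %s divert %s ip from %s to any out xmit %s\n' \
        "$((rule + 1))" "$(out_port "$1")" "$3" "$EXT_IF"
}

# Complete ruleset for two aliases. The passthrough rules are emitted and
# numbered first; everything else is NAT as before.
ruleset() {
    passthrough_rules
    natd_cmd 0 195.0.0.1
    divert_rules 0 195.0.0.1 192.168.0.0/24
    natd_cmd 1 195.0.0.2
    divert_rules 1 195.0.0.2 192.168.1.0/24
    printf 'ipfw add 65000 allow ip from any to any\n'
}

# Sanity check: the lowest-numbered divert rule must sit above the passthrough
# rules, otherwise the LAN->SNMP SYN is still rewritten to 195.0.0.1 exactly as
# in the tcpdump quoted above. Prints "ok" or "bad".
check_order() {
    first_divert=$(ruleset | awk '$4 == "divert" { print $3; exit }')
    [ "$first_divert" -gt 110 ] && echo ok || echo bad
}
```

Run `ruleset` to see the commands and `check_order` before applying them. The reply path still needs a route: as the reply says, the SNMP host must either have a wide enough mask or be renumbered into a subnet it can reach, or the passthrough only helps in one direction.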