Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 8 May 2001 14:10:07 -0500
From:      Lucas Bergman <>
To:        Artem Koutchine <>
Cc:        questions@FreeBSD.ORG
Subject:   Re: Networks routing, natd and subnetting question
Message-ID:  <>
In-Reply-To: <000001c0d7af$db8d67e0$>; from on Tue, May 08, 2001 at 03:08:49PM +0400
References:  <000001c0d7af$db8d67e0$>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
> I have an allocated ip network for my intranet: xxx.yyy.zzz.96
> netmask 224 (0xffffffe0)
> the local network is connected to the outer world like this:
> CISCO 1601 <->FREEBSD <-> bunch of Win/FBSD pcs the 'bunch' only
> uses for now 192.168.a.b network to make it totaly safe. CISCO has
> xxx.yyy.zzz.97 and FreeBSD has two interfaces ed0 (external to
> CISCO) xxx.yyy.zzz.98 and ed1 (internal to local network)
> Local network goes to internet using natd
> (--unregistered-only -l -use_sockets on interface ed0)...
> One of the local network machines REALLY needs a real IP address to
> be accessed from the outer world. The machine should have the
> address xxx.yyy.zzz.102...

Okay, check.

> 1) Assign xxx.yyy.zzz.102 as an alias IP address to ed0 on the
> FreeBSD and use nat to redirect all traffic from xxx.yyy.zzz.102 to
> The question is: How do i do that? Do I just add
> extra option to natd (-redirect_address) or i need to add some ipfw
> rule too?

It's been a while since I've used stock natd (I made the switch to
ipfilter/ipnat), but I think that's fine.  If NAT is working for you
already, then your firewall rules are already okay; i.e., they make
sure that natd sees anything coming in or going out via the external
interface.  Don't forget 'netmask 0xffffffff' for the alias.

> 2) Route this address directly, so, natd is not used at all and the
> machine on the localnet gets a real IP.  Here is what i tried: I
> changed to xxx.yyy.zzz.102 and on the FreeBSD box
> added:
> route add -host xxx.yyy.zzz.102 interface ed1
> ping xxx.yyy.zzz.102
> [schnipp]

Hmm... all this contortion is necessary because your physical topology
(the arrangement of Cat. 5 cable among Ethernets) doesn't match your
IP topology.  In particular, you want the machine with address
x.y.z.102 to be hooked up to the network, instead of
hooked up to the x.y.z.96/27 network, where it belongs.  Before
getting into obscure routing/ARP issues, try the "hardware" solution:

0) Assign x.y.z.102 to the box that needs that address, and physically
hook it up to the proper network; i.e., run a cable from that
machine's port in the patch panel (or whatever) to the 1601, instead
of to the hub hooked up to the FreeBSD box (or configure your
switching hub to put that box on the same 'net as the 1601, etc.).
This puts Ethernets and IP subnets in one-to-one correspondence, which
means no baroque routing is necessary.


To Unsubscribe: send mail to
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <>