From owner-freebsd-net Tue Sep 26 16:03:16 2000
Delivered-To: freebsd-net@freebsd.org
Received: from web311.mail.yahoo.com (web311.mail.yahoo.com [216.115.105.76]) by hub.freebsd.org (Postfix) with SMTP id 167C037B423 for ; Tue, 26 Sep 2000 16:03:11 -0700 (PDT)
Message-ID: <20000926230310.14650.qmail@web311.mail.yahoo.com>
Received: from [24.164.238.27] by web311.mail.yahoo.com; Tue, 26 Sep 2000 16:03:10 PDT
Date: Tue, 26 Sep 2000 16:03:10 -0700 (PDT)
From: Benjamin Gavin
Subject: Re: ppp nat port/addr conflict
To: Hanspeter Roth Bsag
Cc: freebsd-net@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

Actually, if you have NAT enabled it will always appear to outside hosts as if you are connecting from the router's external address. You should only use the nat addr ... command to override this default setting. If you are using ppp-based NAT in addition to an ipfw firewall to filter packets, then you'll need to make sure that your ipfw rules allow for the transfer.

I've had a similar setup before I got broadband access. I basically set up ipfw as normal, but used the "tun0" interface as my external address in all the rulesets. Then in the ppp.linkup script, I inserted a call to a script which reloaded the firewall rulesets based on the IP address I was given by my ISP. You can then customize IPFW to allow only the things that you want into your internal box.

Then for the NAT portions of the ppp.conf, I entered the following information:

  nat enable yes
  nat same_ports yes
  nat use_sockets yes
  nat unregistered_only yes

Then for each port that you want to send directly to your internal machine add a line like:

  nat port :

Then just make sure that your gateway_enable flag is set to "YES" in rc.conf and you're golden.

Ben Gavin

--- Hanspeter Roth Bsag wrote:
> Hello,
>
> I'm trying to set up NAT to allow specific connections.
>
> The participating hosts are connected as follows:
>
>   local client          FreeBSD router            remote host
>     1.0.0.2   <--->   1.0.0.1     2.0.0.1   <--->   2.0.0.2
>             ethernet                      ppp
>
> The local client has to connect to the remote host but with
> the router's address [1.0.0.2].
> In the ppp.conf I have
>
>   nat addr 1.0.0.2 2.0.0.1
>
> This allows telnet and ftp connections from the local client
> [1.0.0.2] to the remote host [2.0.0.2].
> (Interestingly I'm also able to connect to the remote host from
> the router itself.)
>
> Now I want to allow a connection from the remote host to the
> router at a specific port. Thus I tried
>
>   nat port tcp 2.0.0.1:6009 6009 127.0.0.1:6009
>
> I'm aware that there is an address conflict since 2.0.0.1 is also
> diverted to the local client [1.0.0.2] by the `nat addr' command.
> I hoped that `nat port' would take precedence over `nat addr'.
> But packets to 2.0.0.1:6009 get diverted to the local client as well.
>
> Is there a means to resolve this conflict?
>
> -Hanspeter
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

=====
/******************************/
Benjamin Gavin
Virtual.Olympus Software
Virtual_Olympus@yahoo.com
http://www.virtual-olympus.com/
/******************************/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
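The ppp.linkup firewall-reload step Ben describes, as an added example that is not part of the original thread or of FreeBSD itself: a POSIX sh script that regenerates ipfw rules for the ISP-assigned address, which ppp(8) hands over through its MYADDR macro, and refuses to build rules from a malformed address or port. The interface name, the internal network, the rule numbers and the list of exposed ports are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): regenerate the
# ipfw rule set for the address the ISP just assigned to the PPP link.
# Called from /etc/ppp/ppp.linkup, where ppp(8) expands the MYADDR macro:
#   MYADDR:
#     !bg /etc/ppp/reload-fw --apply MYADDR 22 6009
# Assumptions (constructed): external interface tun0, LAN 192.168.1.0/24,
# the rule numbers and the list of TCP ports to expose.

EXT_IF=tun0
INT_NET=192.168.1.0/24
# is_ipv4 ADDR: succeed only for a well-formed dotted quad.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}
# gen_rules EXT_ADDR [TCP_PORT...]: print the ipfw commands, failing on bad
# input so a garbled MYADDR never turns into a rule.
gen_rules() {
    ext=$1; shift
    is_ipv4 "$ext" || { echo "reload-fw: bad address '$ext'" >&2; return 1; }
    for p in "$@"; do
        case $p in ''|*[!0-9]*) echo "reload-fw: bad port '$p'" >&2; return 1 ;; esac
    done
    echo "ipfw -f flush"
    echo "ipfw add 100 allow ip from any to any via lo0"
    # Established TCP flows pass; only new connections (SYN) are filtered.
    echo "ipfw add 200 allow tcp from any to any established"
    # Anti-spoofing: our own or LAN addresses must never arrive on the PPP link.
    echo "ipfw add 300 deny log ip from $ext to any in via $EXT_IF"
    echo "ipfw add 310 deny log ip from $INT_NET to any in via $EXT_IF"
    n=400   # one allow rule per exposed service, on the assigned address only
    for p in "$@"; do
        echo "ipfw add $n allow tcp from any to $ext $p in via $EXT_IF setup"
        n=$((n + 10))
    done
    # Connections we initiate may leave (ppp has already NATed the source to $ext).
    echo "ipfw add 900 allow tcp from $ext to any out via $EXT_IF setup"
    # Every other inbound connection attempt is logged and dropped.
    echo "ipfw add 910 deny log tcp from any to any in via $EXT_IF setup"
    # LAN, UDP and ICMP traffic is left open here; a real rule set tightens this.
    echo "ipfw add 65000 allow ip from any to any"
}

if [ "${1-}" = --apply ]; then shift; gen_rules "$@" | sh; fi
```

Without `--apply` the script only prints the rules, so you can review the generated set for a given address before letting ppp.linkup install it.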