Date: Fri, 8 Apr 2005 09:13:23 +0200 (CEST)
From: "Andrew Seguin" <asegu_fbsdnet@borgtech.ca>
To: freebsd-net@freebsd.org
Subject: Freebsd NAT/Router design question/issue
Message-ID: <2402.161.53.212.4.1112944403.squirrel@borgtech.ca>
Good day,

I've built up a freebsd router (no problems there) using 5.4-STABLE built after a cvsup 3 days ago. The router has three network cards (all fxp), and it routes mainly between a variety of subnets (using vlans) on fxp1, to a separate subnet on fxp0. fxp2 has a private address (192.168.0.1/24) and it shall be our "public area" connection. (The main router, sitting at .1, routes to .14 for anything other than .0/28.)

So, in short it looks like this:

default gateway: .1
fxp0: .14/28 (servers)
fxp1 - vlan 3 - .17/28 (network printers)
...
fxp1 - vlan 6 - .129/25 (bulk)
fxp2: 192.168.0.1/24

I enabled dhcpd with a subnet for fxp2 .. no problem here as well.

However, when I enable NAT... I am facing a design issue. I can run natd just fine at the moment, but I got it to work in what seems to me a not so great fashion... I'm hoping that somebody might have a recommendation for me!

Current setup:

natd.conf:
alias_address ---.---.---.14
unregistered_only

ipfw rule (early on):
divert natd ip from any to any via fxp0

Problem: traffic for other subnets goes through natd? It seems like this would force natd to work much harder than it needs to, not my ideal situation.

Attempted setups (variants of the following):

ifconfig fxp0 inet ---.---.---.13 netmask 0xffffffff alias

natd.conf:
alias_address ---.---.---.13

ipfw rule (early on):
# incoming traffic of the public network gets translated.
divert natd ip from 192.168.0.0/24 to any via fxp2
# incoming traffic for the public network gets translated.
divert natd ip from any to ---.---.---.13

Problem(s):
- can't see any traffic "host ---.---.---.13" via fxp0
- With a computer connected to fxp2 (address from dhcp), I can ping 192.168.0.1, the other IPs of the router box, but pings to other equipment time out.

natd.conf with reverse? crashes, looks like the bug "natd coredumps with -reverse due to bug in libalias" (http://www.freebsd.org/cgi/query-pr.cgi?pr=76839) hasn't been patched in 5.4-STABLE?
If anybody has any suggestions for this where I don't end up with all the traffic going through natd, I'd greatly appreciate them!
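To make the design concern in the message concrete, here is an added Python model (not code from the post or from FreeBSD) of which packets each divert rule hands to natd: the post's "via fxp0" rule against a direction-scoped pair. It assumes ipfw's "in recv" / "out xmit" direction keywords and uses constructed documentation-range addresses in place of the redacted public /28.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the redacted ---.---.---.x addresses in the post.
ROUTER_FXP0 = "203.0.113.14"    # fxp0 address, also natd's alias_address
PRIVATE_NET = "192.168.0.0/24"  # fxp2 side, the "public area" clients

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet arrives on or leaves through
    direction: str   # "in" (received on iface) or "out" (sent on iface)

@dataclass(frozen=True)
class DivertRule:
    """Subset of 'divert natd ip from SRC to DST {via|in recv|out xmit} IFACE'."""
    src: str = "any"
    dst: str = "any"
    iface: str = ""          # empty string: any interface
    direction: str = "via"   # "via" matches both directions on iface

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.iface and p.iface != self.iface:
            return False
        return self.direction in ("via", p.direction)

# Ruleset from the post: divert natd ip from any to any via fxp0
CURRENT = [DivertRule(iface="fxp0")]
# Direction-scoped alternative: only private-sourced traffic leaving fxp0 and
# traffic arriving on fxp0 for the alias address are handed to natd.
SCOPED = [
    DivertRule(src=PRIVATE_NET, iface="fxp0", direction="out"),  # out xmit fxp0
    DivertRule(dst=ROUTER_FXP0, iface="fxp0", direction="in"),   # in recv fxp0
]
# Constructed sample packets as seen at the router's fxp0; the "routed" pair is
# server-subnet <-> bulk-vlan traffic that merely transits the box.
SAMPLE = {
    "client->internet": Packet("192.168.0.50", "198.51.100.7", "fxp0", "out"),
    "internet->alias": Packet("198.51.100.7", ROUTER_FXP0, "fxp0", "in"),
    "server->bulk (routed)": Packet("203.0.113.5", "203.0.113.130", "fxp0", "in"),
    "bulk->server (routed)": Packet("203.0.113.130", "203.0.113.5", "fxp0", "out"),
}

def diverted(rules, packets):
    """Names of sample packets that at least one rule would hand to natd."""
    return sorted(n for n, p in packets.items() if any(r.matches(p) for r in rules))
```

The broad rule sends the transit traffic through natd as well (it is matched on ingress at fxp0 even though unregistered_only leaves it untranslated), while the scoped pair diverts only the two flows that need translation.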