Date:      Sun, 10 Aug 2003 23:38:57 +0200
From:      Johannes Angeldorff <johannes2@smartnet.se>
To:        freebsd-questions@freebsd.org
Subject:   ipfw / natd does not allow lan traffic to reach external numbers
Message-ID:  <a05200f04bb596ccc3dcf@[192.168.0.3]>

Hi,

I have a problem with our firewall/NAT on a FreeBSD 4.7 box... Here is 
a list with some details:

*) The FreeBSD box uses natd and ipfw, and has two external IPs, 
let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.

*) natd is used to redirect access to external IP addresses and ports 
to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21, 
where for example webservers are located.

*) natd rules:

natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20
-redirect_port tcp 192.168.0.21:25-52 25-52
-redirect_port udp 192.168.0.21:25-52 25-52
-redirect_port tcp 192.168.0.30:80 80
-redirect_port udp 192.168.0.30:80 80
-redirect_port tcp 192.168.0.21:54-79 54-79
-redirect_port udp 192.168.0.21:54-79 54-79
-redirect_port tcp 192.168.0.21:81-722 81-722
-redirect_port udp 192.168.0.21:81-722 81-722
-redirect_port tcp 192.168.0.21:3306-4559 3306-4559
-redirect_port udp 192.168.0.21:3306-4559 3306-4559"

*) ipfw lets things through:

00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any

Problem:
Most things work just fine: external access is redirected to the 
correct ports, and the webservers work just fine. BUT the problem 
comes when a box on the LAN tries to reach a site residing on 
192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get the 
error: "Unable to connect to remote host". Connecting from a LAN 
machine to the same site using the _internal_ IP works fine. 
Connecting to other external IPs also works fine.

I want to be able to connect from LAN boxes to the external IPs, for 
example aaa.bbb.ccc.20. Can anyone lead me on the way...? Very 
thankful for all comments on this matter.

Regards,
Smartnet Sverige AB

Johannes Angeldorff
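As an added illustration (not part of the original post), a small Python model of the ruleset quoted above: it parses the ipfw list output, finds the first rule a packet hits depending on the interface ipfw sees it on, and applies the natd redirect only when that rule is the divert. The internal interface name xl0, the public address 192.0.2.20 (standing in for aaa.bbb.ccc.20) and the outside client 203.0.113.5 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    num: int; action: str; proto: str; src: str; dst: str; via: Optional[str]

@dataclass
class Packet:
    proto: str; src: str; dst: str; dport: int; iface: str  # iface: where ipfw sees it

# Constructed copy of the ruleset from the post, in ipfw list format.
IPFW_RULES = """\
00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any"""

# natd redirect table: (proto, public ip, port) -> internal target.
# 192.0.2.20 is a constructed stand-in for the post's aaa.bbb.ccc.20.
REDIRECTS = {("tcp", "192.0.2.20", 80): ("192.168.0.20", 80)}

def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        p = line.split()
        i = 3 if p[1] == "divert" else 2  # divert carries a port argument
        via = p[i + 6] if len(p) > i + 6 and p[i + 5] == "via" else None
        rules.append(Rule(int(p[0]), p[1], p[i], p[i + 2], p[i + 4], via))
    return rules

def addr_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def first_match(rules: list[Rule], pkt: Packet) -> Rule:
    # ipfw semantics: first matching rule wins; "via" restricts to one interface
    for r in rules:
        if (r.proto in ("ip", pkt.proto) and addr_matches(r.src, pkt.src)
                and addr_matches(r.dst, pkt.dst) and r.via in (None, pkt.iface)):
            return r
    raise RuntimeError("ruleset has no terminal rule")

def deliver(rules: list[Rule], pkt: Packet) -> tuple[int, str]:
    """Return (rule number hit, effective destination after any natd redirect)."""
    r = first_match(rules, pkt)
    if r.action == "deny":
        return r.num, "dropped"
    if r.action == "divert":  # only now does natd see the packet
        target = REDIRECTS.get((pkt.proto, pkt.dst, pkt.dport))
        if target:
            return r.num, "%s:%d" % target
    return r.num, "%s:%d" % (pkt.dst, pkt.dport)  # left untranslated
```

A SYN arriving from the Internet on fxp0 is diverted by rule 50 and rewritten to 192.168.0.20:80, while the same SYN from a LAN host arriving on xl0 never matches the `via fxp0` divert, falls through to rule 65000 and keeps the firewall's own public address as its destination.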