Date:      Wed, 13 Mar 2002 19:36:13 -0800 (PST)
From:      Dennis Holmes <dholmes@liberator.dyndns.org>
To:        amour@blade.elitsat.net (Alexander)
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Question about natd ...
Message-ID:  <200203140336.TAA02006@star-one.liberator.dyndns.org>
In-Reply-To: <20020312191511.K84355-100000@blade.elitsat.net> from Alexander at "Mar 12, 2002  7:22: 8 pm"

Look what Alexander wrote:
> Hello,
> 
> I'm running FreeBSD 4.3-RELEASE
> I'm using it to masquerade my internal network.
> The router has 1 real ip address on the external interface
> and on the internal there is a local network (192.168.30.0/24)
> I have 8 more real-ip addresses and I want to group some of the
> internal ip addresses to masquerade to the internet with one of the
> real, other internal with other external ...
> for example:
> 	192.168.30.100-120  with X.Y.Z.209
> 	192.168.30.240-245  with X.Y.Z.210
> 	192.168.30.60-70    with X.Y.Z.212
> 
> Is this possible with one router ?!
> Like some simple natd configuration ?

pS [pre-script :-)]:  I wrote all of the below before remembering that
natd's redirect_address option has a multiple-address form (see the natd man
page).  Try this first, since it's much easier and cleaner than the idea
below.

Don't know if it is the only way, but this should be possible using
multiple natd's running on different ports.

Configure the additional external addresses to use as aliases on your
external network interface in /etc/rc.conf.

Start up a natd for each group, each running on a different port.  You
might try doing this by setting natd_program in /etc/rc.conf to be a
script like the following, so that the natd's get started at the right
time in the startup sequence.
#!/bin/sh
# natd startup sample: one natd per group, each on its own divert port
# and bound (-a) to that group's external alias
natd -p 8668 -config /etc/natd1.conf -a X.Y.Z.209
natd -p 8669 -config /etc/natd2.conf -a X.Y.Z.210
natd -p 8670 -config /etc/natd3.conf -a X.Y.Z.212

Next is the ugly part.  Add rules in /etc/rc.firewall to divert
traffic to and from each address to the appropriate natd.  If you
define your groups so that they look like subnets, you may be able to
simplify this greatly.  Instead of having a separate rule for each
internal address, you'd have a rule for each group with source address
specified as 192.168.30.100/28, for example.
#rc.firewall sample
# group 1
ipfw add divert 8668 ip from 192.168.30.100 to any
ipfw add divert 8668 ip from 192.168.30.101 to any
# ...(continue for all addresses to be mapped to X.Y.Z.209)
ipfw add divert 8668 ip from any to X.Y.Z.209
# group 2
ipfw add divert 8669 ip from 192.168.30.240 to any
# ...(continue for all addresses to be mapped to X.Y.Z.210)
ipfw add divert 8669 ip from any to X.Y.Z.210
# group 3
ipfw add divert 8670 ip from 192.168.30.60 to any
# ...(continue for all addresses to be mapped to X.Y.Z.212)
ipfw add divert 8670 ip from any to X.Y.Z.212

+----------------+-------------------+------------------------------------+
| Dennis Holmes  | dholmes@rahul.net |  "We demand rigidly defined        |
| San Jose, CA   +-------------------+   areas of doubt and uncertainty!" |
+------=>{ Meanwhile, as Ford said: "Where are my potato chips?" }<=------+
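As an added illustration of the "define your groups so that they look like subnets" suggestion above (this is editor-written example code, not Dennis Holmes' script and not part of FreeBSD), the generator below turns each address range from Alexander's question into the smallest exact set of CIDR blocks and emits divert rules in the same form as the rc.firewall sample. It assumes Python 3's standard ipaddress module; the group table, natd ports and X.Y.Z placeholders are the ones from the thread. It also refuses overlapping groups or a reused alias, since ipfw takes the first matching rule and an overlap would silently push part of a group through the wrong natd.

```python
import ipaddress
from itertools import combinations

# Group table constructed from the thread: (natd port, first and last internal
# address, external alias).  The X.Y.Z.* placeholders are kept from the mail.
GROUPS = [
    (8668, "192.168.30.100", "192.168.30.120", "X.Y.Z.209"),
    (8669, "192.168.30.240", "192.168.30.245", "X.Y.Z.210"),
    (8670, "192.168.30.60", "192.168.30.70", "X.Y.Z.212"),
]


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last (inclusive)."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def normalize_cidr(cidr):
    """The block a prefix really denotes once its host bits are masked off,
    e.g. the mail's 192.168.30.100/28 is the block 192.168.30.96/28."""
    return str(ipaddress.ip_network(cidr, strict=False))


def check_groups(groups):
    """ipfw evaluates rules in order, so overlapping internal ranges, a
    reused port or a reused external alias would route part of a group
    through the wrong natd.  Raise instead of generating ambiguous rules."""
    spans = []
    for port, first, last, ext in groups:
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if lo > hi:
            raise ValueError(f"group on port {port}: {first} is after {last}")
        spans.append((lo, hi, port))
    for (lo1, hi1, p1), (lo2, hi2, p2) in combinations(spans, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            raise ValueError(f"internal ranges for ports {p1} and {p2} overlap")
    ports = [g[0] for g in groups]
    exts = [g[3] for g in groups]
    if len(set(ports)) != len(ports) or len(set(exts)) != len(exts):
        raise ValueError("each group needs its own natd port and external alias")
    return True


def divert_rules(port, first, last, external):
    """Rules for one group, in the same form as the mail's rc.firewall sample:
    outbound from each internal block, inbound to the group's external alias."""
    rules = [f"ipfw add divert {port} ip from {cidr} to any"
             for cidr in range_to_cidrs(first, last)]
    rules.append(f"ipfw add divert {port} ip from any to {external}")
    return rules


def rc_firewall_fragment(groups):
    """Complete rule list for all groups, validated first."""
    check_groups(groups)
    lines = []
    for i, (port, first, last, ext) in enumerate(groups, 1):
        lines.append(f"# group {i}: {first}-{last} -> {ext} via natd on port {port}")
        lines.extend(divert_rules(port, first, last, ext))
    return lines


if __name__ == "__main__":
    print("\n".join(rc_firewall_fragment(GROUPS)))
```

Run it and paste the output into the divert section of rc.firewall. Two things it makes visible: the ranges as asked for (100-120, 240-245, 60-70) are not aligned, so each still needs several rules (four, two and four blocks respectively) rather than one, and a prefix such as 192.168.30.100/28 does not mean "start at .100": normalize_cidr shows it denotes 192.168.30.96/28, which would pull .96-.99 into group 1 and leave .112-.120 unmatched. Choosing ranges that start and end on block boundaries, as the mail suggests, collapses each group to a single rule.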
