Date:      Sat, 10 Jan 2004 10:08:14 -0800
From:      "Aaron Burke" <aburke@nullplusone.com>
To:        "afshin" <afshinbsdbox@yahoo.com>, <freebsd-net@freebsd.org>
Subject:   RE: 3NIC+ 2NAT
Message-ID:  <AMEMKJNMFLJCJDLFIEDBIEBLFMAA.aburke@nullplusone.com>
In-Reply-To: <20031230200830.59615.qmail@web21506.mail.yahoo.com>

> I have 3 Nics lets name them NIC1-NIC2-NIC3
> NIC1 --> Internal Network /24
> NIC2 --> OutSide World (A)
> NIC2 --> OutSide World (B)
I have a similar situation (I think). I also have two separate
connections to the internet.
fxp0: 11.22.33.44 gateway 11.22.33.1
fxp1: 66.77.88.99 gateway 66.77.88.1
fxp2: 192.168.0.1/24

>
> I want to NAT NIC1/25 on NIC2 and NIC1(128)/25 on
> NIC3.
Are you saying that you want certain packets to leave through NIC1,
and others to leave through NIC2? If this is the case, I don't have
a solution. However, if you have two connections in case one goes
down, then read on.

>  But the FreeBSD 4.8 Doesn't do it on both interfaces
> it does just on the one that the default gateway (of
> the 4.8 with 3 NICs) refers to.
> I Have Entered:
> # natd -interface NIC2
> # natd-interface NIC3  (This Gives Error)
> and Using "ipnat"
I am guessing that you want to create a semi-redundant connection to
the internet, for those occasions when one of the interfaces goes down.

The problem with doing all of this in /etc/rc.conf is that the other
rc files only expect one interface to be the default. There are several
things that need to be considered for this to work. And the bad news
is that when one of the interfaces goes down, I still have to manually
change the default gateway. The good news is that it's all the work that
has to be done.

>
> Any comments are appreciated so much
> Regards,
My comments are my solution, which works great, except that I still
have to manually change the default route to get it to work.

Please let me know if I am off track here.

Step 1: Comment out the lines in /etc/rc.conf that control natd. I
have created a script placed in /usr/local/etc/rc.d/fxp0-natd.sh and
/usr/local/etc/rc.d/fxp1-natd.sh .

Step 2: I edited /etc/services and added the following line.
(I am unsure if this was needed, but I added it just to be safe)
natd2           8669/divert # Network Address Translation

Step 3: I created the following files that actually start up natd
on each internet connected interface. Notice that one uses 8668 (natd)
and one uses 8669 (natd2).
(This may get destroyed by an email client, so I have attached them
both, just to be safe.)
#!/bin/sh
# /usr/local/etc/rc.d/fxp0-natd.sh with execute bit set
# Start a natd instance bound to fxp0 on divert port "natd" (8668 in
# /etc/services); -u translates only unregistered (RFC 1918) sources.
if [ $# -eq 0 -o x$1 = xstart ]; then
    /sbin/natd -p natd -s -u -f /etc/natd.conf -n fxp0 && echo -n ' natd started on fxp0 (Cable)'
    # natd writes /var/run/natd.pid; keep a per-interface copy so that
    # "stop" can kill just this instance and not the one on fxp1.
    cp /var/run/natd.pid /var/run/natd.fxp0.pid
fi
if [ x$1 = xstop ]; then
  if [ -f /var/run/natd.fxp0.pid ]; then
    kill `cat /var/run/natd.fxp0.pid`
  else
    # oh well
    # killall natd (don't want to do this)
    :   # sh needs a command here; an else branch holding only comments is a syntax error
  fi
fi

#!/bin/sh
# /usr/local/etc/rc.d/fxp1-natd.sh with execute bit set
# Same as the fxp0 script, but on divert port "natd2" (8669, added to
# /etc/services in step 2) so the two natd instances do not collide.
if [ $# -eq 0 -o x$1 = xstart ]; then
    /sbin/natd -p natd2 -s -u -f /etc/natd.conf -n fxp1 && echo -n ' natd started on fxp1 (DSL)'
    # per-interface copy of the pid file, so "stop" only kills this instance
    cp /var/run/natd.pid /var/run/natd.fxp1.pid
fi
if [ x$1 = xstop ]; then
  if [ -f /var/run/natd.fxp1.pid ]; then
    kill `cat /var/run/natd.fxp1.pid`
  else
    # oh well
    # killall natd (don't want to do this)
    :   # sh needs a command here; an else branch holding only comments is a syntax error
  fi
fi

Step 4: Now I need to tell my firewall that I am running natd on each
interface. I am using ipfw.
ipfw add divert 8668 ip from any to any via fxp0
ipfw add divert 8669 ip from any to any via fxp1

Step 5: FreeBSD will still send out icmp packets out the default
gateway. I wanted to avoid this for two reasons. One of my ISPs
blocks icmp messages for clients that don't belong on its network.
And second because I want packets that come in one interface to
leave on the same one. The next two rules use the following format.
#            default gateway from your ip address
ipfw add fwd 66.77.88.1 ip from 66.77.88.99 to any via fxp0
ipfw add fwd 11.22.33.1 ip from 11.22.33.44 to any via fxp1

Notice that the via interface is using the ethernet interface of the
other card. This means that if Cable (fxp0) is the default gateway,
and a packet came in through the DSL interface (fxp1), send it to that
host via fxp1 instead of out the default gateway attached to fxp0.
Listing the opposite rule works to my advantage when I am using DSL
as my default gateway. That way Cable modem (fxp0) packets still leave
on fxp0.

>
> AFShin (AAS)
>
> "FreeBSD is the Best Performance OS Ever Made!"
FreeBSD has some major uses. I think it's a great networking OS.
But it's not really a great desktop OS. But those people have
several choices available to them. (Windows, MacOS, Linux, etc.)

aburke@nullplusone.com
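As an added example that is not part of Aaron's mail (nor anything from the FreeBSD project), here are steps 3 to 5 above folded into one script driven by a table of the two links, so the two per-interface files cannot drift apart. It assumes the mail's constructed addresses and gateways, that this natd accepts -P to name its own pid file (on a natd without it, keep the cp of /var/run/natd.pid from the mail), and that ipfw rule numbers 1000 to 1110 are unused. Numbered rules let the stop path delete exactly what start installed, and per-interface pid files mean stopping one link never kills the other natd.

```shell
#!/bin/sh
# Added example, not the original mail's code.  One rc-style script that
# derives both natd instances and all four ipfw rules (divert + fwd) from
# a single table of links.  Addresses, gateways and rule numbers are the
# constructed values from the mail; natd -P is assumed to be supported;
# ipfw rule numbers 1000-1110 are assumed free.

# iface  divert-port  local-address  gateway  label   (constructed table)
LINKS='fxp0 8668 11.22.33.44 11.22.33.1 Cable
fxp1 8669 66.77.88.99 66.77.88.1 DSL'

NATD=/sbin/natd
IPFW=/sbin/ipfw
NATD_CONF=/etc/natd.conf

# Print the ipfw rules for one link.  The divert rule catches both
# directions on that interface.  The fwd rule catches replies sourced from
# this link's own address that the default route would otherwise push out
# of the *other* interface, and hands them to this link's gateway instead.
rules_for() {   # rules_for iface port addr gw other_iface rulebase
    echo "$IPFW add $6 divert $2 ip from any to any via $1"
    echo "$IPFW add $(( $6 + 10 )) fwd $4 ip from $3 to any via $5"
}

# The remaining interface in LINKS (the one the fwd rule is matched "via").
other_iface() {   # other_iface iface
    echo "$LINKS" | awk -v me="$1" '$1 != me { print $1; exit }'
}

# All rules for all links, 100 rule numbers apart per link.
all_rules() {
    base=1000
    echo "$LINKS" | while read -r iface port addr gw label; do
        rules_for "$iface" "$port" "$addr" "$gw" "$(other_iface "$iface")" "$base"
        base=$(( base + 100 ))
    done
}

# Turn "ipfw add N ..." lines into "ipfw delete N" so stop mirrors start.
delete_rules() {
    all_rules | sed 's/ add \([0-9][0-9]*\) .*/ delete \1/'
}

# -p takes a port number or a name from /etc/services; numbers avoid the
# extra natd2 services entry.  -u: translate RFC 1918 sources only.
# -P (assumed available) gives each instance its own pid file.
start_natd() {   # start_natd iface port label
    "$NATD" -p "$2" -s -u -f "$NATD_CONF" -n "$1" -P "/var/run/natd.$1.pid" \
        && printf ' natd started on %s (%s)' "$1" "$3"
}

# Kill only the natd bound to this interface; never killall natd.
stop_natd() {   # stop_natd iface
    pidfile="/var/run/natd.$1.pid"
    if [ -f "$pidfile" ]; then
        kill "$(cat "$pidfile")" && rm -f "$pidfile"
    else
        echo "no pid file for natd on $1; leaving other instances alone" >&2
        return 1
    fi
}

case "${1:-print}" in
    print)  all_rules ;;                       # dry run: show the ruleset only
    start)  echo "$LINKS" | while read -r iface port addr gw label; do
                start_natd "$iface" "$port" "$label"
            done
            all_rules | sh -x ;;
    stop)   echo "$LINKS" | while read -r iface port addr gw label; do
                stop_natd "$iface"
            done
            delete_rules | sh -x ;;
esac
```

Run with no argument (or `print`) to see the four rules it would install without touching ipfw; `start` and `stop` then execute the generated lines. Because the rules are generated from one table, adding a third uplink is one more line in LINKS, though other_iface would then need to emit every other interface rather than just one.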

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AMEMKJNMFLJCJDLFIEDBIEBLFMAA.aburke>