Date:      Fri, 1 Mar 2002 14:34:54 -0800 (PST)
From:      Dennis Holmes <dholmes@liberator.dyndns.org>
To:        Kevin.Pieckiel@VirginiaDOT.org (Pieckiel Kevin A)
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd woes
Message-ID:  <200203012234.OAA66398@star-one.liberator.dyndns.org>
In-Reply-To: <5A617D4D38B5D51192AA0060081849455DD827@501sumail1.vdot.state.va.us> from "Pieckiel, Kevin A" at "Mar 1, 2002  1:10:39 pm"

Look what Pieckiel, Kevin A wrote:
> I am desperately trying to get natd working, but nothing I try works.
> 
> Freebsd 4.5-Stable, IPFIREWALL and IPDIVERT enabled in kernel config.
> rc.conf contains GATEWAY=YES & FIREWALL=YES.
> ipfw rules are as follows:
>    
> 00500 divert 8668 tcp from any to any via 159.169.40.2
> 65535 allow ip from any to any
> 
> PC has two NICs and a modem.  NIC1 is 10.5.51.20, NIC2 is 159.169.40.2.
> 10.5.51.20 and 159.169.40.2 are on the same physical network.  NIC2 is
> the ONLY computer in its subnet save a cisco 4000 router that can
> route traffic between my two subnets.  This cisco 4000 also connects
> my LAN to the company's state-wide WAN.
>  
> The modem dials up to a video web server connected to a camera via
> ppp.  We will use this black box web server to control the camera and
> get still image captures.  The modem is assigned an IP of 192.168.0.100,
> the camera is on 192.168.0.10, and the dialup box is 192.168.0.1 (which
> is the camera's default gateway).  I do NOT set the gateway of the
> dialup computer to 192.168.0.1 as if I were calling an ISP.  I do not
> want this behavior.  I need the default gateway to stay where it is so
> that I can still get to the rest of my WAN and the Internet.
> 
> Here's what works:
> PPP enabled as follows--
> ppp -nat -ddial cameraserver
> 
> static route added--
> route add 192.168.0.0/24 192.168.0.1
>   
> Win2K PC on LAN (10.5.51.18) gets route added--
> route add 192.168.0.0 mask 255.255.255.0 10.5.51.20
> 
> Make http connection in browser to http://10.5.51.20
> and I can connect to my camera like I expect to be able to.
> 
> Here's what doesn't work:
> This machine is not a gateway, and it is not possible to set routes
> on clients or routers to specifically add 192.168.0.0 to point to
> this machine as I did in the above setup.  I want to redirect traffic
> sent to 159.169.40.2 (since the whole WAN can get to that as is) to
> my camera at 192.168.0.10.
> 
> I have tried every conceivable way to use natd, with and without the
> -nat option to PPP, but cannot get clients to connect by pointing
> their browsers to 159.169.40.2.
> 
> 
> /etc/ppp/ppp.conf:
> default:
>   set device /dev/cuaa0
>   set speed 115200
>   disable pred1
>   deny pred1
>   disable lqr
>   deny lqr
>   set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 4 \"\" ATZ OK-ATZ-OK
> ATDT\\T TIMEOUT 60 CONNECT"
>   set redial 100 5
> 
> cameraserver:
>   set authname xxx
>   set authkey xxx
>   set phone 9,pri-vate
>   set timeout 0
>   set openmode active
>   accept chap
>   set ifaddr 127.1.1.1/0 127.2.2.2/0 0.0.0.0 0.0.0.0
> 
> I don't know what other info you might need to help me get this working.
> Any help you could offer would be GREATLY appreciated.
> 
> Thanks,
> Kevin A. Pieckiel
> 

I haven't used the -nat option to ppp.  Since you're using ppp on the back
end (dialing into a private network) and this option would be used most
commonly to provide service to a private LAN when dialing into the Internet,
my inclination would be to use natd independently of ppp.  The natd rule
you need would be:
   redirect_address 192.168.0.10 159.169.40.2
and you'd specify NIC2 as the interface to natd.
In any case, your PC must be configured as a gateway in order to forward the
packets to and from the camera.  This just means that it will forward
packets, not that it has to be listed in the routing table of another
system.  It sounds like this already is/was the case given your working
example.
Incidentally, if your two NICs are on the same physical network (same
broadcast domain), this can be done with a single physical NIC by aliasing
one of the addresses and fiddling with the ipfw divert rules.

+----------------+-------------------+------------------------------------+
| Dennis Holmes  | dholmes@rahul.net |  "We demand rigidly defined        |
| San Jose, CA   +-------------------+   areas of doubt and uncertainty!" |
+------=>{ Meanwhile, as Ford said: "Where are my potato chips?" }<=------+
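The setup Dennis describes, written out as an added example (this is not part of the thread or of any FreeBSD script): natd started by rc rather than by `ppp -nat`, the `redirect_address` mapping from the camera to the public address of NIC2, and an ipfw divert rule on that interface placed ahead of the catch-all allow. The interface name `fxp1` for NIC2, the file paths `/etc/natd.conf` and `/etc/ipfw.rules`, and the rule numbers are assumptions; the addresses and natd's divert port 8668 come from the thread. The script only prints the three configuration pieces unless run as `apply` by root on the gateway, so it can be read and checked without touching a live box.

```sh
#!/bin/sh
# Added example, not from the original message or from FreeBSD's rc scripts.
# natd run independently of ppp, redirecting 159.169.40.2 to the camera.

EXT_IF="fxp1"                # assumed interface name of NIC2 (159.169.40.2)
EXT_ADDR="159.169.40.2"      # public-side address clients browse to
CAMERA="192.168.0.10"        # camera reached over the ppp link
NATD_PORT="8668"             # natd's default divert port; must match the ipfw rule

# /etc/rc.conf lines: forwarding on, firewall on, natd on NIC2.
# gateway_enable is what makes the box forward packets to and from the camera;
# no other host needs a route pointing at this machine.
rc_conf() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="${EXT_IF}"
natd_flags="-f /etc/natd.conf"
EOF
}

# /etc/natd.conf: static one-to-one mapping. Inbound packets to the public
# address are rewritten to the camera; replies are rewritten back on the way out.
natd_conf() {
    cat <<EOF
redirect_address ${CAMERA} ${EXT_ADDR}
EOF
}

# /etc/ipfw.rules (read by rc.firewall via firewall_type). The divert rule
# must see traffic in both directions on the natd interface, hence 'via',
# and must come before the allow rule. 'ip' rather than 'tcp' so that
# non-TCP traffic to the camera is translated as well. 65535 is the
# kernel's default rule and cannot be added, so the allow uses 65000.
ipfw_rules() {
    cat <<EOF
add 00500 divert ${NATD_PORT} ip from any to any via ${EXT_IF}
add 65000 allow ip from any to any
EOF
}

# Consistency check a practitioner wants before applying: the port in the
# divert rule and the port natd listens on must agree, or nothing is
# translated and connections to ${EXT_ADDR} simply time out.
check_divert_port() {
    ipfw_rules | grep -q "divert ${NATD_PORT} " || return 1
    return 0
}

# Write the files on the gateway. Deliberately does not edit /etc/rc.conf;
# the rc_conf lines are printed for the administrator to merge by hand.
apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply must be run as root on the FreeBSD gateway" >&2
        return 1
    fi
    check_divert_port || { echo "divert port mismatch" >&2; return 1; }
    natd_conf > /etc/natd.conf
    ipfw_rules > /etc/ipfw.rules
    echo "Merge the following into /etc/rc.conf, then reboot or run"
    echo "/etc/rc.firewall and start natd; dial with: ppp -ddial cameraserver"
    rc_conf
}

case "${1:-show}" in
    apply) apply ;;
    *)
        echo "# /etc/rc.conf";    rc_conf;    echo
        echo "# /etc/natd.conf";  natd_conf;  echo
        echo "# /etc/ipfw.rules"; ipfw_rules
        ;;
esac
```

With ppp started as `ppp -ddial cameraserver` (no `-nat`) and the static route `route add 192.168.0.0/24 192.168.0.1` still in place, a browser anywhere on the WAN pointed at 159.169.40.2 is diverted to natd on NIC2, rewritten to 192.168.0.10, forwarded over the ppp link, and the camera's replies are rewritten back to the public address.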
