Date:      Mon, 26 Feb 2001 12:22:56 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        "Brent B. Powers" <fbsdq@b2pi.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: With natd server, can't hit my own static IP's
Message-ID:  <20010226122256.A30738@rfx-216-196-73-168.users.reflex>
In-Reply-To: <15002.922.799479.686056@Sophie.B2Pi.com>; from fbsdq@b2pi.com on Mon, Feb 26, 2001 at 02:19:54AM -0500
References:  <bulk.28868.20010220215952@hub.freebsd.org> <20010221004746.Y62368@rfx-216-196-73-168.users.reflex> <15000.46171.122193.363607@Sophie.B2Pi.com> <20010225161353.S89396@rfx-216-196-73-168.users.reflex> <15001.58315.328789.634063@Sophie.B2Pi.com> <20010225212349.Y89396@rfx-216-196-73-168.users.reflex> <15002.922.799479.686056@Sophie.B2Pi.com>

On Mon, Feb 26, 2001 at 02:19:54AM -0500, Brent B. Powers wrote:
> >>>>> "Crist" == Crist J Clark <cjclark@reflexnet.net> writes:
> 
>     Crist> On Mon, Feb 26, 2001 at 12:04:11AM -0500, Brent B. Powers
>     Crist> wrote:
>     >> >>>>> "Crist" == Crist J Clark <cjclark@reflexnet.net> writes:
>     >> 
>     Crist> On Sun, Feb 25, 2001 at 02:29:31AM -0500, Brent B. Powers
>     Crist> wrote: [snip]
>     >>  <snip>
>     >> 
>     Crist> I think I see what is going on here. That rule 350 was a
>     Crist> bad idea on my part. Replies from 192.168.1.186 do not get
>     Crist> put through NAT. What does,
>     >>
>     Crist> 00350 divert 8669 ip from any to any via rl0
>     >>
>     Crist> And running the internal natd with the '-reverse' option
>     Crist> do?
>     >>  Ummm, prevents all machines other than the gateway from
>     >> connecting with each other, or anything. When I reverse the
>     >> order of the nat rules, not much that's better happens, but it
>     >> also nat's packets from the outside world (effectively
>     >> reversing the original nat).
> 
>     Crist> Oh, yeah. Did I not say to turn off NAT on the external
>     Crist> interface and only run it inside?
> 
> Ummm, huh??? In that case, won't the gateway (which has aliases for
> all 8 of the static IPs I care about) just eat any packet bound from
> the outside for one of those 8, and they (the packets bound for my
> non-gateway servers) will never hit the interior interface.

Yeah, just ignore the stupid suggestions. I was focusing only on the
interior problem and forgot that you need to still reach the outside
world. Forest. Trees. Can't see. Yada-yada.

> <snip>
> 
> 
>     >> I am beginning to wonder if this is actually possible via
>     >> FreeBSD. You may recall from a couple of months ago when I was
>     >> asking how to cause a server to act as a direct bridge (in
>     >> other words, for any packet for an IP that it got on one nic
>     >> that was not its own, throw the packet out the other
>     >> nic. Then, with the proper arp proxying, this whole scenario
>     >> works.
> 
>     Crist> Doing NAT on a bridge? That be whack.
> 
> That's the point... you don't do NAT. The gateway just arp proxies the
> IPs, and shuffles the packets to the correct addresses (which are
> directly connected to the interior IP).

Well, if you were doing bridging, you are best off not giving one of
the interfaces an IP address (helps people remember they only have one
logical network).

Without going to the old mail, which sorry, no, I do not recall, why
are you not using a bridge(4)?

But to take another step back, everything is working just fine except
for the fact that internal machines cannot reach a redirected address?
Running a natd on each interface will work. Just don't try to get too
clever with the inner one like I did (or be clever enough). I'm giving
up before I make more trouble.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
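The problem the thread circles around is the classic "hairpin" case: an internal client sends to one of the gateway's public aliases, and with NAT only on the external interface the gateway simply owns that address, so nothing is redirected to the inside server. Running a translator on the inside interface too is only half of it: if the redirected packet keeps the client's source address, the server answers the client directly from its private address, and the client, which was talking to the public address, sees a reply from the wrong peer. The model below is an added example, not code from this thread or from ipfw/natd; it simulates the three address-translation variants on a gateway with constructed addresses (public alias 203.0.113.10, inside server 192.168.1.186 as in the thread, client 192.168.1.50, gateway 192.168.1.1) and reports what the client ends up seeing in each case.

```python
from dataclasses import dataclass

# Constructed addresses for the model (not from any real network).
PUBLIC_IP = "203.0.113.10"      # public alias held by the gateway
SERVER_IP = "192.168.1.186"     # inside server the alias is redirected to
CLIENT_IP = "192.168.1.50"      # inside client trying to reach PUBLIC_IP
GW_INSIDE_IP = "192.168.1.1"    # gateway's address on the inside interface
REDIRECTS = {PUBLIC_IP: SERVER_IP}   # public address -> inside server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet a host would send back for this one (addresses swapped)."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Gateway:
    def __init__(self, nat_inside, hairpin):
        self.nat_inside = nat_inside  # also translate on the inside interface
        self.hairpin = hairpin        # rewrite the source so replies return via the gateway
        # maps the reply the server will send -> the reply the client expects
        self.sessions = {}

    def from_lan(self, pkt):
        """Packet arriving on the inside interface from a LAN host."""
        if pkt.dst not in REDIRECTS:
            return pkt                # ordinary LAN traffic, untouched
        if not self.nat_inside:
            return None               # gateway owns the alias: delivered locally, never forwarded
        new_src = GW_INSIDE_IP if self.hairpin else pkt.src
        fwd = Packet(new_src, pkt.sport, REDIRECTS[pkt.dst], pkt.dport)
        self.sessions[fwd.reply()] = pkt.reply()
        return fwd

    def from_server(self, pkt):
        """Reply that reached the gateway; undo the translation if we know the session."""
        return self.sessions.get(pkt, pkt)


def deliver_reply(gw, reply):
    """LAN delivery: a reply addressed to the gateway goes through it, anything else goes direct."""
    if reply.dst == GW_INSIDE_IP:
        return gw.from_server(reply)
    return reply


def simulate(nat_inside, hairpin):
    """Return what the inside client observes for one request to the public alias."""
    gw = Gateway(nat_inside, hairpin)
    request = Packet(CLIENT_IP, 40000, PUBLIC_IP, 80)
    fwd = gw.from_lan(request)
    if fwd is None:
        return "consumed by gateway"
    reply = deliver_reply(gw, fwd.reply())   # the server answers whoever the packet came from
    if reply == request.reply():
        return "ok"                           # source is PUBLIC_IP, matching the client's connection
    return "reply mismatch"                  # reply arrives from SERVER_IP; client drops it


if __name__ == "__main__":
    for nat_inside, hairpin in [(False, False), (True, False), (True, True)]:
        print(f"nat_inside={nat_inside!s:5} hairpin={hairpin!s:5} -> {simulate(nat_inside, hairpin)}")
```

The third case is the one that works: the inside translator rewrites both the destination (to the server) and the source (to the gateway), so the server's reply is forced back through the gateway, where the session table restores the public address the client expects. The second case is what "rule 350" in the thread ran into: the request is redirected, but the server's reply never passes through the translator.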
