Date:      Mon, 27 Jan 2003 22:42:07 -0700 (MST)
From:      Nick Rogness <nick@rogness.net>
To:        Vikash Badal - PCS <VikashB@ComparexAfrica.co.za>
Cc:        "'freebsd-questions@FreeBSD.ORG'" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Source nat question (ipfw and natd) Revised
Message-ID:  <20030127221735.S64691-100000@skywalker.rogness.net>
In-Reply-To: <501BF453CDCFD111A6E40080C83DAC04E4C219@PSICS001>

On Tue, 28 Jan 2003, Vikash Badal - PCS wrote:

> Greetings,
>
> My current natd.conf is as follows :
> --------------------------------------------------------------
> redirect_address 10.136.236.18 192.168.28.61
> redirect_address 10.136.236.20 192.168.20.47
> redirect_address 10.136.236.19 192.168.21.47
> -------------------------------------------------------------
> When I add the following mapping:
> redirect_address 10.136.236.18 192.168.15.47
> the source address for connections to 192.168.15.0/24
> is 192.168.25.61
>
> What I want to do is: if I initiate a connection to 192.168.15.0/24
> from 10.136.238.18 then I need the source address to be 192.168.15.47
>
> If I initiate a connection to 192.168.28.0/24 from 10.136.238.18 then I
> need the source address to be 192.168.28.61
>
> network layout
>
> 192.168.16.0:255.255.240.0 ---------------
> 192.168.15.0:255.255.255.0 ---| 		|
> 					|		|
> 					|   HUB	|
> 					|		|
> vx0 === 192.168.15.47 (alias address)	192.168.28.61
>
> xl0 ===	10.136.236.5
> 			|
> 			|
> 			|
> 		10.136.236.0/24
>
>
> The machines on 192.168.x.x only hit 10.136.236.[18/19/20]
> depending on the application required. The source address of packets
> from the 192.168.x.x remains unaltered.
>
> The machines on the 10.136.236.0 network have a static route
> to the 192.168.x.x network.
>
> The translations work for :
> 10.136.236.20 to 192.168.20.0/24 i.e
> 	the 192.168.20.0/24  sees the source as 192.168.28.61
> 10.136.236.19 to 192.168.21.0/24 i.e
> 	the 192.168.20.0/24  sees the source as 192.168.20.47
>
> When I try to connect from 10.136.236.18 to 192.168.15.0/24,
> the source address is 192.168.28.61. I needed the source
> address to be 192.168.15.47 only when I connect to 192.168.15.0/24
>
> If I change the order of the redirect rules in /etc/natd.conf,
> i.e.
> redirect_address 10.136.236.18 192.168.15.47
> is placed before
> redirect_address 10.136.236.18 192.168.28.61
>
> then the translation to 192.168.28.0/24 no longer works but the
> translation for 192.168.15.0/24 works.


	Yes, this is true, as it will use the first entry in natd.conf for
	the translation.  The problem is, you are thinking of the
	translations backwards.  Are only 3 machines on the 10.136 segment
	talking to only 3 machines on the 192 segment?  Does communication
	have to go both ways, i.e. do the 192.168 machines need to talk to
	10.136 machines?

	Also, you can run multiple copies of natd for the same interface
	(different port needed) and direct packets to the different natds
	based on the firewall rules applied:

  Firewall rules and corresponding natd #1 (on port 8668):

# ipfw add divert 8668 ip from 10.136.236.18/32 to 192.168.15.0/24 out via vx0
# ipfw add divert 8668 ip from 192.168.15.0/24 to 192.168.15.47/32 in via vx0
# natd -p 8668 -n vx0 -redirect_address 10.136.236.18 192.168.15.47

  Firewall rules and corresponding natd #2 (on port 8669):

# ipfw add divert 8669 ip from 10.136.236.18/32 to 192.168.28.0/24 out via vx0
# ipfw add divert 8669 ip from 192.168.28.0/24 to 192.168.28.61/32 in via vx0
# natd -p 8669 -n vx0 -redirect_address 10.136.236.18 192.168.28.61


Nick Rogness <nick@rogness.net>
-
  How many people here have telekinetic powers? Raise my hand.
  				-Emo Philips
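The behaviour Nick describes, as an added model that is not part of the thread and does not touch the kernel: a single natd picks the first redirect_address entry for the source host and never looks at the destination, whereas ipfw divert rules keyed on (source host, destination net) hand the packet to a separate natd instance with its own alias. The rule and instance tables below are an assumed layout built from the ports and addresses in the reply.

```python
"""Model of natd source selection: one instance vs. ipfw-dispatched instances.

Added example, not code from the thread. It models natd's redirect_address
handling as the reply describes it (first matching entry wins) and the
ipfw-divert dispatch to per-port natd instances; nothing here is executed
against ipfw or natd.
"""
from ipaddress import ip_address, ip_network

# natd.conf from the question, in the order given (single natd instance).
NATD_CONF = [
    ("10.136.236.18", "192.168.28.61"),
    ("10.136.236.20", "192.168.20.47"),
    ("10.136.236.19", "192.168.21.47"),
    ("10.136.236.18", "192.168.15.47"),  # the added mapping that never wins
]

# Assumed dispatch table: (src net, dst net) -> divert port, as in the reply.
DIVERT_RULES = [
    ("10.136.236.18/32", "192.168.15.0/24", 8668),
    ("10.136.236.18/32", "192.168.28.0/24", 8669),
]
# One natd per divert port, each with a single redirect_address.
NATD_INSTANCES = {
    8668: ("10.136.236.18", "192.168.15.47"),
    8669: ("10.136.236.18", "192.168.28.61"),
}


def single_natd_source(src: str, conf=NATD_CONF) -> str:
    """Outgoing source after one natd: first redirect_address for src wins;
    the destination is never consulted."""
    for local, alias in conf:
        if local == src:
            return alias
    return src  # no static mapping for this host in the modelled config


def dispatched_source(src: str, dst: str) -> str:
    """Outgoing source when ipfw picks the natd instance by (src, dst)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, port in DIVERT_RULES:  # ipfw: first match wins
        if s in ip_network(src_net) and d in ip_network(dst_net):
            local, alias = NATD_INSTANCES[port]
            return alias if local == src else src
    return src  # no divert rule matched: packet is not diverted


if __name__ == "__main__":
    for dst in ("192.168.15.10", "192.168.28.10"):
        print(dst, single_natd_source("10.136.236.18"),
              dispatched_source("10.136.236.18", dst))
```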


