Date:      Sun, 28 May 2000 13:04:33 -0400
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Andrew Shahoff <shahoff@latnet.lv>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Ipfw + natd
Message-ID:  <20000528130433.D55597@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <NDBBIANAAMLPPFKCKNFIEEFKCAAA.shahoff@latnet.lv>; from shahoff@latnet.lv on Sun, May 28, 2000 at 06:12:35PM +0300
References:  <NDBBIANAAMLPPFKCKNFIEEFKCAAA.shahoff@latnet.lv>

On Sun, May 28, 2000 at 06:12:35PM +0300, Andrew Shahoff wrote:
> 
> 1) What I have:    /real lan/ed1 with 2 real IPs from one
> subnet/freebsd4.0/ed0 with 2 fake IPs from 2 different subnets
> 2) What I need : I need to divert the first fake net to the first real IP, and divert
> the second fake subnet to the second real IP

OK, I think I understand this. Not sure _why_ you'd want to do this
when both of the logical private networks are the same physical
network, but I guess you must have a reason.

> 3) What I do : start 2 natds (with different ports)
>  	/sbin/natd -p 8668 -u -a ${firstreal}
>  	/sbin/natd -p 8669 -u -a ${secondreal}
> 
>  write in rc.firewall rules like that
> 
>         ${fwcmd} add 10 divert 8668 all from 10.0.0.0/24 to any via ${firstreal}
>         ${fwcmd} add 20 divert 8669 all from 10.0.1.0/24 to any via ${secondreal}
>         ${fwcmd} add pass all from any to any
> 
> And all, nothing works (if I write  ${fwcmd} add 10 divert 8668 all from
> any to any via ${firstreal} all works, but only through ${firstreal})
> 
> Where is the error?

Well, nothing coming back in would be handled correctly. Say you try
to start a connection out from one of your private networks. I believe
the packet gets aliased properly leaving, but when a reply comes back,
it has a source of the remote machine you are trying to connect with
and the destination of the NAT box, so it is never going to trigger
either of those divert rules.

Another problem: I believe 'via ${firstreal}' and 'via ${secondreal}'
actually mean the same thing in your case. From ipfw(8),

             via ipno  Packet must be going through the interface having IP
                       address ipno.

And for both of these IP addresses we are in ed1.

Hmmm... How to get this to work... How about,

  ${fwcmd} add 10 divert 8668 all from any to ${firstreal} recv ed1
  ${fwcmd} add 20 divert 8669 all from any to ${secondreal} recv ed1
  ${fwcmd} add 30 divert 8668 all from 10.0.0.0/24 to any xmit ed1
  ${fwcmd} add 40 divert 8669 all from 10.0.1.0/24 to any xmit ed1

No promises. That's off the top of my head, but I think it at least
shows what I think you need to do. You need to pass the incoming
packets to the proper natd process by checking their destination
IP. Outgoing packets need to be checked by their source address. Use
recv and xmit to tell the difference between incoming and outgoing.
-- 
Crist J. Clark                           cjclark@home.com
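To make the matching argument above concrete, here is an added Python model (not from this thread, and not ipfw itself) of how the two rule sets classify a packet before it reaches the final 'pass all' rule. It assumes constructed addresses for ${firstreal}, ${secondreal} and the remote host, treats 'via' as direction-independent because both addresses sit on ed1, and ignores what natd does with the packet after re-injection.

```python
import ipaddress

# Constructed placeholder addresses; substitute the real ones from rc.firewall.
FIRST_REAL = ipaddress.ip_address("192.0.2.10")    # ${firstreal}, natd -p 8668
SECOND_REAL = ipaddress.ip_address("192.0.2.11")   # ${secondreal}, natd -p 8669
NET_A = ipaddress.ip_network("10.0.0.0/24")        # private net behind FIRST_REAL
NET_B = ipaddress.ip_network("10.0.1.0/24")        # private net behind SECOND_REAL

# A rule is (natd port, match function). match(direction, src, dst) where
# direction is "in" (received on ed1) or "out" (transmitted on ed1).
# Original rules: 'via <ip>' matches any packet through the interface holding
# that IP, and both IPs are on ed1, so only the source network is checked.
ORIGINAL_RULES = [
    (8668, lambda d, s, t: s in NET_A),
    (8669, lambda d, s, t: s in NET_B),
]

# Proposed rules: inbound packets are diverted by destination IP (recv ed1),
# outbound packets by source network (xmit ed1).
PROPOSED_RULES = [
    (8668, lambda d, s, t: d == "in" and t == FIRST_REAL),
    (8669, lambda d, s, t: d == "in" and t == SECOND_REAL),
    (8668, lambda d, s, t: d == "out" and s in NET_A),
    (8669, lambda d, s, t: d == "out" and s in NET_B),
]


def divert_port(rules, direction, src, dst):
    """Return the natd port chosen by the first matching divert rule, or None
    when the packet falls through to 'pass all' without translation."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for port, match in rules:
        if match(direction, src, dst):
            return port
    return None


def trace_connection(rules, private_host, remote, real_ip):
    """Classify the outgoing first packet and the remote host's reply."""
    return {
        "out": divert_port(rules, "out", private_host, remote),
        "reply": divert_port(rules, "in", remote, real_ip),
    }


if __name__ == "__main__":
    remote = "198.51.100.1"  # constructed remote host
    print("original:", trace_connection(ORIGINAL_RULES, "10.0.1.7", remote, str(SECOND_REAL)))
    print("proposed:", trace_connection(PROPOSED_RULES, "10.0.1.7", remote, str(SECOND_REAL)))
```

With the original rules the reply packet returns None, i.e. it is never handed to natd; with the proposed rules both halves of the connection reach the natd bound to ${secondreal}.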

