From owner-freebsd-questions Sun May 28 10: 4:49 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id C973037B672
	for ; Sun, 28 May 2000 10:04:45 -0700 (PDT)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id NAA55991;
	Sun, 28 May 2000 13:04:34 -0400 (EDT)
	(envelope-from cjc)
Date: Sun, 28 May 2000 13:04:33 -0400
From: "Crist J. Clark"
To: Andrew Shahoff
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Ipfw + natd
Message-ID: <20000528130433.D55597@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from shahoff@latnet.lv on Sun, May 28, 2000 at 06:12:35PM +0300
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, May 28, 2000 at 06:12:35PM +0300, Andrew Shahoff wrote:
> 
> 1) What I have: /real lan/ed1 with 2 real IP`s from one
> subnet/freebsd4.0/ed0 with 2 fake ip`s from 2 different subnets
> 2) What I need : I need divert first fake net to first real IP , and divert
> second fake subnet to second real ip

OK, I think I understand this. Not sure _why_ you'd want to do this when
both of the logical private networks are the same physical network, but I
guess you must have a reason.

> 3) What I do : start 2 natd`s ( with different ports )
> /sbin/natd -p 8668 -u -a ${firstreal}
> /sbin/natd -p 8669 -u -a ${secondreal}
> 
> write in rc.firewall rules like that
> 
> ${fwcmd} add 10 divert 8668 all from 10.0.0.0/24 to any via ${firstreal}
> ${fwcmd} add 20 divert 8669 all from 10.0.1.0/24 to any via ${secondreal}
> ${fwcmd} add pass all from any to any
> 
> And all , nothing work ( if I write ${fwcmd} add 10 divert 8668 all from
> any to any via ${firstreal} all work but only through ${firstreal} )
> 
> Where is error ?

Well, nothing coming back in would be handled correctly. Say you try to
start a connection out from one of your private networks. I believe the
packet gets aliased properly leaving, but when a reply comes back, it has
a source of the remote machine you are trying to connect with and the
destination of the NAT box; it is never going to trigger either of those
divert rules.

Another problem: I believe 'via ${firstreal}' and 'via ${secondreal}'
actually mean the same thing in your case. From ipfw(8),

     via ipno
          Packet must be going through the interface having IP address
          ipno.

And for both of these IP addresses we are in ed1.

Hmmm... How to get this to work... How about,

  ${fwcmd} add 10 divert 8668 all from any to ${firstreal} recv ed1
  ${fwcmd} add 20 divert 8669 all from any to ${secondreal} recv ed1
  ${fwcmd} add 30 divert 8668 all from 10.0.0.0/24 to any xmit ed1
  ${fwcmd} add 40 divert 8669 all from 10.0.1.0/24 to any xmit ed1

No promises. That's off the top of my head, but I think it at least shows
what I think you need to do. You need to pass the incoming packets to the
proper natd process by checking their destination IP. Outgoing packets
need to be checked by their source address. Use recv and xmit to tell the
difference between incoming and outgoing.
-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
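The following is an added example, not code from either poster: a small first-match simulator for the two rule sets in the thread, so the reasoning in the reply can be checked packet by packet. It models only the ipfw features the thread uses (src/dst address matching, `via`, `recv`, `xmit`, first-match-wins) and assumes a constructed interface table in which ed1 owns both real addresses (placeholders from the TEST-NET range stand in for ${firstreal} and ${secondreal}) and ed0 owns the two private-side gateway addresses. Packet objects describe the packet at the hook where ipfw sees it, so an outbound flow is evaluated once when received on ed0 and again when transmitted on ed1.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed interface table (assumption): ed1 carries both real IPs,
# ed0 the private side. TEST-NET placeholders replace ${firstreal}/${secondreal}.
FIRSTREAL, SECONDREAL = "192.0.2.10", "192.0.2.11"
IFACE_ADDRS = {"ed1": {FIRSTREAL, SECONDREAL}, "ed0": {"10.0.0.1", "10.0.1.1"}}


@dataclass
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet is on at this ipfw hook
    direction: str   # "in" (received) or "out" (transmitted)


@dataclass
class Rule:
    num: int
    action: str      # "divert 8668", "divert 8669" or "pass"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    via: Optional[str] = None    # interface name or an IP owned by it
    recv: Optional[str] = None   # match only when received on this iface
    xmit: Optional[str] = None   # match only when transmitted on this iface


def iface_matches(spec: str, pkt: Packet) -> bool:
    # ipfw accepts an interface name or an address the interface owns.
    if spec in IFACE_ADDRS:
        return pkt.iface == spec
    return spec in IFACE_ADDRS.get(pkt.iface, set())


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not addr_matches(rule.src, pkt.src) or not addr_matches(rule.dst, pkt.dst):
        return False
    # "via" matches in either direction; "recv"/"xmit" pin the direction.
    if rule.via and not iface_matches(rule.via, pkt):
        return False
    if rule.recv and not (pkt.direction == "in" and iface_matches(rule.recv, pkt)):
        return False
    if rule.xmit and not (pkt.direction == "out" and iface_matches(rule.xmit, pkt)):
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first rule (by number) that matches."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # what ipfw does when no rule matches


# The poster's original rc.firewall rules.
ORIGINAL = [
    Rule(10, "divert 8668", "10.0.0.0/24", "any", via=FIRSTREAL),
    Rule(20, "divert 8669", "10.0.1.0/24", "any", via=SECONDREAL),
    Rule(65000, "pass", "any", "any"),
]

# The recv/xmit rule set suggested in the reply.
PROPOSED = [
    Rule(10, "divert 8668", "any", FIRSTREAL, recv="ed1"),
    Rule(20, "divert 8669", "any", SECONDREAL, recv="ed1"),
    Rule(30, "divert 8668", "10.0.0.0/24", "any", xmit="ed1"),
    Rule(40, "divert 8669", "10.0.1.0/24", "any", xmit="ed1"),
    Rule(65000, "pass", "any", "any"),
]

# Constructed traffic: an outbound packet from the second private net as seen
# on transmit via ed1, and the remote host's reply arriving on ed1 addressed
# to the real IP that natd -a ${secondreal} rewrote the source to.
OUT_ED1 = Packet("10.0.1.5", "198.51.100.7", "ed1", "out")
REPLY = Packet("198.51.100.7", SECONDREAL, "ed1", "in")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(f"{name}: outbound -> {first_match(rules, OUT_ED1)}, "
              f"reply -> {first_match(rules, REPLY)}")
```

Running it shows the failure the reply describes: with the original rules the outbound packet is diverted, but the reply has a public source and the NAT box's address as destination, so neither "from 10.0.x.0/24" rule can match and it falls through to `pass` without being un-aliased. With the recv/xmit rules the reply is steered to the natd listening on 8669 by its destination address, and the same outbound packet is left alone when first received on ed0 and only diverted once it is being transmitted on ed1.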