Re: NATD and Address Redirection

From: Clement Laforet (sheepkiller_at_cultdeadsheep.org)
Date: 07/26/03

  • Next message: Jim Durham: "Re: NATD and Address Redirection" 
    Date: Sat, 26 Jul 2003 02:22:05 +0200
To: durham@jcdurham.com

    On Fri, 25 Jul 2003 13:49:38 -0400
    Jim Durham <durham@jcdurham.com> wrote:

    Hi,

    > I'm wondering about the characteristics of the redirect_address option
    >
    > of natd. I tried this on -questions, but no one replied, so I thought
    > I'd ask on here, hoping to find folks more familiar with kernel
    > mechanisms here.

    Except for DIVERT, there isn't any kernel mechanisms for address
    translatation.
     
    > Consider a FreeBSD NAT "gateway" between a public IP on one network
    > interface and a private "LAN" address on the 2nd interface serving a
    > group of windows machines on the LAN with private IPS.
    >
    > We wanted to allow outside access to one of the LAN machines.
    >
    > According to the documentation, as I read it, redirect_address sets up
    >
    > a "static NAT" which is symmetrical between a public address on the
    > outside interface of a FreeBSD machine and a machine on a private IP
    > attached to the "inside" or "LAN" network interface.
    >
    > The procedure we used was to alias a 2nd public address to the outside
    >
    > interface and use a redirect_address statement in natd.conf to
    > redirect connections to the new public IP to the inside machine.
    >
    > This doesn't seem to be symmetrical.
    <snip>
    >
    > I'm questioning whether the connection is really symmetrical?

    for incoming traffic, you must use -redirect_address, but for outgoing
    you have to set -alias_address.
    If you want to use a specific public IP to map incoming AND outgoing
    packets, you need to run 2 natd, using ipfw matching.

    regards,

    clem
    _______________________________________________
    freebsd-hackers@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
    To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

  • Next message: Jim Durham: "Re: NATD and Address Redirection"

    Relevant Pages

    • Re: multiple natd + ipfw, with 2 internal ips
      ... I have a little problem with my natd or ipfw configuration. ... Well you could if you set your internal interface to be in promiscuous mode and set proxy arp for that address ... is the next hop router, it uses ARP to find the MAC address of this router. ...
      (freebsd-net)
    • Re: Problem about ppp -nat
      ... do NAT before a check-state, so packets match dynamic rules after NAT. ... natd in /etc/rc.conf. ... More specifically the interface, here tun0, must exist before using ...
      (freebsd-questions)
    • RE: Routing With Two ISPs?
      ... >> on one interface, is there a way to make the outgoing packets from my ... First off, in /etc/services copy the natd line and rename it natd2, change ... the port number to 8669 as well. ... you have divert rules in place for both natd interfaces. ...
      (freebsd-net)
    • Re: Forward and NAT question
      ... Subject: Forward and NAT question ... If you're running NATD, you have at least 2 interfaces, this has to be ... access to the external interface where NATD is by default listening. ... - Packet is inbound via internal interface ...
      (freebsd-questions)
    • natd and ipfw external hangs
      ... em0 - external interface to the net 24.205.x.x ... natd seems to be doing the right thing. ... $IPFW 10 allow all from any to any via sk0 ... # Interface facing Public Internet ...
      (freebsd-questions)