Re: Reverse IP NAT to secondary IP address

_at_babolo.ru
Date: 10/26/03

    To: Nils Vogels <nivo+dated+1067540755.d82241@yuckfou.org>
    Date: Sun, 26 Oct 2003 08:07:36 +0300 (MSK)
    
    

    >>configure port with SNMP-server as 192.168.0.17/30 for example
    >>instead 192.168.2.1/24, and
    >>sysctl net.link.ether.inet.proxyall=1
    >>
    >>and configure SNMP-server as 192.168.0.18/24
    >>
    >>If you can change mask of SNMP-server, you can
    >>use 192.168.0/24 and 192.168.1/24 on gateway
    >>and 192.168.0/25 on SNMP-server.
    >>
    >>
    >Since I have the internet on the same interface, but on the primary IP
    >instead, would enabling ARP PROXY not fill the ARP table with every host
    >on the internet, that tries to contact the gateway ?
    Are you using a default route?
    If yes, only the default router's MAC is used for every external IP.

    >>No NAT is needed.
    >>
    >I just tried this, but unfortunately, the same thing happens as with
    >ipfilter:
    >
    >The primary address of the interface ed0 on the gateway (the public
    >address) is used to forward the arp request.
    >
    >Taken from a dump on the gateway, when attempting telnet:
    >
    >Incoming on rl0:
    >03:35:05.867883 192.168.0.2.1511 > 192.168.2.2.23: S
    >1377718084:1377718084(0) win 57344 <mss 1460> (DF) [tos 0x10]
    >
    >Outgoing on ed0:
    >03:35:05.868333 195.0.0.1.15009 > 192.168.2.2.23: S
    >1377718084:1377718084(0) win 57344 <mss 1460> (DF) [tos 0x10]
    No NAT is needed.
    Just allow 192.168.0.2 <-> 192.168.2.2 flow directly,
    not via NAT

    >Since 195.0.0.1 (obviously obfuscated) does not fall within the subnet
    >the 192.168.2.2 box is on, there will never be a reply from the
    >192.168.2.2 box.
    If you delete NAT on the 192.168.0.2 <-> 192.168.2.2 path
    and use a wide mask on the SNMP server, there will be a reply.
    Or renumber the subnet with the SNMP server in such a way
    that it is a subnet of the net with the WWW server.
    See my previous post with an example.

    For ARP lookup you can try to swap the primary IP
    and the alias (warning!) or use a static arp entry for the
    SNMP server.

    >ARP proxying goes fine, on the WWW box, I can see the proxied reply
    >coming from my gateway for the 192.168.1.1 address .....
    >
    >Can anyone tell me, how I can make the box use the secondary address
    >(alias) automatically for forwarding the telnet session?
    >Could it be that since the gateway is running many-to-one NAT as well,
    >this is conflicting ?

    You can fire up a lot of natd (this is one of my routers):
    0sw~(2)>ps -axww | grep natd
    44888 ?? Ss 31:11,88 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.100.pid -a IP0 -i 100 -o 101 -d
    44890 ?? Ss 24:21,38 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.102.pid -a IP1 -i 102 -o 103 -d
    44892 ?? Ss 36:25,68 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.104.pid -a IP2 -i 104 -o 105 -d
    44894 ?? Ss 50:31,52 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.106.pid -a IP3 -i 106 -o 107 -d
    44896 ?? Ss 26:42,38 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.108.pid -a IP4 -i 108 -o 109 -d
    44898 ?? Ss 18:08,56 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.110.pid -a IP5 -i 110 -o 111 -d
    44900 ?? Ss 27:32,76 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.112.pid -a IP6 -i 112 -o 113 -d
    44902 ?? Ss 71:10,05 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.114.pid -a IP7 -i 114 -o 115 -d
    44904 ?? Is 0:46,65 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.98.pid -a IP8 -i 98 -o 99 -d
    where real IPs are substituted by IPx.
    You are free to use IPs from some of the
    interfaces or IPs which no interface has.
    You can use the same IP for different natd
    or not - just write the appropriate rules
    in ipfw. For example, use one natd
    for proxying one port with a selected pair of addresses.

    But again: there is no need for NAT in the
    circumstances you wrote in your first letter.

    Sorry my English is bad.

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
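The two points made above (carry the 192.168.0.2 <-> 192.168.2.2 flow directly instead of through natd, and drive several natd instances from ipfw rules with distinct divert ports) can be put together in one ipfw ruleset. The script below is an added example, not something from the thread or from FreeBSD itself; the interface name ed0, the subnets and hosts are taken from the thread, the rule numbers and divert ports are assumptions, and IP0/IP1 stand in for the gateway's public aliases exactly as in the ps output above. FWCMD defaults to a dry run that prints the ipfw commands so the ruleset can be checked before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): an ipfw ruleset that
# passes the internal-to-internal flow directly and only diverts Internet-bound
# traffic to per-address natd instances.  Rule numbers and divert ports are
# assumptions; IP0/IP1 are placeholders for the gateway's public aliases.
#
# FWCMD defaults to a dry run that prints the commands instead of running them.
FWCMD=${FWCMD:-"echo ipfw"}

EXT_IF=ed0               # public interface (from the thread)
WWW_NET=192.168.0.0/24   # subnet of the WWW box (from the thread)
OTHER_NET=192.168.1.0/24 # second internal subnet on the gateway (from the thread)
WWW_HOST=192.168.0.2     # host that opens the telnet session (from the dump)
SNMP_HOST=192.168.2.2    # SNMP server behind the alias (from the dump)

# ipfw evaluates rules in ascending order and the first match wins, so the
# bypass for the internal flow must carry a lower number than any divert rule.
# If a divert rule matched first, natd would rewrite the source to the primary
# address, which is exactly the 195.0.0.1 -> 192.168.2.2 packet seen in the dump.
ipfw_rules() {
    $FWCMD -q flush
    $FWCMD add 100 allow ip from $WWW_HOST to $SNMP_HOST
    $FWCMD add 110 allow ip from $SNMP_HOST to $WWW_HOST
    # One natd per public alias, each with its own in/out divert ports
    # (matching "natd -a IPx -i <in_port> -o <out_port>").
    $FWCMD add 200 divert 100 ip from any to IP0 in via $EXT_IF
    $FWCMD add 210 divert 101 ip from $WWW_NET to any out via $EXT_IF
    $FWCMD add 220 divert 102 ip from any to IP1 in via $EXT_IF
    $FWCMD add 230 divert 103 ip from $OTHER_NET to any out via $EXT_IF
    $FWCMD add 65000 allow ip from any to any
}

# natd command lines whose divert ports match the rules above.
natd_cmds() {
    echo "natd -a IP0 -i 100 -o 101"
    echo "natd -a IP1 -i 102 -o 103"
}

# Pre-load sanity check on the dry-run output: the first allow rule must have
# a lower number than the first divert rule.  Returns 0 when ordering is right.
check_order() {
    rules=$(FWCMD="echo ipfw" ipfw_rules)
    first_allow=$(printf '%s\n' "$rules" | awk '/ allow ip from / {print $3; exit}')
    first_divert=$(printf '%s\n' "$rules" | awk '/ divert / {print $3; exit}')
    [ "$first_allow" -lt "$first_divert" ]
}

ipfw_rules
natd_cmds
```

Run it as-is to review the generated commands; set FWCMD=/sbin/ipfw to load them for real. The ordering check is the part worth keeping in any rc script that mixes bypass and divert rules, because a bypass rule that lands after the divert rule silently reintroduces the address rewrite the thread is trying to avoid.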

