Freebsd NAT/Router design question/issue

From: Andrew Seguin (asegu_fbsdnet_at_borgtech.ca)
Date: 04/08/05

    Date: Fri, 8 Apr 2005 09:13:23 +0200 (CEST)
    To: freebsd-net@freebsd.org

    Good day,

    I've built up a freebsd router (no problems there) using 5.4-STABLE built
    after a cvsup 3 days ago.

    The router has three network cards (all fxp), and it routes mainly between
    a variety of subnets (using vlans) on fxp1, to a separate subnet on fxp0.
    fxp2 has a private address (192.168.0.1/24) and it shall be our "public
    area" connection.

    (the main router, sitting at .1, routes to .14 for anything other than .0/28)

    So, in short it looks like this:
    default gateway: .1
    fxp0: .14/28 (servers)
    fxp1 - vlan 3 - .17/28 (network printers)
    ...
    fxp1 - vlan 6 - .129/25 (bulk)
    fxp2: 192.168.0.1/24

    I enabled dhcpd with a subnet for fxp2 .. no problem here as well.

    However, when I enable NAT... I am facing a design issue. I can run natd
    just fine at the moment, but I got it to work in what seems to me in a not
    so great fashion... I'm hoping that somebody might have a recommendation
    for me!

    Current setup:
    natd.conf:
    alias_address ---.---.---.14
    unregistered only

    ipfw rule (early on):
    divert natd ip from any to any via fxp0

    Problem: traffic for other subnets goes through natd? It seems like this
    would force natd to work much harder than it needs to, not my ideal
    situation.

    Attempted setups (variants of the following):

    ifconfig fxp0 inet ---.---.---.13 netmask 0xffffffff +alias

    natd.conf:
    alias_address ---.---.---.13

    ipfw rule (early on):
      # incoming traffic of the public network gets translated.
    divert natd ip from 192.168.0.0/24 to any via fxp2
      # incoming traffic for the public network gets translated.
    divert natd ip from any to ---.---.---.13

    Problem(s):
     - can't see any traffic "host ---.---.---.13" via fxp0
     - With a computer connected to fxp2 (address from dhcp), I can ping
    192.168.0.1, the other IPs of the router box, but pings to other
    equipment time out.

    natd.conf with reverse? crashes, looks like the bug "natd coredumps with
    -reverse due to bug in libalias"
    (http://www.freebsd.org/cgi/query-pr.cgi?pr=76839) hasn't been patched in
    5.4-STABLE?

    If anybody has any suggestions for this where I don't end up with all the
    traffic going through natd, I'd greatly appreciate them!

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
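The load concern in the post comes down to which packets the divert rule hands to the natd process: every packet the rule matches crosses into userland, whether or not natd ends up translating it, and natd.conf's "unregistered only" only limits translation, not delivery. The following added example (not code from the post or from FreeBSD) is a small Python model of the ipfw interface keywords involved (via, recv, xmit, in, out) on the forwarding path, where a routed packet is examined once on input and once on output. It runs constructed flows through the post's "via fxp0" rule and through a tighter pair of rules (an assumption for illustration, not a tested configuration) that divert only private-net packets leaving fxp0 and replies arriving on fxp0 for the alias address. The 203.0.113.x addresses stand in for the masked ---.---.---.x addresses, and vlan3/vlan6 are assumed names for the 802.1q interfaces on fxp1; check ipfw(8) for the exact keyword semantics before relying on the model.

```python
"""
Simplified model of which packets an ipfw 'divert natd' rule hands to natd.

Added example, not code from the original post or from FreeBSD.  It models
only the keywords used below (src/dst, in/out, via, recv, xmit) and only
for the forwarding path, where every routed packet is examined twice: once
on input (receive interface known) and once on output (transmit interface
known).  'via' is treated as checking the receive interface on the input
pass and the transmit interface on the output pass.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the masked ---.---.---.x addresses in the post.
PUBLIC_NET = "203.0.113.0/28"     # the fxp0 "servers" subnet; .14 is the router
ALIAS_ADDR = "203.0.113.13"       # alias address natd translates to
PRIVATE_NET = "192.168.0.0/24"    # fxp2, the "public area" network


@dataclass(frozen=True)
class Pass:
    """One trip through the firewall for a packet on the forwarding path."""
    src: str
    dst: str
    direction: str              # "in" or "out"
    recv: str                   # interface the packet arrived on
    xmit: Optional[str] = None  # interface it leaves on (output pass only)


@dataclass(frozen=True)
class DivertRule:
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None  # "in", "out", or None for both
    via: Optional[str] = None
    recv: Optional[str] = None
    xmit: Optional[str] = None


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: DivertRule, p: Pass) -> bool:
    """Does this pass of the packet hit the rule under the simplified model?"""
    if not (_addr_match(rule.src, p.src) and _addr_match(rule.dst, p.dst)):
        return False
    if rule.direction and rule.direction != p.direction:
        return False
    if rule.recv and rule.recv != p.recv:
        return False
    if rule.xmit and rule.xmit != p.xmit:
        return False
    if rule.via:
        seen_on = p.recv if p.direction == "in" else p.xmit
        if rule.via != seen_on:
            return False
    return True


def diverted(ruleset, passes) -> bool:
    """True if any pass of the packet hits any divert rule in the set."""
    return any(rule_matches(r, p) for p in passes for r in ruleset)


def forwarded(src: str, dst: str, recv: str, xmit: str):
    """Both firewall passes of one packet routed from recv to xmit."""
    return (Pass(src, dst, "in", recv), Pass(src, dst, "out", recv, xmit))


# Ruleset from the post: everything crossing fxp0 goes to natd.
CURRENT = [DivertRule(via="fxp0")]

# Tighter alternative (an assumption, not from the post): divert only packets
# leaving fxp0 from the private net and packets arriving on fxp0 for the alias.
TIGHT = [
    DivertRule(src=PRIVATE_NET, direction="out", xmit="fxp0"),
    DivertRule(dst=ALIAS_ADDR, direction="in", recv="fxp0"),
]

# Constructed sample flows.  vlan3/vlan6 are assumed names for the 802.1q
# interfaces on fxp1.
FLOWS = {
    "private host to internet": forwarded("192.168.0.50", "198.51.100.7", "fxp2", "fxp0"),
    "internet reply to alias":  forwarded("198.51.100.7", ALIAS_ADDR, "fxp0", "fxp2"),
    "server to printer vlan":   forwarded("203.0.113.5", "203.0.113.18", "fxp0", "vlan3"),
    "bulk vlan to server":      forwarded("203.0.113.130", "203.0.113.5", "vlan6", "fxp0"),
}


def compare(flows=FLOWS):
    """Map each flow name to (diverted under CURRENT, diverted under TIGHT)."""
    return {name: (diverted(CURRENT, ps), diverted(TIGHT, ps)) for name, ps in flows.items()}


if __name__ == "__main__":
    for name, (cur, tight) in compare().items():
        print(f"{name:26s} current={cur!s:5s} tight={tight!s:5s}")
```

Under the post's rule, the server-to-printer and bulk-to-server flows are diverted because each crosses fxp0 once, even though natd has nothing to translate for them; under the tighter pair only the two flows that involve the 192.168.0.0/24 side reach natd. The design choice the model illustrates is to key the divert rules on direction and the specific interface plus the private source or alias destination, rather than on "any to any via" a shared interface.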


