Problem with IPFilter/IPNAT
From: Odhiambo Washington (wash_at_wananchi.com)
Date: 07/30/05
- Previous message: Nikolas Britton: "Re: onboard ethernet support"
- Next in thread: Alex de Kruijff: "Re: Problem with IPFilter/IPNAT"
- Reply: Alex de Kruijff: "Re: Problem with IPFilter/IPNAT"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 30 Jul 2005 13:41:52 +0300 To: freebsd-questions@freebsd.org
I am using IPFilter and IPNat on several FreeBSD boxes. They are mostly
configured the same.
Each box has two interfaces, public and internal, and acts as a router
to the LAN which is 'behind' it. The LAN machines use the FreeBSD as the
gateway, as well as a DNS server. I run cache-only config.
The problem I have is that when, for any reason, the public link goes
down, the machines on the LAN timeout when communicating. I can simulate
this by simply pulling out the connection from the $ext_iface (assume
this is ADSL or something like that) which is connected to the ISP
upstream.
I don't know if it is my NAT configuration causing this. Here is the
/etc/ipnat.rules that I use:
I'd want a situation where network communications within the LAN
should not be affected when the circuit to the ISP is down since
it is only used for web traffic and for the mail server on the
FreeBSD router to send outbound e-mails, not local e-mails.
<cut>
# rl0 is the internal interface. rl1 is external interface.
# These redirection rules are to force users on the LAN
# to go through Squid cache.
# First we let this machine access itself because there is a web server
# on it.
# Redirect direct web traffic to local web server.
rdr rl0 192.168.100.31/32 port 80 -> 192.168.100.31 port 80 tcp
rdr rl0 192.168.100.31/32 port 443 -> 192.168.100.31 port 443 tcp
# Transparently redirect all outgoing web traffic through squid on
# port 3128
rdr rl0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128
# Also all SMTP Connections must go via localhost
rdr rl0 0.0.0.0/0 port 25 -> 127.0.0.1 port 25
# Now do NAT, but only for packets that are NOT local.
map rl1 from 192.168.100.0/24 ! to 192.168.100.0/24 -> 0/32 portmap tcp/udp auto
map rl1 from 192.168.100.0/24 ! to 192.168.100.0/24 -> 0/32
</cut>
What am I missing or doing wrong here???
-Wash
http://www.netmeister.org/news/learn2quote.html
--
+======================================================================+
|\ _,,,---,,_ | Odhiambo Washington <wash@wananchi.com>
Zzz /,`.-'`' -. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com
|,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922
'---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121
+======================================================================+
Due to lack of disk space, this fortune database has been
discontinued.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
- Previous message: Nikolas Britton: "Re: onboard ethernet support"
- Next in thread: Alex de Kruijff: "Re: Problem with IPFilter/IPNAT"
- Reply: Alex de Kruijff: "Re: Problem with IPFilter/IPNAT"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
