selective NAT/gateway



Got a bit of an interesting question, wondering how others out there might
have dealt with this:

We have a single machine acting as router/firewall/NAT gateway via DSL. It
routes a small (/29) subnet of static IPs to our servers, and routes
between internal (non-public) subnets. Internet traffic is then routed via
NAT translation over the PPPoE link. We then use a proxy server to cache
most of our web traffic. Works well, and has been for several years now, but
we need to be able to deny traffic through the NAT gateway based on IP
addresses or ranges. Given the following example:


Internet -> DSL+Subnet -> FreeBSD router + NAT/PPPoE ->
192.168.0.1 + 192.168.1.1 + 192.168.2.1 + 192.168.3.1
(each of these private subnets is a physically different network, connected
via an independent ethernet interface - multiport Intel 'fxp' cards)


Internal machines -> 192.168.0.100 - 192.168.0.200
Select Internal machines -> 192.168.0.10 - 192.168.0.50

Want to allow 192.168.0.10 through 192.168.0.50 full use of the gateway
(enabling internet access via NAT), but deny machines in the 192.168.0.100 -
192.168.0.200 range from using NAT - yet still allow them to use 'regular'
routes (given the example above, want to allow 192.168.0.X to connect
to/from 192.168.3.X for instance).

So the long question shortened is: how do I deny NAT traffic for specific IP
addresses, without blocking those addresses from routing through 'normal'
routes to other subnets? Essentially, I need an IPFW rule to block traffic
from 192.168.0.X through via NAT, or don't I?

Any ideas/comments/suggestions greatly appreciated (note the above is an
example, not actual addresses).


--
Nathan Vidican
nathan@xxxxxxxxxxx

_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
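One way to do this with IPFW and natd, as an added example that is not from the original post or its replies: the selection is made before the divert rule, scoped to the PPPoE interface, so inter-subnet routing over the fxp cards is never touched. The interface name tun0 and the default natd divert port are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: an IPFW ruleset that keeps
# 192.168.0.100-200 off the NAT'd PPPoE link while leaving their routing
# to the other 192.168.x.0/24 subnets alone. Assumptions: the PPPoE link
# is tun0 and natd runs on the default 'natd' divert port. By default the
# rules are only printed for review; set IPFW_CMD=ipfw to load them.
IPFW_CMD="${IPFW_CMD:-echo ipfw}"
PPPOE_IF="tun0"
INTERNAL="192.168.0.0/22"          # 192.168.0.0 - 192.168.3.255
NO_NAT="192.168.0.0/24{100-200}"   # ipfw addr-set: hosts .100 to .200

ruleset() {
    # Drop anything arriving from the Internet that claims an internal
    # source: those addresses never legitimately enter via the PPPoE link.
    echo "add 40 deny log ip from $INTERNAL to any in via $PPPOE_IF"
    # Traffic between the fxp-attached subnets never touches tun0, so it is
    # accepted here and is completely unaffected by the NAT rules below.
    echo "add 50 allow ip from $INTERNAL to $INTERNAL"
    # The selection has to happen BEFORE the divert rule: once natd has
    # rewritten the source to the public address, the private source is
    # gone and can no longer be matched. 'out via tun0' confines the deny
    # to the WAN link. 'log' requires net.inet.ip.fw.verbose=1.
    echo "add 100 deny log ip from $NO_NAT to any out via $PPPOE_IF"
    # Everything else crossing the PPPoE link is handed to natd; the
    # packet re-enters at the next rule with translated addresses, so the
    # .10-.50 hosts simply fall through to here.
    echo "add 200 divert natd ip from any to any via $PPPOE_IF"
    echo "add 300 allow ip from any to any out via $PPPOE_IF"
    # Inbound policy is not the question here; this keeps NAT replies
    # (already mapped back to the private hosts by natd) flowing.
    echo "add 310 allow ip from any to any in via $PPPOE_IF"
    # Anything unmatched hits ipfw's implicit rule 65535 deny.
}

load() {
    ruleset | while read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        $IPFW_CMD $rule
    done
}

load
```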