Multihomed router with NAT
Hello,

I'm working on a router that acts as a captive portal and transparent
http proxy for unregistered or disabled hosts that plug in to our
network.

The router has a public administrative interface on em0,
192.168.100.10/24. The router has a physically separate interface,
192.168.200.10/24 on vlan200 using em1, for the NAT clients. The router
also has the interface vlan100 on em1 with the address 10.100.0.1/16.
The "captured" machines are assigned addresses on the 10.100/16 subnet.
The router's firewall allows certain http traffic through the NAT, such
as windows updates. All other http requests are forwarded through an
instance of squid to an apache instance.

The system's default route is configured on the administrative
interface, via 192.168.100.1. My firewall includes the rule:
$cmd 0013 divert natd ip from not me to any via vlan200

The NAT does not work. From a "captured" machine, I am able to ping both
192.168.200.10 and the gateway 192.168.200.1, but nothing off-subnet. We
suspect the packets leaving the NAT, tagged with source-address
192.168.200.10 are being routed via the system's default route at
192.168.100.1. The router is dropping these packets on the floor,
because the source address doesn't match the subnet it's routing.

Is it possible to tell the system to use a different default route based
on the source address of the packet? We want to keep the administrative
interface on a separate subnet from the client traffic.

I tried using an ipfw fwd rule:
$cmd 0014 fwd 192.168.200.1 ip from 192.168.200.10 to not \
192.168.200.10/24

But this had no effect. Any suggestions would be greatly appreciated.

Thanks,

--
Chris Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
"May all your pushes be popped"

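Added example, not part of the original post or the poster's configuration. It assumes the actual failure is that client packets are routed out em0 by the default route before they ever reach the divert rule bound to vlan200, so the fix is to policy-route the still un-NATed 10.100/16 traffic onto vlan200 at ingress and NAT it there; the rule numbers, the `recv vlan100` match and the natd options are assumptions.

```ipfw
# Constructed ruleset. Assumes $cmd="ipfw add", natd started with
# -alias_address 192.168.200.10 (or -interface vlan200), and
# net.inet.ip.forwarding=1. Rule numbers are arbitrary.

# 1. Policy-route client traffic at ingress. fwd is evaluated on the incoming
#    packet, before the kernel's route lookup, so the next hop becomes
#    192.168.200.1 and the egress interface vlan200 instead of the default
#    route on em0. Match the original 10.100/16 source here: natd has not
#    rewritten it yet, so a rule keyed on 192.168.200.10 can never match.
$cmd 0010 fwd 192.168.200.1 ip from 10.100.0.0/16 to not 10.100.0.0/16 in recv vlan100

# 2. NAT on the client-facing uplink only. Outbound packets now traverse
#    vlan200 and leave with source 192.168.200.10; replies addressed to
#    192.168.200.10 arrive on vlan200 and are translated back to the host.
$cmd 0013 divert natd ip from not me to any via vlan200

# 3. Never let untranslated client addresses leak out the admin interface.
#    A non-zero counter on this rule means step 1 is not matching.
$cmd 0014 deny log ip from 10.100.0.0/16 to any out via em0
```

`ipfw show` counters on rule 0010 confirm whether the fwd rule is matching at all; on FreeBSD releases where fwd is a kernel option, a fwd rule with no effect usually means the kernel was built without options IPFIREWALL_FORWARD.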
