I'm interested in having a FreeBSD box route packets between my
various internal networks as well as providing NAT services when
routing my private networks to the Internet. The network looks
something like:
    192.168.15.0 ---|
                    |
    192.168.16.0 ---|
                    |
    192.251.93.0 ---|
                    |
    Internet     ---|
                    |
                    |-- re0 interface -- FreeBSD 7.1 running IP Filter: v4.1.28
I have a configuration which appears to work, however I am wondering if
there's a better way. Note: the re0 interface has multiple IP addresses
... one on each network. Here's my ipnat.conf:
# If it's from our private networks going to our networks,
# then leave it alone ... i.e. map no-op
map re0 from 192.168.15.0/24 to 192.251.93.0/24 -> 0/0
map re0 from 192.168.15.0/24 to 192.168.16.0/24 -> 0/0
map re0 from 192.168.16.0/24 to 192.251.93.0/24 -> 0/0
map re0 from 192.168.16.0/24 to 192.168.15.0/24 -> 0/0
# If it's from our private networks going outside the building,
# then NAT it
map re0 from 192.168.15.0/24 to any -> 0/32 portmap tcp/udp 40000:60000
map re0 from 192.168.15.0/24 to any -> 0/32
map re0 from 192.168.16.0/24 to any -> 0/32 portmap tcp/udp 40000:60000
map re0 from 192.168.16.0/24 to any -> 0/32
What I'm not clear on is the best way to tell IP Filter that packets
going between my various internal networks should be left alone. Currently
I have what should be a no-op map rule, however it still results in work
being done. I.e. a NAT table entry ... ipnat -l shows things like:
MAP 192.168.16.13 161 <- -> 192.168.16.13 161 [192.251.93.208 1031]
I'd like to short circuit the whole NAT process for internal traffic.
Thoughts / suggestions / recommendations?
Note: I am limited to getting the job done using this one box.
-- John
-------------------------------------------------------------------------
| Feith Systems | Voice: 1-215-646-8000 | Email: [email protected] |
| John Wehle | Fax: 1-215-540-5495 | |
-------------------------------------------------------------------------
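As an added example, not part of John's post and not IP Filter's own code: a small Python checker that parses the ipnat.conf quoted above and reports which map rule a given source/destination pair hits first, so the rule ordering can be verified before it is loaded on the box. It assumes that ipnat walks map rules in file order and stops at the first match (the ordering in the post relies on this), and it treats the `-> 0/0` rules the way the post does, as identity mappings. The interface name re0, the networks and the 192.168.16.13 / 192.251.93.208 pair come from the post; the other sample addresses and all function names are constructed here.

```python
import ipaddress

# Constructed copy of the ipnat.conf rules quoted in the post.
IPNAT_CONF = """\
# If it's from our private networks going to our networks,
# then leave it alone ... i.e. map no-op
map re0 from 192.168.15.0/24 to 192.251.93.0/24 -> 0/0
map re0 from 192.168.15.0/24 to 192.168.16.0/24 -> 0/0
map re0 from 192.168.16.0/24 to 192.251.93.0/24 -> 0/0
map re0 from 192.168.16.0/24 to 192.168.15.0/24 -> 0/0
# If it's from our private networks going outside the building,
# then NAT it
map re0 from 192.168.15.0/24 to any -> 0/32 portmap tcp/udp 40000:60000
map re0 from 192.168.15.0/24 to any -> 0/32
map re0 from 192.168.16.0/24 to any -> 0/32 portmap tcp/udp 40000:60000
map re0 from 192.168.16.0/24 to any -> 0/32
"""


def _network(spec):
    """Turn an ipnat address spec into an ip_network; 'any' means 0/0."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def parse_rules(text):
    """Parse 'map <if> from <src> to <dst> -> <target> [options]' lines.

    Only this one rule shape (the one used in the post) is understood;
    anything else raises so a typo is not silently skipped.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        p = line.split()
        if (len(p) < 8 or p[0] != "map" or p[2] != "from"
                or p[4] != "to" or p[6] != "->"):
            raise ValueError(f"line {lineno}: unsupported rule syntax: {line}")
        rules.append({
            "line": lineno,
            "iface": p[1],
            "src": _network(p[3]),
            "dst": _network(p[5]),
            "target": p[7],
            "options": " ".join(p[8:]),
        })
    return rules


def first_match(rules, src, dst, iface="re0"):
    """Return the first rule matching (iface, src, dst), or None.

    Assumption: ipnat evaluates map rules in file order and the first
    match wins, which is what the ordering in the post relies on.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["iface"] == iface and s in rule["src"] and d in rule["dst"]:
            return rule
    return None


def verdict(rules, src, dst, iface="re0"):
    """'identity' for the post's -> 0/0 rules, 'nat' for a rewrite to an
    interface address, 'unmatched' if no map rule applies at all."""
    rule = first_match(rules, src, dst, iface)
    if rule is None:
        return "unmatched"
    return "identity" if rule["target"] == "0/0" else "nat"


def check_flows(rules, flows):
    """Evaluate (src, dst) pairs; returns [(src, dst, rule line, verdict)]."""
    out = []
    for src, dst in flows:
        rule = first_match(rules, src, dst)
        out.append((src, dst, rule["line"] if rule else None,
                    verdict(rules, src, dst)))
    return out


if __name__ == "__main__":
    rules = parse_rules(IPNAT_CONF)
    # Constructed sample flows; the first pair is the one shown by
    # ipnat -l in the post, 198.51.100.7 stands in for an Internet host.
    flows = [
        ("192.168.16.13", "192.251.93.208"),
        ("192.168.15.10", "192.168.16.5"),
        ("192.168.15.10", "198.51.100.7"),
        ("192.168.15.10", "192.168.15.20"),
        ("192.251.93.5", "198.51.100.7"),
    ]
    for src, dst, line, what in check_flows(rules, flows):
        print(f"{src:>15} -> {dst:<15} rule line {line!s:>4}  {what}")
```

Run it as-is to see which rule each constructed flow hits: the 192.168.16.13 -> 192.251.93.208 pair from the ipnat -l output lands on the identity rule at line 5, outbound traffic from either private network lands on the first `to any` rule, and the public 192.251.93.0/24 network matches nothing. The checker also makes visible that the rule set has no identity rule for traffic that stays inside one /24, so such a pair falls through to the `to any` NAT rule; whether that matters depends on whether such traffic ever reaches the NAT hook on re0, which is worth confirming before extending the rule set.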