RE: NATD Internal Network problems

2005-12-30 Thread Ted Mittelstaedt


>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Chris S. Wilson
>Sent: Thursday, December 29, 2005 3:08 PM
>To: Greg Barniskis
>Cc: freebsd-questions
>Subject: RE: NATD Internal Network problems
>
>
>Weird, every other router I've used forwards all the packets properly,
>even my backup linksys when I hook it up.
>

Those aren't forwarding the packets properly.

The CPU in your Linksys isn't capable of routing 100Mbit of traffic
from an inside host to your linksys then back to the inside host.
Try it some time and see for yourself. - copy a large file around or
some such.  While it's happening your Internet access will roll over
and die.

What the commercial routers like a Cisco can do is DNS translation,
assuming the DNS server is on the outside.  The DNS server responds
with the outside IP address and the translator in the Cisco converts
it to the inside private number.  So the hosts on the inside can use
a regular hostname that would normally resolve to the outside of
the translator, and they get the inside number and nobody knows
the difference.

Some other translators pull this trick by having the DNS server set to
the IP address of the translator, and they proxy all the DNS queries.

There's a good chance that a large number of these "every other
router I've used" routers you have used are in fact doing this, and you
just didn't even notice.

It is actually extremely easy to do the same thing on a FreeBSD box
running as a translator.  Just turn on named, and set up the named file
for the domain used on your inside net, and forward all other queries to
the real DNS servers on the outside.  Then set the inside hosts to use
the FreeBSD box as their DNS server.  This is exactly how Linksys
does it.  If you need instructions just ask, they are very easy.

Ted

>Really I don't want to do the split dns stuff, sadly I will have to move
>away from FreeBSD for performing this operation I guess.
>
>Thanks for the help!
>
>CW.
>
>-Original Message-
>From: Greg Barniskis [mailto:[EMAIL PROTECTED]
>Sent: Thursday, December 29, 2005 3:05 PM
>To: Chris S. Wilson
>Cc: freebsd-questions
>Subject: Re: NATD Internal Network problems
>
>Chris S. Wilson wrote:
>> Hello! :)
>>
>> I am having a problem with freebsd 5.3-release and natd.
>>
>> When I try to connect to a service on my internal network to an IP on
>> my external network that has a port redirected, it won't connect.
>>
>> IE: 67.128.100.2 is my external IP, on my internal network I try to
>> connect to 67.128.101.2:80 which is forwarded in my natd.conf and the
>> connection is refused.
>>
>> Does anyone know why?
>
>I don't know the exact technical reasons "why" but I will confirm for
>you that this simply does not work, and the reasons why center around it
>being a rather tortured mess.
>
>Your inside machines should reach your inside server by its inside
>address. Think about how you're sending your request outside the
>firewall (getting the request NATed on the way out) and then back in
>(getting the request re-NATed), and then having the reply packets from
>the web server have to take the reverse of that path. Yuck.
>
>Use split DNS so that "www.example.com" appears to external clients
>as being your external NAT server address, and appears to inside clients
>as the web server's real inside address.
>
>
>--
>Greg Barniskis, Computer Systems Integrator South Central Library System
>(SCLS) Library Interchange Network (LINK) ,
>(608) 266-6348
>___
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"[EMAIL PROTECTED]"
>



Re: NATD Internal Network problems

2005-12-29 Thread Greg Barniskis

Chris S. Wilson wrote:

Weird, every other router I've used forwards all the packets properly,
even my backup linksys when I hook it up.


Probably works there because there's not a very complex packet 
filtering operation in the middle when using an off-the-shelf router.


Keep in mind that I'm speaking from distant memory. What you 
describe doesn't work for me, never did, and I know it's been talked 
about on this list as being an undesirable thing to do anyway, given 
that there are better alternatives than torturing your packets.


You can possibly make FreeBSD do what you want, but (IIRC) it's 
going to take some ipfw wizardry, or whatever you're using to drive 
packets into natd. Also, I believe the result of that is that you'd 
have to create a less secure set of rules about what is permitted to 
pass. In other words the real reason this doesn't work is that as a 
best practice, it shouldn't.


--
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
, (608) 266-6348


RE: NATD Internal Network problems

2005-12-29 Thread Chris S. Wilson
Weird, every other router I've used forwards all the packets properly,
even my backup linksys when I hook it up.

Really I don't want to do the split dns stuff, sadly I will have to move
away from FreeBSD for performing this operation I guess.

Thanks for the help!

CW. 

-Original Message-
From: Greg Barniskis [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 29, 2005 3:05 PM
To: Chris S. Wilson
Cc: freebsd-questions
Subject: Re: NATD Internal Network problems

Chris S. Wilson wrote:
> Hello! :)
> 
> I am having a problem with freebsd 5.3-release and natd.
> 
> When I try to connect to a service on my internal network to an IP on 
> my external network that has a port redirected, it won't connect.
> 
> IE: 67.128.100.2 is my external IP, on my internal network I try to 
> connect to 67.128.101.2:80 which is forwarded in my natd.conf and the 
> connection is refused.
> 
> Does anyone know why?

I don't know the exact technical reasons "why" but I will confirm for
you that this simply does not work, and the reasons why center around it
being a rather tortured mess.

Your inside machines should reach your inside server by its inside
address. Think about how you're sending your request outside the
firewall (getting the request NATed on the way out) and then back in
(getting the request re-NATed), and then having the reply packets from
the web server have to take the reverse of that path. Yuck.

Use split DNS so that "www.example.com" appears to external clients
as being your external NAT server address, and appears to inside clients
as the web server's real inside address.


--
Greg Barniskis, Computer Systems Integrator South Central Library System
(SCLS) Library Interchange Network (LINK) ,
(608) 266-6348


Re: NATD Internal Network problems

2005-12-29 Thread Greg Barniskis

Chris S. Wilson wrote:

Hello! :)

I am having a problem with freebsd 5.3-release and natd.

When I try to connect to a service on my internal network to an IP on my
external network that has a port redirected, it won't connect.


IE: 67.128.100.2 is my external IP, on my internal network I try to
connect to 67.128.101.2:80 which is forwarded in my natd.conf and the
connection is refused.

Does anyone know why?


I don't know the exact technical reasons "why" but I will confirm 
for you that this simply does not work, and the reasons why center 
around it being a rather tortured mess.


Your inside machines should reach your inside server by its inside 
address. Think about how you're sending your request outside the 
firewall (getting the request NATed on the way out) and then back in 
(getting the request re-NATed), and then having the reply packets 
from the web server have to take the reverse of that path. Yuck.


Use split DNS so that "www.example.com" appears to external 
clients as being your external NAT server address, and appears to 
inside clients as the web server's real inside address.



--
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
, (608) 266-6348
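The two failure modes Greg describes above, and the split-DNS alternative Ted describes at the top of this thread, are easier to see in a small model than in prose. The following is an added example, not code from the thread and not natd or ipfw code: it models a natd box carrying the `redirect_port tcp 10.0.10.2:80 67.128.100.2:80` rule from the thread and lets a client on the LAN dial the external address. The inside client 10.0.10.50, the box's inside address 10.0.10.1, the client source port 40000 and the zone content `www.example.com -> 10.0.10.2` are assumptions. The `rewrite_source` switch is my gloss on the "ipfw wizardry" Greg mentions: for a hairpinned connection to work, the client's source address has to be rewritten as well, so that the server's reply is forced back through the translator instead of going straight to the client across the LAN.

```python
"""Model of a hairpinned TCP connection through natd, and of the split-DNS
alternative.  Added example: a model of natd/ipfw behaviour, not their code.
Addresses from the thread: 67.128.100.2 (external), 10.0.10.2 (web server).
Assumed: the box's inside address 10.0.10.1, client 10.0.10.50, port 40000."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

EXT_IP = "67.128.100.2"
NAT_INSIDE_IP = "10.0.10.1"       # assumed: natd box's LAN-side address
WEB_INSIDE = "10.0.10.2"
CLIENT = "10.0.10.50"             # assumed inside client
LAN = ip_network("10.0.10.0/24")

# natd.conf line from the thread: redirect_port tcp 10.0.10.2:80 67.128.100.2:80
REDIRECTS = {(EXT_IP, 80): (WEB_INSIDE, 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str                     # "SYN", "SYN-ACK" or "RST"


class NatBox:
    """redirect_port as seen from the LAN.  translate_inside: does the ipfw
    divert rule hand packets arriving on the inside interface to natd at all?
    rewrite_source: is the client's source also replaced by the box's inside
    address, so the server's reply has to come back through the box?"""

    def __init__(self, translate_inside, rewrite_source):
        self.translate_inside = translate_inside
        self.rewrite_source = rewrite_source
        self.flows = {}           # translated 4-tuple -> original 4-tuple

    def from_lan(self, p):
        """A LAN host sent p to the box; return what the box emits."""
        if not self.translate_inside or (p.dst, p.dport) not in REDIRECTS:
            # The box itself is the destination and nothing listens on the
            # port, so the kernel answers with RST: "connection refused".
            return Packet(p.dst, p.dport, p.src, p.sport, "RST")
        in_ip, in_port = REDIRECTS[(p.dst, p.dport)]
        new_src = NAT_INSIDE_IP if self.rewrite_source else p.src
        self.flows[(new_src, p.sport, in_ip, in_port)] = (p.src, p.sport, p.dst, p.dport)
        return replace(p, src=new_src, dst=in_ip, dport=in_port)

    def from_server(self, p):
        """The server replied to the box; undo the translation."""
        c_ip, c_port, ext_ip, ext_port = self.flows[(p.dst, p.dport, p.src, p.sport)]
        return Packet(ext_ip, ext_port, c_ip, c_port, p.flag)


def lan_next_hop(p):
    """On-link destinations are reached directly (ARP); anything else goes
    to the default gateway, which is the natd box."""
    return p.dst if ip_address(p.dst) in LAN else NAT_INSIDE_IP


def server_answer(p):
    """The web server replies to whatever source address it saw."""
    assert (p.dst, p.dport) == (WEB_INSIDE, 80)
    return Packet(p.dst, p.dport, p.src, p.sport, "SYN-ACK")


def client_attempt(connect_to, nat):
    """Client dials connect_to:80 and reports what it observes."""
    syn = Packet(CLIENT, 40000, connect_to, 80, "SYN")
    if lan_next_hop(syn) == WEB_INSIDE:           # direct on the LAN, no NAT
        reply = server_answer(syn)
    else:                                         # via the natd box
        out = nat.from_lan(syn)
        if out.flag == "RST":
            return "refused"
        reply = server_answer(out)
        if lan_next_hop(reply) == NAT_INSIDE_IP:  # reply passes back through the box
            reply = nat.from_server(reply)
        # otherwise the server answered the client directly; natd never saw it
    # A client only accepts a SYN-ACK from the peer it actually dialled.
    if (reply.src, reply.sport, reply.dst) == (connect_to, 80, CLIENT):
        return "connected"
    return "stray reply from %s:%d, connection hangs" % (reply.src, reply.sport)


def hairpin_not_diverted():
    """Inside interface not diverted to natd: the box answers for itself."""
    return client_attempt(EXT_IP, NatBox(translate_inside=False, rewrite_source=False))


def hairpin_destination_only():
    """Destination rewritten, source left alone: the reply bypasses the box."""
    return client_attempt(EXT_IP, NatBox(translate_inside=True, rewrite_source=False))


def hairpin_with_source_rewrite():
    """Both addresses rewritten: the return path is symmetric and it works."""
    return client_attempt(EXT_IP, NatBox(translate_inside=True, rewrite_source=True))


def split_dns():
    """Inside resolver hands out the inside address (Ted's named setup);
    the client never touches the translator at all."""
    inside_zone = {"www.example.com": WEB_INSIDE}  # assumed zone content
    return client_attempt(inside_zone["www.example.com"], NatBox(False, False))


if __name__ == "__main__":
    for f in (hairpin_not_diverted, hairpin_destination_only,
              hairpin_with_source_rewrite, split_dns):
        print("%-28s %s" % (f.__name__, f()))
```

Run with python3. The first case is the one that matches the "connection refused" Chris reports: the packet to the external address reaches the box, is not handed to natd, and the box's own kernel refuses it. The second case is what Greg calls the tortured path: only the destination is rewritten, the server answers the client directly across the LAN, and the client sees a SYN-ACK from 10.0.10.2 that belongs to no connection it opened. The third case shows the cost of making hairpin work, which is that every inside-to-inside connection through the box now appears to the server as coming from the box, so server logs lose the real client address. The last case is the split-DNS path, where nothing needs translating.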


RE: NATD Internal Network problems

2005-12-29 Thread Chris S. Wilson
Everything works great from the nat box and from the outside (people are
currently using it to get into my web server from the outside). 

It's odd.

CW.

-Original Message-
From: Chuck Swiger [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 29, 2005 12:55 PM
To: Chris S. Wilson
Cc: freebsd-questions@freebsd.org
Subject: Re: NATD Internal Network problems

Chris S. Wilson wrote:
> Hmm, still doesn't work.
> 
> That seemed to be a typo however I still can't connect :(

Does "telnet 10.0.10.2 80" from the firewall box work?
Does normal NAT work OK (ie, can internal machines connect outside)?
Does not using the external IP help:

redirect_port tcp 10.0.10.2:80 80

Be prepared to invoke 'tcpdump' to see what is going on...

--
-Chuck


Re: NATD Internal Network problems

2005-12-29 Thread Chuck Swiger

Chris S. Wilson wrote:

Hmm, still doesn't work.

That seemed to be a typo however I still can't connect :(


Does "telnet 10.0.10.2 80" from the firewall box work?
Does normal NAT work OK (ie, can internal machines connect outside)?
Does not using the external IP help:

redirect_port tcp 10.0.10.2:80 80

Be prepared to invoke 'tcpdump' to see what is going on...

--
-Chuck


RE: NATD Internal Network problems

2005-12-29 Thread Chris S. Wilson
Hmm, still doesn't work.

That seemed to be a typo however I still can't connect :(

CW

 

-Original Message-
From: Chuck Swiger [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 29, 2005 12:42 PM
To: Chris S. Wilson
Cc: freebsd-questions@freebsd.org
Subject: Re: NATD Internal Network problems

Chris S. Wilson wrote:
[ ... ]
> IE: 67.128.100.2 is my external IP, on my internal network I try to 
> connect to 67.128.101.2:80 which is forwarded in my natd.conf and the 
> connection is refused.
> 
> Does anyone know why?

Change the "-" to a "0" in:

redirect_port tcp 10.0.10.2:8- 67.128.100.2:80

...?

--
-Chuck


Re: NATD Internal Network problems

2005-12-29 Thread Chuck Swiger

Chris S. Wilson wrote:
[ ... ]

IE: 67.128.100.2 is my external IP, on my internal network I try to
connect to 67.128.101.2:80 which is forwarded in my natd.conf and the
connection is refused.

Does anyone know why?


Change the "-" to a "0" in:

    redirect_port tcp 10.0.10.2:8- 67.128.100.2:80

...?

--
-Chuck