Re: Puzzling NATD problem - revisited
Thank you both for your answers. The campus network uses public ip address space, sorry for not including that information. The fact why I included it in between the internet and the natd gateway is that if there's some weirdness in it, I somehow have to compensate for it in FreeBSD. As I stated, Linux users haven't had any problems with nat in the same network. Even I had working nat in the same network two years ago (on FreeBSD 4.1-4.3 I think) so I'm trying to pinpoint the cause for this extremely peculiar behaviour. Josh Paetzel wrote: >On Tue, Oct 08, 2002 at 03:28:28PM -0400, JoeB wrote: > > >>You state Network topology: >>Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host >> >>Internet is public ip address, if Campus Network private ip address then >>you can not nat them again, if Campus Network is public ip address then you >>should nat x11 for the private ip address on the lan behind the FBSD box. >> >> >That's not correct. I've seen two layers of NATD work just fine in an office >building environment where the gateway to the office was natting ips to the >individual clients, and then clients were natting again to hang multiple >machines off the one ip they got from the office gateway. > >Josh > > "You should nat x11 for the private ip address on the lan behind the FBSD box." I always thought natd should run on the external interface? How can natd work perfectly if I'm running it on a wrong interface? > > >>-Original Message- >>From: [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED]]On Behalf Of Kim Helenius >>Sent: Tuesday, October 08, 2002 9:13 AM >>To: [EMAIL PROTECTED] >>Subject: Puzzling NATD problem - revisited >> >>The setting: >> >>Network topology: >>Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host >> >>A custom kernel build including the following options: >>options IPFIREWALL >>options IPDIVERT >>Used the command: >>sysctl net.inet.ip.forwarding=1 >>And started natd with natd -interface xl0 >> >>Then did, straight from the manpage, the following firewall rules: >>/sbin/ipfw -f flush >>/sbin/ipfw add divert natd all from any to any via xl0 >>/sbin/ipfw add pass all from any to any >> >>Now NAT works perfectly for the internal host, but (almost) all TCP >>connections cease to work to/from the NATD machine. AFAIK UDP and ICMP work >>perfectly. I've tried this on two different FreeBSD machines in the same >>network with identical results. If I remove the divert rule, everything >>works perfectly, except of course for the NAT. There have been no similar, >>puzzling effects on any Linux hosts I know of in the same network. Therefore >>I'm sure there's some knob I haven't pushed yet :) >> >>I'm aware this doesn't make much of a firewall but I'd like to get natd >>working before I run the firewall script. >> >>-- >>Kim Helenius >>[EMAIL PROTECTED] >> >> >> >>To Unsubscribe: send mail to [EMAIL PROTECTED] >>with "unsubscribe freebsd-questions" in the body of the message >> >> >>To Unsubscribe: send mail to [EMAIL PROTECTED] >>with "unsubscribe freebsd-questions" in the body of the message >> >> -- Kim Helenius [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
Re: Puzzling NATD problem - revisited
On Tue, Oct 08, 2002 at 03:28:28PM -0400, JoeB wrote: > You state Network topology: > Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host > > Internet is public ip address, if Campus Network private ip address then > you > can not nat them again, if Campus Network is public ip address then you > should > nat x11 for the private ip address on the lan behind the FBSD box. That's not correct. I've seen two layers of NATD work just fine in an office building environment where the gateway to the office was natting ips to the individual clients, and then clients were natting again to hang multiple machines off the one ip they got from the office gateway. Josh > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of Kim Helenius > Sent: Tuesday, October 08, 2002 9:13 AM > To: [EMAIL PROTECTED] > Subject: Puzzling NATD problem - revisited > > The setting: > > Network topology: > Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host > > A custom kernel build including the following options: > options IPFIREWALL > options IPDIVERT > Used the command: > sysctl net.inet.ip.forwarding=1 > And started natd with natd -interface xl0 > > Then did, straight from the manpage, the following firewall rules: > /sbin/ipfw -f flush > /sbin/ipfw add divert natd all from any to any via xl0 > /sbin/ipfw add pass all from any to any > > Now NAT works perfectly for the internal host, but (almost) all TCP > connections cease to work to/from the NATD machine. AFAIK UDP and ICMP work > perfectly. I've tried this on two different FreeBSD machines in the same > network with identical results. If I remove the divert rule, everything > works perfectly, except of course for the NAT. There have been no similar, > puzzling effects on any Linux hosts I know of in the same network. Therefore > I'm sure there's some knob I haven't pushed yet :) > > I'm aware this doesn't make much of a firewall but I'd like to get natd > working before I run the firewall script. > > -- > Kim Helenius > [EMAIL PROTECTED] > > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-questions" in the body of the message > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
RE: Puzzling NATD problem - revisited
You state Network topology: Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host Internet is public ip address, if Campus Network private ip address then you can not nat them again, if Campus Network is public ip address then you should nat x11 for the private ip address on the lan behind the FBSD box. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kim Helenius Sent: Tuesday, October 08, 2002 9:13 AM To: [EMAIL PROTECTED] Subject: Puzzling NATD problem - revisited The setting: Network topology: Internet---Campus Network---(xl0)FreeBSD NATD machine(xl1)---Internal host A custom kernel build including the following options: options IPFIREWALL options IPDIVERT Used the command: sysctl net.inet.ip.forwarding=1 And started natd with natd -interface xl0 Then did, straight from the manpage, the following firewall rules: /sbin/ipfw -f flush /sbin/ipfw add divert natd all from any to any via xl0 /sbin/ipfw add pass all from any to any Now NAT works perfectly for the internal host, but (almost) all TCP connections cease to work to/from the NATD machine. AFAIK UDP and ICMP work perfectly. I've tried this on two different FreeBSD machines in the same network with identical results. If I remove the divert rule, everything works perfectly, except of course for the NAT. There have been no similar, puzzling effects on any Linux hosts I know of in the same network. Therefore I'm sure there's some knob I haven't pushed yet :) I'm aware this doesn't make much of a firewall but I'd like to get natd working before I run the firewall script. -- Kim Helenius [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message