Multiple NAT router

Julian Elischer julian at elischer.org
Fri Jul 21 18:14:32 UTC 2006


Brett Glass wrote:

> I have an application in which I'd like a FreeBSD router to have 
> multiple, isolated LANS attached to it, each with the same address 
> space. The FreeBSD box would take the place of multiple NAT routers.
>
> For example, I might want to have three internal Ethernet interfaces 
> on the FreeBSD box. Each would be connected to a LAN whose internal 
> addresses are 192.168.0.0/24. The FreeBSD box would do NAT for all of 
> them, and of course they could not "see" one another.
>
> The alternatives, of course, would be to install multiple NAT routers 
> -- which would be a waste -- or to number the LANs differently. But 
> the organization for which I'm doing this wants everything about each 
> LAN to be absolutely standard (printers at the same static addresses, 
> etc.) so that their IT guys can walk in and know exactly how 
> everything's numbered.
>
> Is it possible to do a "hydra headed" router such as this with 
> FreeBSD? I'm not sure that FreeBSD's natd is equipped to sort incoming 
> packets for multiple, identically numbered LANs properly, because it 
> would have to remember interface names as well as addresses. Also, 
> there would be the question of how one would connect inward to the 
> machines on the LANs, since "ping 192.168.0.100" would be  ambiguous. 
> (Perhaps one could do it from a jail. In fact, perhaps the virtual NAT 
> routers could be set up in jails....)


yes I have done this (though with 2 nets) but it was some time ago and 
it's very hazy as to how it was done.

I think it went something like this:

run a separate natd ON DIFFERENT PORTS for each interface and use ipfw to 
forward packets only to the appropriate natd, and only when they transition 
in or out of the appropriate interface.

i.e.
# All packets come here
ipfw add 10 allow ip from any to any via lo0
ipfw add 11 drop ip from any to 127.0.0.1
ipfw add 12 drop ip from 127.0.0.1 to any

# Only non local packets come here
ipfw add 50 skipto 100 ip from any to any in
ipfw add 51 skipto 150 ip from any to any out
# Shouldn't happen
ipfw add 52 drop ip from any to any

# only incoming packets come here
ipfw add 100 [special preprocessing for all incoming packets]
ipfw add 110 skipto 1000 ip from any to any recv fxp0
ipfw add 111 skipto 2000 ip from any to any recv fxp1
ipfw add 112 skipto 3000 ip from any to any recv fxp2
ipfw add 149 skipto 200 ip from any to any

# only outgoing packets come here
ipfw add 150 [special preprocessing for all outgoing packets]
ipfw add 160 skipto 4000 ip from any to any xmit fxp0
ipfw add 161 skipto 5000 ip from any to any xmit fxp1
ipfw add 162 skipto 6000 ip from any to any xmit fxp2


# not traversing one of the interesting interfaces, just accept it. (or do other processing)
ipfw add 200 allow ip from any to any


# Now we handle each interface/direction specifically
ipfw add 1000 [ any special preprocessing for fxp0 incoming packets]
ipfw add 1010 divert 5001 ip from any to any
ipfw add 1011 [special postprocessing for fxp0 incoming packets(after nat)]
ipfw add 1020 skipto 10000 ip from any to any

ipfw add 2000 [ any special preprocessing for fxp1 incoming packets]
ipfw add 2010 divert 5002 ip from any to any
ipfw add 2011 [special postprocessing for fxp1 incoming packets(after nat)]
ipfw add 2020 skipto 10000 ip from any to any

ipfw add 3000 [ any special preprocessing for fxp2 incoming packets]
ipfw add 3010 divert 5003 ip from any to any
ipfw add 3011 [special postprocessing for fxp2 incoming packets(after nat)]
ipfw add 3020 skipto 10000 ip from any to any

ipfw add 4000 [ any special preprocessing for fxp0 outgoing packets]
ipfw add 4010 divert 5001 ip from any to any
ipfw add 4011 [special postprocessing for fxp0 outgoing packets(after nat)]
ipfw add 4020 skipto 11000 ip from any to any

ipfw add 5000 [ any special preprocessing for fxp1 outgoing packets]
ipfw add 5010 divert 5002 ip from any to any
ipfw add 5011 [special postprocessing for fxp1 outgoing packets(after nat)]
ipfw add 5020 skipto 11000 ip from any to any

ipfw add 6000 [ any special preprocessing for fxp2 outgoing packets]
ipfw add 6010 divert 5003 ip from any to any
ipfw add 6011 [special postprocessing for fxp2 outgoing packets(after nat)]
ipfw add 6020 skipto 11000 ip from any to any

# All incoming packets come here after NAT (not ones that didn't get natted)
ipfw add 10000 [any further processing needed after natting incoming packets]
[...]
ipfw add 10999 skipto 20000 ip from any to any

# All outgoing (post NAT) packets come here
ipfw add 11000 [any further processing needed after natting outgoing packets]

# All Nat'd packets come here
ipfw add 20000 accept ip from any to any



Then for each natd I guess you have a separate natd.conf which translates 
it to a different part of a 10.x.x.x address, thus:
192.168.0.x <-> 10.100.1.x for fxp0
192.168.0.x <-> 10.100.2.x for fxp1
192.168.0.x <-> 10.100.3.x for fxp2

it occurs to me that this would make all 3 interfaces appear to be on 
the same net on the central host, which would be a problem, so I think, 
in fact I remember, that you needed one other machine on each net to be 
involved and act as a router..
(hmm need vimage to do this properly I think).

hmm maybe you can't do it.. I remember now I had multiple nat machines.

what a waste of email this was!
Anyone have ideas how to get around the fact that all the interfaces 
would appear the same?
(other than vimage)


>
> --Brett Glass
>
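The per-interface divert layout Julian sketches above, as an added example that is not part of the original thread: a POSIX sh generator that emits an ipfw ruleset in that shape (direction split, then a `recv`/`xmit` dispatch into one 1000-spaced block per interface, each diverting to its own natd port and resuming in a shared post-NAT block) plus one natd command line per interface. Interface names, divert ports, alias addresses and rule numbers are constructed assumptions. `-port` and `-alias_address` are real natd options, so each instance masquerades its LAN behind one distinct address; the 1:1 10.100.n.x mapping Julian describes is not reproduced, and the reachability question he ends with is not addressed here. The generator refuses more than four interfaces, since further 1000-spaced blocks would collide with the post-NAT blocks at 10000 and 11000, and a helper checks that no rule number is emitted twice.

```shell
#!/bin/sh
# Added example, not from the original mail: generate an ipfw ruleset with one
# divert/natd port per internal interface. Interface names, ports, alias
# addresses and rule numbers are constructed assumptions.
# Input: space-separated IFACE:DIVERTPORT:ALIASADDR triples.

gen_ruleset() {
    triples="$1"
    set -- $triples
    count=$#
    # Inbound blocks sit at n*1000, outbound blocks at (count+n)*1000 and the
    # post-NAT blocks at 10000/11000, so more than four interfaces would collide.
    if [ "$count" -lt 1 ] || [ "$count" -gt 4 ]; then
        echo "gen_ruleset: need 1..4 IFACE:PORT:ALIAS triples, got $count" >&2
        return 1
    fi
    for t in $triples; do
        case $t in
            *:*:*) ;;
            *) echo "gen_ruleset: bad entry '$t' (want IFACE:PORT:ALIAS)" >&2; return 1 ;;
        esac
    done

    echo "add 10 allow ip from any to any via lo0"
    echo "add 11 deny ip from any to 127.0.0.0/8"
    echo "add 12 deny ip from 127.0.0.0/8 to any"
    # Split by direction first; anything that is neither is dropped.
    echo "add 50 skipto 100 ip from any to any in"
    echo "add 51 skipto 150 ip from any to any out"
    echo "add 52 deny ip from any to any"

    # Inbound dispatch: a packet received on interface n goes to block n*1000.
    n=0
    for t in $triples; do
        n=$((n + 1))
        echo "add $((110 + n)) skipto $((n * 1000)) ip from any to any recv ${t%%:*}"
    done
    echo "add 149 skipto 200 ip from any to any"

    # Outbound dispatch: a packet leaving on interface n goes to block
    # (count+n)*1000; anything else falls through to rule 200.
    n=0
    for t in $triples; do
        n=$((n + 1))
        echo "add $((160 + n)) skipto $(((count + n) * 1000)) ip from any to any xmit ${t%%:*}"
    done
    echo "add 200 allow ip from any to any"

    # Per-interface blocks: divert to that interface's natd, then jump to the
    # shared post-NAT block. A packet re-injected by natd resumes at the rule
    # after the divert rule, which is why the skipto immediately follows it.
    n=0
    for t in $triples; do
        n=$((n + 1))
        port=${t#*:}; port=${port%%:*}
        inb=$((n * 1000))
        outb=$(((count + n) * 1000))
        echo "add $((inb + 10)) divert $port ip from any to any"
        echo "add $((inb + 20)) skipto 10000 ip from any to any"
        echo "add $((outb + 10)) divert $port ip from any to any"
        echo "add $((outb + 20)) skipto 11000 ip from any to any"
    done

    # Post-NAT processing points and the final accept.
    echo "add 10999 skipto 20000 ip from any to any"
    echo "add 11000 skipto 20000 ip from any to any"
    echo "add 20000 allow ip from any to any"
}

# One natd per interface, each on its own divert port with its own alias address.
gen_natd_cmds() {
    for t in $1; do
        port=${t#*:}; port=${port%%:*}
        echo "natd -port $port -alias_address ${t##*:}"
    done
}

# Sanity check: every rule number in a generated ruleset must be unique.
rule_numbers_unique() {
    printf '%s\n' "$1" | awk '{ if (seen[$2]++) bad = 1 } END { exit bad ? 1 : 0 }'
}

# Three LANs with identical internal numbering, as in the question.
gen_ruleset "fxp0:5001:10.100.1.1 fxp1:5002:10.100.2.1 fxp2:5003:10.100.3.1"
gen_natd_cmds "fxp0:5001:10.100.1.1 fxp1:5002:10.100.2.1 fxp2:5003:10.100.3.1"
```

The emitted lines carry no `ipfw` prefix, so they load through ipfw's file mode (`gen_ruleset '...' > /tmp/rules; ipfw -q /tmp/rules`) on a kernel with divert sockets. Start the natd instances before traffic reaches the divert rules: a divert rule with no listener on its port drops the packet.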


