NAT Question

Koroush Saraf koroush.saraf at lmco.com
Tue Jun 10 15:27:01 PDT 2003


Hi all,

I'm trying to set up a BSD box to act as a NAT gateway between a private net and the public Internet. My requirement is to map the src and destination of the packet according to a set of rules.

The BSD box has two public IP addresses. Depending on which interface the packet arrives on it will get routed to a different private destination address.

I'm using ipnat with the following mapping on the NAT box.
The NAT box has only 1 interface, xl0.
The IP addresses of this interface are:
public  129.197.244.6/24, 129.197.244.7/24, 129.197.244.8/24
private 10.77.1.2/24, 10.77.2.2/24

The servers on the private lan are 10.77.1.1/24 and 10.77.2.1/24 on two different subnets.

to 
List of active MAP/Redirect filters:
map xl0 129.197.244.7/32 -> 10.77.1.1/32
map xl0 129.197.244.8/32 -> 10.77.2.1/32
map xl0 10.77.1.1/32 -> 129.197.244.7/32
map xl0 10.77.2.1/32 -> 129.197.244.8/32

However I'm not getting the desired results.

From a computer with IP address 129.197.244.2 I ping 129.197.244.8. I expect the ICMP packet to reach the BSD NAT box, get translated to the 10.77.2.1 address and be forwarded with a src address of 10.77.2.2 out of xl0 to the particular server. Then the server would reply back to 10.77.2.2 and it would get translated back to 129.197.244.2 with a source address of 129.197.244.8. But this is not happening.

If the source of the ping is a BSD box, the reply comes back as if I was routed to the destination server, but in reality it's not being routed, since the destination server doesn't see the packet.

for example:

ping from FreeBSD box:

Pinging 129.197.244.8 with 32 bytes of data:
Reply from 10.77.2.1: bytes=32 time<10ms TTL=255

But 10.77.2.1 doesn't really see the ping packets. (Verified using tcpdump and the delay metric, which remains the same whether I ping 129.197.244.6.)

And a ping from a Windows box doesn't even get translated and times out.

So in short, I need someone to tell me the correct syntax to set up the mapping so that I can map any src and dst IP address into any other src and dst address and retain the return path as well.


Thanks for your thoughts in advance,
~koroush
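As an added illustration, not from the original post or from ipnat itself, here is a small Python model of the two-way translation the post expects, using the addresses from the post. The Packet type, StaticNat class, session table and ident field (ICMP echo id or L4 port) are my own constructions, not ipnat's internals.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int  # ICMP echo id (or L4 port); constructed so two clients can share one rule

# Constructed from the addresses in the post:
# public address -> (private server, gateway's own address on that private subnet)
STATIC_MAP = {
    "129.197.244.7": ("10.77.1.1", "10.77.1.2"),
    "129.197.244.8": ("10.77.2.1", "10.77.2.2"),
}

class StaticNat:
    """Two-way 1:1 translation with a session table for the return path."""

    def __init__(self, static_map):
        self.static_map = static_map
        self.sessions = {}  # (server, gw_priv, ident) -> (external src, public dst)

    def inbound(self, pkt):
        """Public side -> private side. Returns None when no rule matches the destination."""
        rule = self.static_map.get(pkt.dst)
        if rule is None:
            return None
        server, gw_priv = rule
        self.sessions[(server, gw_priv, pkt.ident)] = (pkt.src, pkt.dst)
        return Packet(src=gw_priv, dst=server, ident=pkt.ident)

    def outbound(self, pkt):
        """Reply from the private server -> public side, restoring the original addresses."""
        orig = self.sessions.get((pkt.src, pkt.dst, pkt.ident))
        if orig is None:
            return None  # no matching session: the reply cannot be untranslated
        ext_src, public_dst = orig
        return Packet(src=public_dst, dst=ext_src, ident=pkt.ident)

def ping_exchange(nat, client, public_ip, ident=1):
    """Run the echo request/reply the post expects; returns (to_server, back_to_client)."""
    to_server = nat.inbound(Packet(src=client, dst=public_ip, ident=ident))
    if to_server is None:
        return None, None
    reply = Packet(src=to_server.dst, dst=to_server.src, ident=ident)
    return to_server, nat.outbound(reply)

if __name__ == "__main__":
    print(ping_exchange(StaticNat(STATIC_MAP), "129.197.244.2", "129.197.244.8"))
```

Without the ident in the session key, two external hosts pinging the same public address would be indistinguishable on the return path, since both become 10.77.2.2 toward the server.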


More information about the freebsd-questions mailing list