ipnat syntax error?

Juergen Heberling pjah at hicom.net
Mon Apr 3 10:59:26 UTC 2006 

Erik Nørgaard wrote:
>> .. snip ..

> 
> Well, my suggestion is not to exhaust your precious /28 address space 
> right away. And don't make your life unnecessary difficult, why choose 
> the addreses in the middle for bimap?
> 
> 
> Rather than using all your external ip's right away I would save some 
> for later expansion, and reserve one for debugging. You may need to 
> connect a laptop on the external net to figure out what's going on. You 
> could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and 
> future expansion (not mapped), x.x.x.12/30 map for lan clients.
> 
> If you stick to cidr you can also write your filter rules in cidr making 
> it far easier to read an maintain.
> 
> For the mapping, and bimapping consider this:
> 
> The /24 network you want to map, it contains at most 254 hosts. If you 
> map that network to a single ip, then each host can establish at least 
> 256 simultaneous connections. My experience is that this is far mor than 
> needed in most normal operating environments. I'd suggest using the same 
> ip as on the firewall external interface.
> 
> If the purpose of binatting is to make one service available, http say, 
> then you may consider using rdr. IIRC you can also use rdr to round 
> robin load balancing incoming connections.
> 
> That way you can have one host serving http and another serving smtp on 
> the same external ip. The only reason to use different ip's is if you're 
> hosting a number of https servers, each need a different ip.
> 
> There's no point in bimapping all ports on a external ip to one single 
> internal ip if most of them are blocked by the filter.
> 
> Cheers, Erik

Erik,

Thank you again for your advice.

Due to historical reasons I can not just take a /29 or /30 block out of 
the middle of the cidr I will ultimately use -- this FreeBSD server will 
implement a firewall on an existing connection replacing an old Cisco 
router that only NAT'd.  So I will see if things can work with "just" 
one "map" with portmaps.

Please note that the "-" for the range syntax is documented in several 
places, not just the FreeBSD handbook and should probably be fixed.

Thanks again.
Juergen

More information about the freebsd-questions mailing list