Multihomed router with NAT

Christopher Cowart ccowart at rescomp.berkeley.edu
Wed Dec 6 14:42:12 PST 2006


Hello,

I'm working on a router that acts as a captive portal and transparent
http proxy for unregistered or disabled hosts that plug in to our
network.

The router has a public administrative interface on em0, 
192.168.100.10/24. The router has a physically separate interface, 
192.168.200.10/24 on vlan200 using em1, for the NAT clients. The router
also has the interface vlan100 on em1 with the address 10.100.0.1/16.
The "captured" machines are assigned addresses on the 10.100/16 subnet.
The router's firewall allows certain http traffic through the NAT, such
as windows updates. All other http requests are forwarded through an
instance of squid to an apache instance.

The system's default route is configured on the administrative
interface, via 192.168.100.1. My firewall includes the rule:
  $cmd 0013 divert natd ip from not me to any via vlan200

The NAT does not work. From a "captured" machine, I am able to ping both
192.168.200.10 and the gateway 192.168.200.1, but nothing off-subnet. We
suspect the packets leaving the NAT, tagged with source-address
192.168.200.10 are being routed via the system's default route at
192.168.100.1. The router is dropping these packets on the floor,
because the source address doesn't match the subnet it's routing.

Is it possible to tell the system to use a different default route based
on the source address of the packet? We want to keep the administrative
interface on a separate subnet from the client traffic.

I tried using an ipfw fwd rule:
  $cmd 0014 fwd 192.168.200.1 ip from 192.168.200.10 to not \
      192.168.200.10/24

But this had no effect. Any suggestions would be greatly appreciated.

Thanks,

-- 
Chris Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
"May all your pushes be popped"
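A small model of how ipfw evaluates the two rules quoted above, added here as an illustration and not part of the original post or of FreeBSD itself. It assumes the addresses and interfaces named in the message, a natd alias of 192.168.200.10, and two documented ipfw behaviours: a packet natd reinjects re-enters the firewall at the rule after the divert, and a fwd action terminates the search and overrides the next hop. It models only the outbound pass through the ruleset; the input pass, the IPFIREWALL_FORWARD kernel option, and natd's own options are left out, so the "alternative" ordering is a hypothesis for the reader to check on a real box, not a verified fix.

```python
"""Toy model of ipfw rule evaluation for a multihomed NAT router (constructed example)."""
import ipaddress

# Constructed routing table mirroring the post: prefix -> (interface, next hop)
ROUTES = {
    "192.168.100.0/24": ("em0", None),
    "192.168.200.0/24": ("vlan200", None),
    "10.100.0.0/16": ("vlan100", None),
    "0.0.0.0/0": ("em0", "192.168.100.1"),   # default route sits on the admin interface
}
ROUTER_ADDRS = {"192.168.100.10", "192.168.200.10", "10.100.0.1"}  # what ipfw calls "me"
NAT_ALIAS = "192.168.200.10"   # assumed natd alias address (the vlan200 address)


def lookup(dst):
    """Longest-prefix match; returns (interface, next hop)."""
    best = None
    for prefix, hop in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1]


def in_set(spec, addr):
    """ipfw address specifier: 'any', 'me', or a prefix (host bits tolerated)."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in ROUTER_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt, ifp):
    src_ok = in_set(rule["from"], pkt["src"]) != bool(rule.get("not_from"))
    dst_ok = in_set(rule["to"], pkt["dst"]) != bool(rule.get("not_to"))
    via_ok = rule.get("via") in (None, ifp)   # 'via X' needs the routed egress interface
    return src_ok and dst_ok and via_ok


def run(rules, pkt):
    """Route an outbound packet, walk the rules, return its final source and egress."""
    pkt = dict(pkt)
    ifp, _ = lookup(pkt["dst"])               # interface chosen before ipfw runs
    for rule in rules:
        if not matches(rule, pkt, ifp):
            continue
        if rule["action"] == "divert":
            pkt["src"] = NAT_ALIAS             # natd rewrites the source, reinjects at next rule
            continue
        if rule["action"] == "fwd":
            ifp, _ = lookup(rule["nexthop"])   # fwd overrides the next hop and ends the search
            break
    return {"src": pkt["src"], "dst": pkt["dst"], "out": ifp}


# The two rules exactly as posted (0013 and 0014).
POSTED_RULES = [
    {"num": 13, "action": "divert", "from": "me", "not_from": True, "to": "any", "via": "vlan200"},
    {"num": 14, "action": "fwd", "nexthop": "192.168.200.1",
     "from": "192.168.200.10/32", "to": "192.168.200.10/24", "not_to": True},
]

# Hypothetical alternative: divert on the client prefix regardless of interface,
# then forward the translated packet toward the vlan200 gateway.
ALT_RULES = [
    {"num": 13, "action": "divert", "from": "10.100.0.0/16", "to": "10.100.0.0/16", "not_to": True},
    {"num": 14, "action": "fwd", "nexthop": "192.168.200.1",
     "from": "192.168.200.10/32", "to": "192.168.200.0/24", "not_to": True},
]

if __name__ == "__main__":
    captured = "10.100.5.5"                   # constructed client on the captured subnet
    print(run(POSTED_RULES, {"src": captured, "dst": "192.168.200.1"}))  # on-subnet ping
    print(run(POSTED_RULES, {"src": captured, "dst": "198.51.100.7"}))   # off-subnet
    print(run(ALT_RULES, {"src": captured, "dst": "198.51.100.7"}))
```

Under this model the on-subnet ping to 192.168.200.1 is routed via vlan200, so rule 0013 diverts it and it leaves translated, which matches the symptom that such pings succeed. An off-subnet packet is routed out em0 by the default route before ipfw sees it, so `via vlan200` never matches and natd never touches it; rule 0014 then cannot match either, because it tests for the post-NAT source 192.168.200.10 while the packet still carries its 10.100/16 address. Comparing the two traces with `ipfw show` counters on the real router (the packet counts on 0013 and 0014 should stay at zero for off-subnet traffic if the model is right) is the cheap check before changing rules.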