NATD and Address Redirection
Jim Durham
durham at jcdurham.com
Fri Jul 25 10:49:40 PDT 2003
I'm wondering about the characteristics of the redirect_address option
of natd. I tried this on -questions, but no one replied, so I thought
I'd ask on here, hoping to find folks more familiar with kernel
mechanisms here.

Consider a FreeBSD NAT "gateway" between a public IP on one network
interface and a private "LAN" address on the 2nd interface serving a
group of Windows machines on the LAN with private IPs.

We wanted to allow outside access to one of the LAN machines.

According to the documentation, as I read it, redirect_address sets up
a "static NAT" which is symmetrical between a public address on the
outside interface of a FreeBSD machine and a machine on a private IP
attached to the "inside" or "LAN" network interface.

The procedure we used was to alias a 2nd public address to the outside
interface and use a redirect_address statement in natd.conf to
redirect connections to the new public IP to the inside machine.

This doesn't seem to be symmetrical. You can ping the inside machine
from outside using the new address, and if you connect outwards from
the inside machine, the outside world sees the connection as coming
from the new public IP. However, a test running VNC server on the
inside machine and connecting from outside does not work. You can
connect to the inside machine and it sees mouse and keyboard, but the
virtual screen does not work. It seems that the connection works
properly redirecting inward but not outward. VNC disconnects in about
a minute.

If you connect to the inside machine using the -via option of VNC to
build an encrypted tunnel to the FreeBSD gateway and then connect to
the inside machine directly, it works properly, so it doesn't appear
to be a VNC problem.

I'm questioning whether the connection is really symmetrical?
-Jim
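The setup the message describes (a second public address aliased onto the outside interface and mapped to one LAN host with redirect_address), written out as an added configuration example; it is not from the original post, and the interface names (fxp0 outside, fxp1 LAN) and the 203.0.113.x / 192.168.1.x addresses are assumptions:

```conf
# /etc/rc.conf (fragment) -- assumed names: fxp0 = outside, fxp1 = LAN
ifconfig_fxp0="inet 203.0.113.2 netmask 255.255.255.0"
# Second public address aliased onto the outside interface
# (host netmask, since it lies in the same subnet as the primary address)
ifconfig_fxp0_alias0="inet 203.0.113.5 netmask 255.255.255.255"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf
# redirect_address localIP publicIP: static mapping of one LAN host to the
# aliased public address. Packets arriving for 203.0.113.5 are rewritten to
# 192.168.1.10; packets leaving from 192.168.1.10 go out as 203.0.113.5.
# Other LAN hosts keep sharing the primary address of fxp0.
redirect_address 192.168.1.10 203.0.113.5

# ipfw rule that hands packets to natd (assumed rule number). Traffic in
# both directions through the outside interface must match the divert rule,
# otherwise only one half of the mapping is ever rewritten.
#   ipfw add 50 divert natd ip from any to any via fxp0
```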