ip address of the local user is not nat'd to its alias

[Nenad Gavrilovic]

Hanns Hartman wrote:

> Hi All,
>   I have read through a lot of the mailing list archives and have had
> no success with the following problem.  I have a box that is
> functioning as a captive portal.  aka think free wifi login at
> starbucks or the like.
>      I have two interfaces fxp0 and fxp1 that point to two different
> networks that have staticly assigned ipaddrs. and a third fxp2 which
> is the internal network.  (BTW I am running freebsd 4.11 on this box.)
> I have two instances of natd running on the box one assigned to each
> of the two external interfaces with options -snup enabled and each
> instance has its own port number.
>     So the problem is that when I try to send traffic via an ipfw
> divert rule out one of the interfaces and I look at an ethereal trace
> on the box of the webserver that is the destination I am trying to get
> to, the source ip address is not nat'd to the interface's ip address
> that points to that network. so when the destination box tries to send
> a responce it doesn't know where to send the packets since its trying
> to send them to an ip on the internal network. Do any of you have any
> idea why the source address of the initial [SYN]  would be the
> internal network and not the ip address of the interface that is on
> that network.  I enabled loging on natd and I think its working
> because whenever I try to connect to the website I see the natd stats
> in the log file increase in number.
> thanks in advance for the help
> Hanns
>
> KERNEL_CONFIG
>
> ...
> options         IPFIREWALL_DEFAULT_TO_ACCEPT
> options         IPFIREWALL_FORWARD
> options         IPDIVERT
> options         IPFW2
>
>
> IPFW_rules
>
> /sbin/ipfw add 500 set 2 divert natd2 ip from $clientip to any in
> /sbin/ipfw add 600 set 2 allow ip from any to any in
>
> natd starting
> /sbin/natd -p natd -s -u -n fxp1 -P /var/run/natd_fxp1.pid
> /sbin/natd -p natd2 -s -u -n fxp0 -P /var/run/natd2_fxp0.pid
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
>
You have to have two rules for natd as folows:
(from
<http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html>)

natd_enable="YES"                   # Enable NATD function
natd_interface="rl0"                # interface name of public Internet NIC
natd_flags="-dynamic -m"            # -m = preserve port numbers if possible

pif="rl0"     # public interface name of NIC
              # facing the public Internet

1. $cmd 500 divert natd ip from any to any out via $pif
2. $cmd 100 divert natd ip from any to any in via $pif

The 1st rule triger when package go OUT via $pif and natd store
informatio of package and change source ip from original to $pif.
The 2nd rule triger when package get IN via $pif and natd chech
informarion from package and if have stored information that he was
change source ip he change source ip from $pif to original.

You have to have one set rules for natd and another set rules for natd2.