ip address of the local user is not nat'd to its alias
Nenad Gavrilovic
neca at boox.co.yu
Sat Sep 30 06:13:30 PDT 2006
Hanns Hartman wrote:
> Hi All,
> I have read through a lot of the mailing list archives and have had
> no success with the following problem. I have a box that is
> functioning as a captive portal, aka think free wifi login at
> Starbucks or the like.
> I have two interfaces, fxp0 and fxp1, that point to two different
> networks that have statically assigned IP addresses, and a third, fxp2, which
> is the internal network. (BTW I am running FreeBSD 4.11 on this box.)
> I have two instances of natd running on the box, one assigned to each
> of the two external interfaces, with options -snup enabled, and each
> instance has its own port number.
> So the problem is that when I try to send traffic via an ipfw
> divert rule out one of the interfaces and I look at an ethereal trace
> on the box of the webserver that is the destination I am trying to get
> to, the source IP address is not nat'd to the interface's IP address
> that points to that network. So when the destination box tries to send
> a response it doesn't know where to send the packets, since it's trying
> to send them to an IP on the internal network. Do any of you have any
> idea why the source address of the initial [SYN] would be the
> internal network and not the IP address of the interface that is on
> that network? I enabled logging on natd and I think it's working,
> because whenever I try to connect to the website I see the natd stats
> in the log file increase in number.
> thanks in advance for the help
> Hanns
>
> KERNEL_CONFIG
>
> ...
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_FORWARD
> options IPDIVERT
> options IPFW2
>
>
> IPFW_rules
>
> /sbin/ipfw add 500 set 2 divert natd2 ip from $clientip to any in
> /sbin/ipfw add 600 set 2 allow ip from any to any in
>
> natd starting
> /sbin/natd -p natd -s -u -n fxp1 -P /var/run/natd_fxp1.pid
> /sbin/natd -p natd2 -s -u -n fxp0 -P /var/run/natd2_fxp0.pid
You have to have two rules for natd, as follows
(from
<http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html>):
natd_enable="YES" # Enable NATD function
natd_interface="rl0" # interface name of public Internet NIC
natd_flags="-dynamic -m" # -m = preserve port numbers if possible
pif="rl0" # public interface name of NIC
# facing the public Internet
1. $cmd 500 divert natd ip from any to any out via $pif
2. $cmd 100 divert natd ip from any to any in via $pif
The 1st rule triggers when a packet goes OUT via $pif: natd stores
information about the packet and changes the source IP from the original to $pif.
The 2nd rule triggers when a packet comes IN via $pif: natd checks
the information from the packet, and if it has stored information that it
changed the source IP, it changes the source IP from $pif back to the original.
You have to have one set of rules for natd and another set of rules for natd2.
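The reply's in/out divert pair, written out for the original poster's layout as an added example (this is not a script from the thread or from the FreeBSD handbook). It assumes natd on port name "natd" serves fxp1 and natd2 serves fxp0, as in the poster's natd command lines; the rule numbers and the dry-run IPFW variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Each natd instance needs BOTH a
# divert rule for packets going OUT via its interface (natd rewrites the
# source address to the interface address) and one for packets coming IN
# via that interface (natd restores the original address). The poster's
# single "in" rule on the internal side never hits the outbound path, so
# the source address is never aliased.
# Dry run by default: IPFW defaults to "echo /sbin/ipfw", so the rules are
# printed, not loaded. Set IPFW=/sbin/ipfw to install them on the box.
IPFW="${IPFW:-echo /sbin/ipfw}"

# nat_rules <natd port name> <external interface> <first rule number>
# Emits the in/out divert pair for one natd instance. The set number (2)
# matches the poster's existing rules; rule numbers are assumed.
nat_rules() {
    port="$1"; pif="$2"; num="$3"
    # inbound first: replies are un-NATed before any allow rule sees them
    $IPFW -q add "$num" set 2 divert "$port" ip from any to any in via "$pif"
    num=$((num + 100))
    # outbound: this is the rule the poster was missing
    $IPFW -q add "$num" set 2 divert "$port" ip from any to any out via "$pif"
}

# One rule pair per natd instance, i.e. "one set of rules for natd and
# another set of rules for natd2". Returns the full rule list.
all_nat_rules() {
    nat_rules natd  fxp1 100   # natd  <-> fxp1 (poster's first instance)
    nat_rules natd2 fxp0 300   # natd2 <-> fxp0 (poster's second instance)
    $IPFW -q add 600 set 2 allow ip from any to any
}

all_nat_rules
```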