multiple VLAN's public IP's and NATd's : HowTo ?

"." at babolo.ru
Thu Nov 13 15:50:37 PST 2003


> How would one go about running several instances of natd with unique public IPs for several VLANs terminated on the same interface?
> 
> The idea being that multiple separate RFC-1918 networks are
> terminated as VLANs in the FreeBSD machine and that
> each VLAN goes through a separate natd instance in order to
> NAT on a particular public IP.
> 
> 1. House full of businesses.. (here shown w. 5/8)
> 2. Each business has its own LAN
> 3. Each LAN goes into a switch where the port is configured as a particular LAN
> 4. The switch is connected to a FreeBSD machine w. a set of
> VLANs matching those in the separate businesses
> 5. There should be 1 instance of natd running for each VLAN
> 6. Each natd uses separate public IPs
> 7. WAN statically configured using a /30
> 8. /29 net for 5/8 separate natds (a.b.c.0/29) routed to the WAN.
> 9. possibly "ifconfig SomePhysIf0 a.b.c.1/29"
> 
> I think for 5 IP's it would be something like:
> 
> for i in  2 3 4 5 6; do
>   natd -port 100${i} \
>   -f /etc/natd_${i}.conf \
>   -n <phys-if or vlan ?> \
>   -a a.b.c.${i}
> done
> 
> for i in 2 3 4 5 6; do
>   ipfw add divert 100${i} all .... 
>    (from VLAN-if | VLAN-CIDR | ... ?) 
>    to any ...(in via VLAN-if | out via WAN-if | .... ?)
> done
> 
> I *assume* I need to configure the /29 somewhere ..
> I *suspect* that I can do something "weird" and actually
> use all 8 IPs  ... perhaps configure the 8 IPs as aliases on lo ?
> 
> we will have more than a few addresses in order to be able to deliver
> routeable addresses if anyone so requests..
> like.. a /26 of which we use a /28 for permanent IPs and can deliver
> 6 /29 for the few who actually need a routable network.
> 
> does anyone have any experiences or hints / pointers ?
I configure home network nodes, now about 5000 private clients
and several small office nets on 4 routers.
Here is my method.
natd:
0sw~(2)>ps -axww | grep nat
54729  ??  Ss   344:53,82 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.100.pid -a xxx.xxx.49.191 -i 100 -o 101 -d
54731  ??  Ss   191:18,86 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.102.pid -a xxx.xxx.49.224 -i 102 -o 103 -d
54733  ??  Ss   360:08,39 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.104.pid -a xxx.xxx.50.127 -i 104 -o 105 -d
54735  ??  Ss   421:39,83 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.106.pid -a xxx.xxx.49.63 -i 106 -o 107 -d
54737  ??  Ss   108:41,81 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.108.pid -a xxx.xxx.49.127 -i 108 -o 109 -d
54739  ??  Ss   182:34,17 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.110.pid -a xxx.xxx.50.63 -i 110 -o 111 -d
54741  ??  Ss   302:56,97 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.112.pid -a xxx.xxx.50.159 -i 112 -o 113 -d
54743  ??  Ss   367:51,88 /sbin/natd -f /var/net/conf/nat.base -P /var/run/natd.114.pid -a xxx.xxx.50.31 -i 114 -o 115 -d
.....
0sw~(3)>cat /var/net/conf/nat.base  # can skip
log_denied yes
same_ports yes
0sw~(4)>sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0


and the ipfw rules look like
....
01200 skipto 30000 ip from any to any out
.....
04800 skipto 10000 ip from any to any in recv external_iface
.....
..... allow and deny for all local traffic
.....
20200 divert 106 ip from any to xxx.xxx.49.63
20200 divert 108 ip from any to xxx.xxx.49.127
20200 divert 100 ip from any to xxx.xxx.49.191
20200 divert 102 ip from any to xxx.xxx.49.224
20200 divert 114 ip from any to xxx.xxx.50.31
20200 divert 110 ip from any to xxx.xxx.50.63
20200 divert 104 ip from any to xxx.xxx.50.127
20200 divert 112 ip from any to xxx.xxx.50.159
.....
..... allow and deny for all local traffic
.....
49600 divert 101 ip from 10.105.1.0/24 to any out
49600 divert 105 ip from 10.105.5.0/24 to any out
49600 divert 109 ip from 10.105.9.0/24 to any out
49600 divert 111 ip from 10.105.11.0/24 to any out
49600 divert 115 ip from 10.105.15.0/24 to any out
49600 divert 103 ip from 10.105.2.0/23 to any out
49600 divert 107 ip from 10.105.6.0/23 to any out
49600 divert 113 ip from 10.105.12.0/23 to any out
.....

The NAT addresses (xxx.xxx.49.63, xxx.xxx.49.127 and so on)
do not need to be addresses of some interface;
they just have to be routed from the Internet to the router.

Sorry for bad English.
I can answer more if interested.
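The layout the reply describes, as an added example that is not from the thread: a small sh generator that emits the natd commands and ipfw divert rules for a constructed three-tenant mapping. The VLAN interface names, private subnets, public addresses, the WAN interface `em0`, and the config path `/etc/nat.base` are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the natd invocations and ipfw
# rules for per-VLAN NAT using the scheme from the reply: every natd gets
# its own -i (inbound) and -o (outbound) divert port, inbound packets are
# diverted by public destination address, outbound packets by private
# source subnet, and net.inet.ip.fw.one_pass=0 so a packet natd hands back
# continues through the ruleset. All names and addresses are constructed.

WAN_IF=em0   # assumed external interface name

# Columns: vlan-if  private-subnet  public-ip  (constructed tenant mapping)
NAT_TABLE='vlan10 192.168.10.0/24 203.0.113.10
vlan20 192.168.20.0/24 203.0.113.11
vlan30 192.168.30.0/24 203.0.113.12'

# Entry n uses inbound divert port 100+2n and outbound port 101+2n.
in_port()  { echo $((100 + 2 * $1)); }
out_port() { echo $((101 + 2 * $1)); }

# One natd per tenant. The public address need not sit on any interface;
# as the reply says, it only has to be routed from the Internet to this box.
natd_cmd() {  # $1 = entry index, $2 = public address
  printf '/sbin/natd -f /etc/nat.base -P /var/run/natd.%s.pid -a %s -i %s -o %s -d\n' \
    "$(in_port "$1")" "$2" "$(in_port "$1")" "$(out_port "$1")"
}

# The divert rules belong after the allow/deny rules for traffic between
# the local networks, so packets between two tenants are never NATed.
gen_rules() {
  n=0
  printf 'sysctl net.inet.ip.fw.one_pass=0\n'
  echo "$NAT_TABLE" | while read -r vif subnet pub; do
    printf '# %s (%s) -> %s\n' "$vif" "$subnet" "$pub"
    natd_cmd "$n" "$pub"
    # inbound: match on the public destination before natd rewrites it
    printf 'ipfw add 20200 divert %s ip from any to %s in recv %s\n' \
      "$(in_port "$n")" "$pub" "$WAN_IF"
    # outbound: match on the tenant's private source subnet leaving the WAN
    printf 'ipfw add 49600 divert %s ip from %s to any out xmit %s\n' \
      "$(out_port "$n")" "$subnet" "$WAN_IF"
    n=$((n + 1))
  done
}

gen_rules
```

Run it to review the generated commands before applying them; the inter-VLAN allow/deny rules mentioned in the reply still have to be placed ahead of rules 20200 and 49600 by hand.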


