ipfw / natd does not allow lan traffic to reach external numbers

Johannes Angeldorff johannes2 at smartnet.se
Sun Aug 10 14:39:09 PDT 2003


I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here is 
a list with some details:

*) The FreeBSD box uses natd and ipfw, and has two external IPs, 
let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.

*) natd is used to redirect access to external IP addresses and ports 
to internal LAN IPs, for example and, 
where for example webservers are located.

*) natd rules:

natd_flags="-redirect_address aaa.bbb.ccc.20
-redirect_port tcp 25-52
-redirect_port udp 25-52
-redirect_port tcp 80
-redirect_port udp 80
-redirect_port tcp 54-79
-redirect_port udp 54-79
-redirect_port tcp 81-722
-redirect_port udp 81-722
-redirect_port tcp 3306-4559
-redirect_port udp 3306-4559"

*) ipfw lets things through:

00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to
00300 deny ip from to any
65000 allow ip from any to any
65535 allow ip from any to any

Most things work just fine, external accesses are redirected to the 
correct ports, and the webservers work just fine. BUT the problem 
comes when a box on the LAN tries to reach a site residing on using the _external_ IP aaa.bbb.ccc.20. Then I get the 
error: "Unable to connect to remote host". Connecting from a LAN 
machine to the same site using the _internal_ IP works fine. 
Connecting to other external IPs also works fine.

I want to be able to connect from LAN boxes to the external IPs, for 
example aaa.bbb.ccc.20. Can anyone lead me on the way...? Very 
thankful for all comments on this matter.
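Added illustration, not from the original post and not FreeBSD's own code: a toy Python model of the rule walk in the post, showing how "via fxp0" on rule 00050 keeps natd from ever seeing a LAN host's packet to the external alias, while the same packet from the Internet is rewritten. The LAN addresses, the 203.0.113.5 client and the interface name fxp1 are constructed for the example.

```python
from dataclasses import dataclass, replace
EXTERNAL_IP = "aaa.bbb.ccc.20"    # alias on fxp0 (from the post); the rest is constructed
LAN_WEBSERVER = "192.168.0.10"    # constructed: LAN host behind the redirect
REDIRECTS = {("tcp", 80): (LAN_WEBSERVER, 80)}   # natd -redirect_port tcp 80

# The post's ruleset reduced to (number, action, interface named by "via" or None).
RULES = [
    (50, "divert", "fxp0"),   # 00050 divert 8668 ip from any to any via fxp0
    (100, "allow", "lo0"),    # 00100 allow ip from any to any via lo0
    (65000, "allow", None),   # 65000 allow ip from any to any
]

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str  # interface ipfw sees the packet on

def natd(pkt):
    # natd inbound step: rewrite the destination if it matches a redirect_port.
    if pkt.dst == EXTERNAL_IP and (pkt.proto, pkt.dport) in REDIRECTS:
        ip, port = REDIRECTS[(pkt.proto, pkt.dport)]
        return replace(pkt, dst=ip, dport=port)
    return pkt

def ipfw(pkt):
    # First match wins; "via X" rules are skipped unless the packet is on X.
    # A divert hands the packet to natd, then evaluation resumes below the rule.
    for num, action, via in RULES:
        if via is not None and via != pkt.iface:
            continue
        if action == "divert":
            pkt = natd(pkt)
            continue
        return num, pkt   # "allow": accepted with whatever dst it now carries
    return 65535, pkt

def from_internet():
    # Internet client -> aaa.bbb.ccc.20:80 seen on fxp0: the divert applies.
    return ipfw(Packet("tcp", "203.0.113.5", EXTERNAL_IP, 80, "fxp0"))

def from_lan():
    # LAN client -> aaa.bbb.ccc.20:80 arrives on the LAN interface ("fxp1" is a
    # constructed name): rule 50 is skipped, so dst stays the firewall's alias.
    return ipfw(Packet("tcp", "192.168.0.50", EXTERNAL_IP, 80, "fxp1"))

if __name__ == "__main__":
    for fn in (from_internet, from_lan):
        print(fn.__name__, *fn())
```

In the model the LAN packet is accepted untranslated and so is delivered to the firewall host's own alias, where nothing listens on port 80, which matches the "Unable to connect" symptom; the Internet packet reaches the webserver.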

