koroush.saraf at lmco.com
Tue Jun 10 15:27:01 PDT 2003
I'm trying to set up a BSD box to act as a NAT gateway between a private net and the public Internet. My requirement is to map the src and destination of the packet according to a set of rules.
The BSD box has two public IP addresses. Depending on which interface the packet arrives on it will get routed to a different private destination address.
I'm using ipnat with the following mapping on the NAT box.
The NAT box has only 1 interface, xl0.
The IP addresses of this interface are:
public 129.197,244.6/24,18.104.22.168/24, 22.214.171.124/24
private 10.77.1.2/24, 10.77.2.2/24
The servers on the private lan are 10.77.1.1/24 and 10.77.2.1/24 on two different subnets.
List of active MAP/Redirect filters:
map xl0 126.96.36.199/32 -> 10.77.1.1/32
map xl0 188.8.131.52/32 -> 10.77.2.1/32
map xl0 10.77.1.1/32 -> 184.108.40.206/32
map xl0 10.77.2.1/32 -> 220.127.116.11/32
However I'm not getting the desired results.
From a computer with IP address 18.104.22.168 I ping 22.214.171.124. I expect the ICMP packet to reach the BSD NAT box and get translated to the 10.77.2.1 address and forwarded with a src address of 10.77.2.2 out of xl0 to the particular server. Then the server would reply back to 10.77.2.2 and it would get translated back to 126.96.36.199 with a source address of 188.8.131.52. But this is not happening.
If the source of the ping is a BSD box, the reply comes back as if I was routed to the destination server, but in reality it's not being routed, since the destination server doesn't see the packet.
Ping from FreeBSD box:
Pinging 184.108.40.206 with 32 bytes of data:
Reply from 10.77.2.1: bytes=32 time<10ms TTL=255
But 10.77.2.1 doesn't really see the ping packets. (verified using tcpdump and the delay metric which remains the same whether I ping 220.127.116.11)
And a ping from a Windows box doesn't even get translated and times out.
So in short I need someone to tell me the correct syntax to set up the mapping so that I can map any src and dst IP address into any other src and dst address and retain the return path as well.
thanks for your thoughts in advance,
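The following is an added example, not part of the original post: an ipnat(5) configuration using the documented `bimap` keyword for a static one-to-one translation on the same xl0 interface. It assumes the two private servers and two of the public addresses from the post (the public addresses as printed in the archive look obfuscated, so treat them as placeholders), and that the rest of the setup is unchanged.

```conf
# Added example (not from the original post). ipnat(5) rules for a static
# 1:1 translation between a private server and a public address on xl0.
#
# A plain "map" rule only rewrites the SOURCE address of packets leaving
# the interface, so "map xl0 public/32 -> private/32" never matches a
# packet arriving from the Internet with the public address as its
# DESTINATION. That is why the inbound pings were not translated.
#
# "bimap" installs a bidirectional mapping: inbound packets to the
# external address get their destination rewritten to the internal
# address, and outbound packets from the internal address get their
# source rewritten to the external address, so the return path is
# consistent without a separate rule per direction.
#
# Addresses below are taken from the post as placeholders; substitute
# the real public and private addresses.
bimap xl0 10.77.1.1/32 -> 184.108.40.206/32
bimap xl0 10.77.2.1/32 -> 220.127.116.11/32
```

Load with `ipnat -CF -f /etc/ipnat.rules`, then check `ipnat -l` to confirm the rules are active and watch the translation table with `ipnat -l` while pinging from outside.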