3 NICs NAT setup, almost there ...

Roger 'Rocky' Vetterberg listsub at 401.cx
Tue May 27 00:22:34 PDT 2003

Barney Wolff wrote:
 > On Fri, May 23, 2003 at 12:45:39PM -0300, Paiva, Gilson de wrote:
 >> Hi,
 >> Take this scenario:
 >> xxx/26               yyy/26 internet --- ep0 freebsd rl0 ---
 >> wired clients ep1 | private ip ( ) | wireless
 >> I have to nat packets with destination to an ip xxx/26 to an ip
 >> at private ip net. So far so good with "common" redirect_address
 >> nat configuration. The problem happens with traffic between net
 >> yyy/26 and the private network ( and vice-versa ) because packets
 >>  get routed to destination before they get translated by natd.
 >> What´s the secret ? I tried everything I known and learned from
 >> reading but no setup could work out.
 > I'd use ipfw and natd, and run two instances of natd listening on
 > different divert sockets.  Rules in ipfw can divert the packets to
 > the right natd depending on where the packets are coming from or
 > going to.

I have been running something similar to the above for well over a
year without problems. The tricky thing can be to get you firewall
rules right.

The machine in question has 3 nic's:
xl0: y.y.108.201 netmask 0xffffff00
xl1: netmask 0xfffffc00
xl2: netmask 0xffffff00

The relevant section of my firewall rules looks like this:
00070 divert 8669 ip from any to via xl1
00080 divert 8669 ip from any to x.x.184.234 via xl1
00090 divert 8669 ip from any to x.x.89.40 via xl1
00100 divert 8668 ip from any to any via xl0

The ip addresses starting with x.x are servers that we need to go a
special route to access. Ignore them if you wish, I only included them 
as an example of how to write your rules.
Besides the above rules, all you have to do is start two instances of 
natd, one on interface xl1 listening on 8669 and one on xl0 listening 
on 8668.
I also had to add a route on the router in the 
network to make it send traffic to back to the right instead of throwing it on default route.

The possibilities are almost endless, you can run as many natd's as 
you need and just divert traffic based on destination, origin, port, 
protocoll or whatever you see fit.

Hope this helps


More information about the freebsd-questions mailing list