Need help with strange routing situation

Eric W. Bates ericx at vineyard.net
Thu Sep 4 07:28:17 PDT 2003


I've done this on ciscos but not on FBSD.  There are probably a couple of good ways to do this. I think this will work (criticism welcome).

Given that you have a network 1.2.3.176/29 (8 addresses, 6 hosts), and your ISP has given you a gateway address of 1.2.4.239/30 for your external interface...

natd on FBSD usually gets handed traffic to modify via a divert rule in ipfw.  Normally, the examples for natd suggest something like (assuming your external NIC is fxp0):

100 divert natd all from any to any via fxp0
110 pass all from any to any

And you tell natd that it should use interface fxp0 for the overloading. natd will then translate everything against the IP assigned to that interface (the gate address: 1.2.4.239).

I don't believe there is a way to get natd to be selective about translations unless you do the one-to-one mapping with redirect_address; and that's not what you want.  So instead, set natd up in the normal way; but use different firewall rules such that traffic to and from your routable network skips over the divert statement:

90 skipto 110 ip from 1.2.3.176/29 to any
90 skipto 110 ip from any to 1.2.3.176/29
100 divert natd all from any to any via fxp0
110 pass all from any to any

Obviously, this use of ipfw provides no protection; so you probably want to beef out rule 110 with some restrictions.

----- Original Message ----- 
From: "Donald Burr of Borg" <dburr at borg-cube.com>
To: "FreeBSD Questions" <freebsd-questions at freebsd.org>
Cc: <freebsd-net at freebsd.org>
Sent: Tuesday, September 02, 2003 3:36 PM
Subject: Need help with strange routing situation


> I recently switched to a new DSL provider (DSLExtreme), and in doing so,
> decided to opt to buy multiple static IP's.  The idea is that I would like
> one static IP for the server, and separate static IP's for our desktop
> machines, so that things such as IRC DCC, streaming media, etc. will "just
> work" and won't require special port forwarding or other such nonsense.
> 
> Here's a (really lame) ASCII picture of our setup:
>                      [ Server and  ]
> [ DSL Modem ]--------[ Gateway box ]-------------[ 10/100 switch ]
> ISP provides         it's using IP A               |    |     |
> THREE IP's:          provides NAT                  |    |     |
> let's call them      for machines                  |    |     |
> IP A, IP B, and      that don't          [ My desktop PC] |     |
> IP C                 have their          it uses IP B     |     |
>                      own IP                               |     |
>                                           [ Roomie's PC ]      |
>                                           it uses IP C         |
>                                                                |
>                                                       [ Wireless WAP ]
>                                                       .         .
>                                                       .         .
>                                                       .         .
>                                                   [ My laptop ] .
>                                                                 .
>                                                          [ Roomie's laptop ]
>                                                          (via wireless)
> 
> Note that each machine has its own unique, static private internal IP
> address (192.168.x.x).  Also, the gateway/server machine has 2 interfaces:
> one connected directly to the DSL modem, and one connected to the internal
> network.  The server is the only thing connected to the DSL modem.
> 
> Ideally here's what we'd like to set up:
> 
> Our gateway machine and server gets its own IP, IP A.
> It runs various services (IRC, WWW, FTP, etc.) but IF POSSIBLE
> I'd also like it to provide NAT for machines that don't have
> their own IP (i.e. people who visit and bring their laptops).
> 
> My desktop machine is hooked up via ethernet.  It should get IP B.
> EVERYTHING that goes to IP B gets forwarded to that machine.
> This way protocols like Game protocols, ICQ, IRC DCC, VNC, etc.
> work without having to do port forwarding and other crap.
> But I do want firewalling for this box, so that, for example,
> I don't get infected with the Windows Worm of the Day, etc.
> 
> Same thing as above for my roomie's desktop, except it gets IP C.
> 
> Now the two laptops (as well as any other machines that people bring over
> when they visit) are a problem.  Ideally I'd like them to be NAT'ted
> behind IP A (the server, which also runs NAT); port forwarding is NOT
> necessary since we won't ever do anything on those that requires special
> port forwarding.  But they should be firewalled as well.
> 
> Ideally I'd like to do this setup on the existing hardware.  Right now,
> the server box is running FreeBSD 4.8.  If this is an unsuitable platform
> for the setup described above, and if another platform is more suitable
> (e.g. Linux), I suppose I could switch if necessary, tho that's not the
> optimal setup (I am very happy with the way FreeBSD works for me).
> 
> So, any idea of how to do this?  Or do I need to go buy some sort of
> expensive Cisco box or something?  (which would REALLY SUCK...)
> 
> Thanks!
> -- 
> Donald Burr of Borg <dburr at borg-cube.com> | FreeBSD: The Power to Serve!
> Website: http://www.borg-cube.com/        | http://www.freebsd.org/
> PO Box 91212, Santa Barbara CA 93190-1212 \-----------------------------
> Tel: (805)563-0672       ICQ# 16997506      Present Day... Present Time!
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
> 
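To see what the skipto trick in Eric's reply actually does to a packet, here is a small model of how ipfw walks that numbered ruleset. This is an added example, not code from the original post or from FreeBSD; it implements only the actions the reply uses (skipto, divert, pass) and the match terms it needs (protocol, source/destination prefix, "via" interface). The addresses and the fxp0 name come from the thread; the internal interface name xl0 and the sample packets are constructed for illustration.

```python
"""Toy model of ipfw rule walking for the skipto-around-divert ruleset.

Added example, not from the original post or from FreeBSD's ipfw. It shows
which packets are handed to natd's divert socket (rule 100) and which skip
straight to rule 110. Only the subset of ipfw syntax used in the reply is
understood.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str          # interface the packet is crossing
    proto: str = "ip"   # "ip" here stands for any IP protocol


@dataclass(frozen=True)
class Rule:
    number: int
    action: str             # "skipto", "divert" or "pass"
    arg: Optional[int]      # skipto target or divert port
    proto: str
    src: str
    dst: str
    via: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse '<num> <action> [<arg>] <proto> from <src> to <dst> [via <if>]'."""
    tok = line.split()
    number, action = int(tok[0]), tok[1]
    i, arg = 2, None
    if action == "skipto":
        arg = int(tok[i]); i += 1
    elif action == "divert":
        # 'natd' is the divert port name from /etc/services (8668/divert)
        arg = 8668 if tok[i] == "natd" else int(tok[i]); i += 1
    proto = tok[i]; i += 1
    assert tok[i] == "from" and tok[i + 2] == "to", line
    src, dst = tok[i + 1], tok[i + 3]
    via = tok[i + 5] if len(tok) > i + 5 and tok[i + 4] == "via" else None
    return Rule(number, action, arg, proto, src, dst, via)


def _match_addr(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", "all", pkt.proto):
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return _match_addr(rule.src, pkt.src) and _match_addr(rule.dst, pkt.dst)


def walk(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Evaluate rules in number order (equal numbers keep insertion order,
    as ipfw does). Returns (final action, numbers of the rules that matched)."""
    rules = sorted(rules, key=lambda r: r.number)   # stable sort
    hits: List[int] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        hits.append(r.number)
        if r.action == "skipto":
            # skip every rule numbered below the target
            i = next((j for j, x in enumerate(rules) if x.number >= r.arg), len(rules))
            continue
        if r.action == "divert":
            # natd rewrites the packet and reinjects it at the next rule;
            # this model just records the divert and carries on
            i += 1
            continue
        return r.action, hits
    return "deny", hits     # ipfw's implicit default rule 65535


# The ruleset from the reply, verbatim.
RULESET = [parse_rule(l) for l in [
    "90 skipto 110 ip from 1.2.3.176/29 to any",
    "90 skipto 110 ip from any to 1.2.3.176/29",
    "100 divert natd all from any to any via fxp0",
    "110 pass all from any to any",
]]


def natd_sees(pkt: Packet) -> bool:
    """True if the packet reaches the divert rule, i.e. natd translates it."""
    return 100 in walk(RULESET, pkt)[1]


if __name__ == "__main__":
    # Constructed sample packets: a visiting laptop (private address), a desktop
    # on the routable /29, a reply coming back to that desktop, and LAN-only traffic.
    for p in (Packet("192.168.1.50", "4.4.4.4", "fxp0"),
              Packet("1.2.3.178", "4.4.4.4", "fxp0"),
              Packet("4.4.4.4", "1.2.3.178", "fxp0"),
              Packet("192.168.1.50", "1.2.3.178", "xl0")):
        print(p.src, "->", p.dst, "via", p.iface, walk(RULESET, p), "natd:", natd_sees(p))
```

The two rule-90 entries are what make the routable hosts work in both directions: the first one catches their outbound traffic, the second catches replies and unsolicited inbound traffic addressed to them, and both jump past the divert so natd never rewrites those packets. Traffic from the private-addressed laptop still falls through to rule 100 and is translated to the fxp0 address, exactly as the reply describes.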

