Problem with IPFilter/IPNAT

Odhiambo Washington wash at wananchi.com
Sat Jul 30 10:42:00 GMT 2005


I am using IPFilter and IPNat on several FreeBSD boxes. They are mostly
configured the same.

Each box has two interfaces, public and internal, and acts as a router
to the LAN which is 'behind' it. The LAN machines use the FreeBSD box as
the gateway, as well as a DNS server. I run a cache-only config.

The problem I have is that when, for any reason, the public link goes
down, the machines on the LAN time out when communicating. I can simulate
this by simply pulling out the connection from the $ext_iface (assume
this is ADSL or something like that) which is connected to the ISP
upstream.

I'd want a situation where network communications within the LAN
should not be affected when the circuit to the ISP is down, since
it is only used for web traffic and for the mail server on the
FreeBSD router to send outbound e-mails, not local e-mails.

I don't know if it is my NAT configuration causing this. Here is the
/etc/ipnat.rules that I use:


<cut>
# rl0 is the internal interface. rl1 is external interface.

# These redirection rules are to force users on the LAN
# to go through Squid cache.
# First we let this machine access itself because there is a web server
# on it.
# Redirect direct web traffic to local web server.
rdr rl0 192.168.100.31/32 port 80 -> 192.168.100.31 port 80 tcp
rdr rl0 192.168.100.31/32 port 443 -> 192.168.100.31 port 443 tcp

# Transparently redirect all outgoing web traffic through squid on
# port 3128

rdr rl0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128


# Also all SMTP Connections must go via localhost
rdr rl0 0.0.0.0/0 port 25 -> 127.0.0.1 port 25

# Now do NAT, but only for packets that are NOT local.
map rl1 from 192.168.100.0/24 ! to 192.168.100.0/24 -> 0/32 portmap tcp/udp auto
map rl1 from 192.168.100.0/24 ! to 192.168.100.0/24 -> 0/32

</cut>


What am I missing or doing wrong here???



-Wash

http://www.netmeister.org/news/learn2quote.html

--
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington    <wash at wananchi.com>
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+
Due to lack of disk space, this fortune database has been
discontinued.
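Added example, not part of the post above: a small Python model of how the posted rdr and map rules match traffic, assuming ipnat's first-match rule evaluation and using constructed LAN flows (the 192.168.100.50/.60 hosts and the 198.51.100.10 upstream address are made up for illustration). It makes visible that the rdr lines, unlike the map lines, carry no `! to 192.168.100.0/24` exclusion, so HTTP and SMTP between two LAN hosts (other than to 192.168.100.31) are handed to squid and the local MTA on the router rather than passing between the hosts directly.

```python
import ipaddress

# The rdr rules from the post, in file order. ipnat uses the first rule
# that matches, which is why the 192.168.100.31 rules precede the 0/0 ones.
# Each entry: (inbound interface, destination network, destination port,
#              redirect address, redirect port)
RDR_RULES = [
    ("rl0", "192.168.100.31/32", 80, "192.168.100.31", 80),
    ("rl0", "192.168.100.31/32", 443, "192.168.100.31", 443),
    ("rl0", "0.0.0.0/0", 80, "127.0.0.1", 3128),   # transparent squid
    ("rl0", "0.0.0.0/0", 25, "127.0.0.1", 25),     # local MTA
]

LAN = ipaddress.ip_network("192.168.100.0/24")


def rdr_target(iface, dst_ip, dst_port):
    """Return (address, port) chosen by the first matching rdr rule,
    or None when no rdr rule touches the packet."""
    dst = ipaddress.ip_address(dst_ip)
    for rule_if, net, port, new_ip, new_port in RDR_RULES:
        if rule_if == iface and port == dst_port and dst in ipaddress.ip_network(net):
            return (new_ip, new_port)
    return None


def map_applies(src_ip, dst_ip):
    """The two map rules translate only LAN sources whose destination is
    NOT in the LAN ('! to 192.168.100.0/24'); the rdr rules have no such test."""
    return (ipaddress.ip_address(src_ip) in LAN
            and ipaddress.ip_address(dst_ip) not in LAN)


def router_dependent_flows(flows):
    """Given constructed (src, dst, dport) flows entering on rl0, return the
    LAN-to-LAN ones that the rdr rules divert to a daemon on the router."""
    result = []
    for src, dst, dport in flows:
        in_lan = (ipaddress.ip_address(src) in LAN and ipaddress.ip_address(dst) in LAN)
        target = rdr_target("rl0", dst, dport)
        if in_lan and target is not None and target[0] == "127.0.0.1":
            result.append((src, dst, dport, target))
    return result


if __name__ == "__main__":
    constructed = [("192.168.100.50", "192.168.100.60", 80),   # LAN web server
                   ("192.168.100.50", "192.168.100.31", 80),   # router's own web server
                   ("192.168.100.50", "192.168.100.60", 25),   # LAN mail host
                   ("192.168.100.50", "192.168.100.60", 22),   # untouched by rdr
                   ("192.168.100.50", "198.51.100.10", 80)]    # Internet web
    for flow in router_dependent_flows(constructed):
        print("diverted to router daemon:", flow)
```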

