Difficulties establishing VPN tunnel with IPNAT
Jerahmy Pocott
quakenet1 at optusnet.com.au
Tue Nov 27 07:07:06 PST 2007
On 27/11/2007, at 5:49 PM, Ted Mittelstaedt wrote:
>> -----Original Message-----
>> From: Jerahmy Pocott [mailto:quakenet1 at optusnet.com.au]
>> Sent: Sunday, November 25, 2007 4:48 AM
>> To: Ted Mittelstaedt
>> Cc: FreeBSD Questions
>> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>>
>>
>> Perhaps, but I've heard a lot of good things about IPF and IPNAT,
>> especially since the NAT is all in-kernel, whereas natd is userland, so
>> there is a slight performance boost possibly there as well..
>>
>
> I will address this one point here since it's enough to make
> someone scream, it's such an old chestnut.
>
> natd is always criticized because going to userland is slow. So,
> people who have slowness problems think that is the issue.
>
> In reality, the problem is that the DEFAULT setup and man page
> examples for natd use the following ipfw divert rule:
>
> /sbin/ipfw -f flush
> /sbin/ipfw add divert natd all from any to any via ed0
> /sbin/ipfw add pass all from any to any
>
> This produces a rule such as the following:
>
> 00050 divert 8668 ip from any to any via de0
>
> The problem though, is this is wrong. What it is doing is that
> ALL traffic that comes into and out of the box - no matter what
> the source and destination is - will be passed to the natd translator.
>
> What you SHOULD be using is a set of commands such as:
>
> ipfw add divert natd ip from any to [outside IP address] in recv [outside interface]
> ipfw add divert natd ip from not [outside IP address] to any out recv [inside interface] xmit [outside interface]
That does make a lot of sense!
However, the 2nd rule is slightly confusing me. Shouldn't it be something
like: divert natd ip from [internal net range] to any out via [outside if]?
Cheers,
J.
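The ruleset shapes discussed in the thread, written out as an added example that is not part of the original mailing-list messages. The script builds the rules from variables so they can be reviewed before loading: the broad "via outside interface" divert from the man page example, Ted's two narrow rules (inbound to the outside address, outbound from the inside interface to the outside one), and the per-network variant Jerahmy asks about, for comparison only; the thread does not settle which of the last two is preferable. Interface names (em0/em1), the 203.0.113.10 outside address and the 10.0.0.0/24 inside network are assumed placeholders. By default it only prints the `ipfw` commands; it runs them only when `APPLY=1` is set on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not from the thread. Generates natd divert rulesets for
# review; all addresses and interface names below are assumed placeholders.
OUTSIDE_IF="${OUTSIDE_IF:-em0}"
INSIDE_IF="${INSIDE_IF:-em1}"
OUTSIDE_IP="${OUTSIDE_IP:-203.0.113.10}"
INSIDE_NET="${INSIDE_NET:-10.0.0.0/24}"

# Broad form from the natd man page example: every packet crossing the
# outside interface, in either direction, is handed to the divert socket,
# including traffic that needs no translation at all.
broad_divert_rules() {
    printf 'add divert natd ip from any to any via %s\n' "$OUTSIDE_IF"
}

# Narrow form as described in the thread: only packets that can actually
# need translation are diverted.
narrow_divert_rules() {
    # Inbound: packets arriving on the outside interface and addressed to
    # the box's public address (replies to translated sessions, redirects).
    printf 'add divert natd ip from any to %s in recv %s\n' \
        "$OUTSIDE_IP" "$OUTSIDE_IF"
    # Outbound: packets that came in on the inside interface and are about
    # to leave via the outside interface; the box's own traffic, which is
    # already sourced from the public address, is excluded.
    printf 'add divert natd ip from not %s to any out recv %s xmit %s\n' \
        "$OUTSIDE_IP" "$INSIDE_IF" "$OUTSIDE_IF"
}

# The alternative outbound match raised in the reply: select by internal
# source network instead of by receiving interface.
net_divert_rule() {
    printf 'add divert natd ip from %s to any out via %s\n' \
        "$INSIDE_NET" "$OUTSIDE_IF"
}

# Complete ruleset in the shape of the man page example: flush, the narrow
# divert rules, then pass everything else.
ruleset() {
    printf -- '-f flush\n'
    narrow_divert_rules
    printf 'add pass ip from any to any\n'
}

# Dry run by default: print each rule prefixed with "ipfw". With APPLY=1
# the rules are executed with /sbin/ipfw (FreeBSD only).
main() {
    ruleset | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            # word-splitting of $rule is intended: each word is an ipfw token
            # shellcheck disable=SC2086
            /sbin/ipfw $rule
        else
            printf 'ipfw %s\n' "$rule"
        fi
    done
}

main "$@"
```

Running it without `APPLY` prints the three commands of the narrow ruleset, which is the form to diff against whatever is currently loaded (`ipfw list`) before replacing a working configuration.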