The FreeBSD Diary

FreeBSD Support
 Re: Having problems with NATD and internal Traffic back to localhost on private
Author: halber_mensch 
Date:   06-12-05 17:11

Remember that natd is bound to your external interface (rl0), and never sees your LAN traffic hitting the internal interface (dc0).

This rule:
00150 divert 8668 ip from any to any via rl0

sticks only rl0 traffic into the natd divert socket.

Now you might think you would be able to divert incoming port 80 and 22 dc0 traffic destined for the bound external address to the natd divert socket, but that may break your routing. I've never tried this and I am not in a position that I can try it on my home network right now, but these rules:

divert 8668 tcp from any to publicaddress dst-port 22 in via dc0
divert 8668 udp from any to publicaddress dst-port 22 in via dc0
divert 8668 tcp from any to publicaddress dst-port 80 in via dc0

will force the router to push incoming port 80 and 22 traffic from the internal interface to first go through the natd daemon, which should then perform translation. Only this half of the connection works, though, because the webserver will respond to the router on a port that will not divert back to natd. Basically the setup you are attempting to achieve is too complicated to be easily done without fragmenting the network.

I would suggest that you create an alias for dc0 that exists on a separate logical network, say 10.10.1.1/24. This network is your "DMZ" that you can stick all of your servers in that the public system should use for forwarding services.

ifconfig dc0 alias inet 10.10.1.1/24 10.10.1.0

Re-address the webserver to bind to the address 10.10.1.80/24 and use 10.10.1.1 as its gateway, and change your current natd configuration to redirect ports 80 and 22 to this new address.

Next, create another configuration file for natd with the following options:

log yes
deny_incoming no
port 8669
use_sockets yes
same_ports yes
verbose no
alias_address 10.10.10.1
unregistered_only yes
redirect_port udp 10.10.1.80:80 80
redirect_port tcp 10.10.1.80:80 80
redirect_port tcp 10.10.1.80:22 22

This will be your internal network's natd configuration. Run a separate instance of natd sourcing this configuration ( -f option ). Add these rules to ipfw:

divert 8669 tcp from any to publicaddress in via dc0 dst-port 80
divert 8669 tcp from any to publicaddress in via dc0 dst-port 22
divert 8669 udp from any to publicaddress in via dc0 dst-port 22

This may require tweaking, but it should force your lan traffic to port 80 and 22 on the router to be translated seamlessly to the web server and replies translated back to the correct addresses.

Now I'm a seasoned net vet, but I may have made mistakes in my theory here. It's highly possible I've made some oversights.

-=halber_mensch=-

Post Edited (06-12-05 10:59)
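The following script is an added example, not code from halber_mensch's post or from The FreeBSD Diary. It gathers the DMZ-alias and second-natd approach described above into one reviewable file: the redirect lines for the existing external natd, the configuration for the second natd instance, the ipfw divert rules, and an apply/verify routine. Everything concrete in it is assumed sample data: 203.0.113.10 stands in for "publicaddress", rl0/dc0 are the interfaces from the thread, the DMZ is 10.10.1.0/24 with the router at 10.10.1.1 and the server at 10.10.1.80, and the rule numbers 140-142 are chosen to sort before the existing 00150 rule. Two choices go beyond the post and are marked in the comments: each redirect_port names the public address explicitly so it matches what the ipfw rules divert on, and rule 142 sends the server's replies back through the same natd instance, which any NAT needs in order to undo its translation on the return path. Port 80 and port 22 are TCP-only, so no udp rules are generated.

```shell
#!/bin/sh
# Added example, not code from the forum post: the DMZ-alias / second-natd
# setup discussed in the thread, gathered into one script.
# ASSUMED sample values (replace with your own): 203.0.113.10 stands in for
# "publicaddress", rl0/dc0 are the interfaces from the thread, the DMZ is
# 10.10.1.0/24 with the router at 10.10.1.1 and the web/ssh host at
# 10.10.1.80. Rule numbers 140-142 are chosen to sort before the existing
# "00150 divert 8668 ip from any to any via rl0" rule.
PUBLIC_ADDR="${PUBLIC_ADDR:-203.0.113.10}"
EXT_IF="${EXT_IF:-rl0}"
INT_IF="${INT_IF:-dc0}"
DMZ_GW="${DMZ_GW:-10.10.1.1}"
DMZ_MASK="255.255.255.0"
WEB_SRV="${WEB_SRV:-10.10.1.80}"
DMZ_NATD_PORT=8669
DMZ_NATD_CONF="${DMZ_NATD_CONF:-/etc/natd.dmz.conf}"   # assumed path

# Lines for the EXISTING external natd (divert port 8668) so that
# Internet clients reach the re-addressed server.
ext_natd_redirects() {
    printf 'redirect_port tcp %s:80 80\n' "$WEB_SRV"
    printf 'redirect_port tcp %s:22 22\n' "$WEB_SRV"
}

# Config for the second natd instance (started with -f), which only sees
# LAN traffic diverted on the internal interface. The alias IP is written
# explicitly in each redirect_port so the redirect matches the public
# address that the ipfw rules divert on (an assumption beyond the post).
dmz_natd_conf() {
    cat <<EOF
log yes
deny_incoming no
port ${DMZ_NATD_PORT}
use_sockets yes
same_ports yes
verbose no
alias_address ${DMZ_GW}
unregistered_only yes
redirect_port tcp ${WEB_SRV}:80 ${PUBLIC_ADDR}:80
redirect_port tcp ${WEB_SRV}:22 ${PUBLIC_ADDR}:22
EOF
}

# ipfw rule bodies for the LAN side. Rules 140/141 send LAN requests for
# the public address into natd, which rewrites the destination to the
# server. Rule 142 (added here, not in the post) sends the server's
# replies through the SAME natd instance on the way out of dc0, so their
# source is rewritten back to the public address the client connected to;
# without it the client would see a reply from 10.10.1.80 and discard it.
dmz_ipfw_rules() {
    printf 'add 140 divert %s tcp from any to %s 80 in via %s\n' \
        "$DMZ_NATD_PORT" "$PUBLIC_ADDR" "$INT_IF"
    printf 'add 141 divert %s tcp from any to %s 22 in via %s\n' \
        "$DMZ_NATD_PORT" "$PUBLIC_ADDR" "$INT_IF"
    printf 'add 142 divert %s tcp from %s 80,22 to any out via %s\n' \
        "$DMZ_NATD_PORT" "$WEB_SRV" "$INT_IF"
}

# Apply on the FreeBSD router as root (only runs when invoked with "apply").
apply_dmz() {
    ifconfig "$INT_IF" inet "$DMZ_GW" netmask "$DMZ_MASK" alias
    dmz_natd_conf > "$DMZ_NATD_CONF"
    natd -f "$DMZ_NATD_CONF"
    dmz_ipfw_rules | while read -r rule; do
        # word splitting of $rule into ipfw arguments is intentional
        ipfw -q $rule
    done
}

# Post-apply checks: the second natd is listening and all three rules exist.
verify_dmz() {
    sockstat -4 -l | grep -q "natd.*:${DMZ_NATD_PORT}" || return 1
    [ "$(ipfw list | grep -c "divert ${DMZ_NATD_PORT}")" -eq 3 ] || return 1
}

case "${1:-}" in
    show)  ext_natd_redirects; echo; dmz_natd_conf; echo; dmz_ipfw_rules ;;
    apply) apply_dmz && verify_dmz ;;
esac
```

Running the script with `show` prints the three pieces for review without touching the system; `apply` performs the alias, natd and ipfw steps on the router and then runs the checks. Because the second natd is bound to the same server address as the external one, review the generated rules together with the existing 00150 rule to make sure only the intended ports are reachable from the LAN through the redirect.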


Topics in this thread (title, author, date):

  Having problems with NATD and internal Traffic back to localhost on private LAN        bsddizzy        05-12-05 18:43
  Re: Having problems with NATD and internal Traffic back to localhost on private        halber_mensch   06-12-05 17:11
  Good job                                                                               Dan             06-12-05 18:10
  Re: Good job                                                                           halber_mensch   06-12-05 19:03
  Re: Having problems with NATD and internal Traffic back to localhost on private        bsddizzy        07-12-05 22:54
  Re: Having problems with NATD and internal Traffic back to localhost on private        bsddizzy        07-12-05 22:54
  Re: Having problems with NATD and internal Traffic back to localhost on private        halber_mensch   08-12-05 14:27

