is it possible to have 2 natd ? - BSD


  1. is it possible to have 2 natd ?

    Hello

    I have a FreeBSD box with an ADSL PPP link.

    This PC acts as a firewall. Its network address is 10.10.20.101, and natd is used
    with the tun0 interface.
    PPP <-> PC <-> (10.10.20.101) Switch

    Now I've added an internet modem/firewall on the same switch, on a different
    network, 192.168.0.254 (I can't change it).
    PPP modem <-> PC (10.10.20.101) <-> Switch
    internet modem (192.168.0.254) <-> Switch

    I want to use this equipment for load balancing or protocol balancing, not
    sure yet.
    ATM, I just want to use it.

    I added a second IP address on the FreeBSD box, so the interface on 10.10.20.x is
    on 192.168 too.
    (ifconfig inet 192.168.0.101 netmask 255.255.255.0 alias)
    PPP modem <-> PC (10.10.20.101,192.168.0.101) <-> Switch
    internet modem (192.168.0.254) <-> Switch

    Now the FreeBSD box can ping the internet modem, and even go on the internet if I
    manually add some route on the freebe
    ( route add 192.168.0.254)

    Now my problem is that I have lots of TCP protocols which are used by an
    internal proxy on another PC, with a default gateway pointing to the freebe
    firewall:
    PPP modem <-> PC (10.10.20.101,192.168.0.101) <-> Switch
    internet modem (192.168.0.254) <-> Switch
    internal proxy (10.10.20.102, GW:10.10.20.101) <-> Switch

    If the internal proxy goes through the internet modem through a static route
    on the freebe PC, it gets no answer.
    I can't add a static route on the internet modem.
    10.10.20.102 (ask www.x) => GW
    GW (ask www.x, from 10.10.20.102) => static route => internet modem
    internet modem (ask www.x from 10.10.20.102) => get www.x
    internet modem (send back answer to 10.10.20.102) => no route here for
    10.10.20.x, I guess the packet is sent back to the internet

    So I think I need some NAT here: if a packet coming from 10.10.20.x goes
    toward 192.168.0.254, 10.10.20.x is replaced with 192.168.0.101.

    But I'm not familiar with natd. Is it possible to launch a second natd to
    handle that? Do I need to add some rules in my rc.firewall?



  2. Re: is it possible to have 2 natd ?

    patrice wrote:
    > Hello
    >
    > I have a FreeBSD box with an ADSL PPP link.
    >
    > This PC acts as a firewall. Its network address is 10.10.20.101, and natd is used
    > with the tun0 interface.
    > PPP <-> PC <-> (10.10.20.101) Switch
    >
    > Now I've added an internet modem/firewall on the same switch, on a different
    > network, 192.168.0.254 (I can't change it).
    > PPP modem <-> PC (10.10.20.101) <-> Switch
    > internet modem (192.168.0.254) <-> Switch
    >
    > I want to use this equipment for load balancing or protocol balancing, not
    > sure yet.
    > ATM, I just want to use it.
    >
    > I added a second IP address on the FreeBSD box, so the interface on 10.10.20.x is
    > on 192.168 too.
    > (ifconfig inet 192.168.0.101 netmask 255.255.255.0 alias)
    > PPP modem <-> PC (10.10.20.101,192.168.0.101) <-> Switch
    > internet modem (192.168.0.254) <-> Switch
    >
    > Now the FreeBSD box can ping the internet modem, and even go on the internet if I
    > manually add some route on the freebe
    > ( route add 192.168.0.254)
    >
    > Now my problem is that I have lots of TCP protocols which are used by an
    > internal proxy on another PC, with a default gateway pointing to the freebe
    > firewall:
    > PPP modem <-> PC (10.10.20.101,192.168.0.101) <-> Switch
    > internet modem (192.168.0.254) <-> Switch
    > internal proxy (10.10.20.102, GW:10.10.20.101) <-> Switch
    >
    > If the internal proxy goes through the internet modem through a static route
    > on the freebe PC, it gets no answer.
    > I can't add a static route on the internet modem.
    > 10.10.20.102 (ask www.x) => GW
    > GW (ask www.x, from 10.10.20.102) => static route => internet modem
    > internet modem (ask www.x from 10.10.20.102) => get www.x
    > internet modem (send back answer to 10.10.20.102) => no route here for
    > 10.10.20.x, I guess the packet is sent back to the internet
    >
    > So I think I need some NAT here: if a packet coming from 10.10.20.x goes
    > toward 192.168.0.254, 10.10.20.x is replaced with 192.168.0.101.


    You can do this by running 2 natd on 2 different divert(4) ports: the
    default one on port 8668 (natd in /etc/services) and another one e.g. 3615.

    >
    > but i m not familiar with natd. is it possible to launch a second natd to
    > hold that ? do i need to had some rules in my rc.firewall ?


    Yes, a new divert line:


    /sbin/ipfw add divert 3615 all from 10.10.20.0/24 to not 10.10.20.0/24 \
    via

    and add a new script in /usr/local/etc/rc.d:

    natd_internet_modem.sh :

    #!/bin/sh
    # Second natd instance: listens on divert port 3615 and translates to the
    # 192.168.0.101 alias (the default natd keeps port 8668 for tun0).
    case $1 in
    start) /sbin/natd -port 3615 -alias_address 192.168.0.101
    ;;
    esac

    I use something similar to allow access to 2 external networks using 2
    pptp managed by mpd (/usr/ports/net/mpd).

    Henri


  3. Re: is it possible to have 2 natd ?

    "Henri Hennebert" wrote in message
    news:etjond$8r2$1@morzine.restart.bel...
    >
    >>PPP modem <-> PC (10.10.20.101,192.168.0.101) <-> Switch
    >>internet modem (192.168.0.254) <-> Switch
    >>internal proxy (10.10.20.102, GW:10.10.20.101) <-> Switch


    > /sbin/ipfw add divert 3615 all from 10.10.20.0/24 to not 10.10.20.0/24 \
    > via
    >


    Hello Henri

    Thank you for your answer.
    Just a little precision.
    I have other PCs connected to the switch, with default gateway to the
    10.10.20.101 (freebe) PC.
    I'm not an expert with ipfw, but if another PC (10.10.20.4) sends IP toward
    1.2.3.4,
    this packet will go to the GW (10.10.20.101) and, in my opinion, could be
    caught by the divert line (from 10.10.20 to not 10.10.20).

    Does it make sense to divert only outgoing packets going explicitly to the
    internet modem?
    add divert 3615 all from any to 192.168.0.101 out via <switch>
    The goal would be to natd packets coming from everywhere and routed via:
    route add 192.168.0.254



  4. Re: is it possible to have 2 natd ?

    patrice wrote:
    > "Henri Hennebert" wrote in message
    > news:etjond$8r2$1@morzine.restart.bel...
    >>> PPP modem <-> PC (10.10.20.101,192.168.0.101) <-> Switch
    >>> internet modem (192.168.0.254) <-> Switch
    >>> internal proxy (10.10.20.102, GW:10.10.20.101) <-> Switch

    >
    >> /sbin/ipfw add divert 3615 all from 10.10.20.0/24 to not 10.10.20.0/24 \
    >> via
    >>

    >
    > Hello Henri
    >
    > Thank you for your answer.
    > Just a little precision.
    > I have other PCs connected to the switch, with default gateway to the
    > 10.10.20.101 (freebe) PC.
    > I'm not an expert with ipfw, but if another PC (10.10.20.4) sends IP toward
    > 1.2.3.4,
    > this packet will go to the GW (10.10.20.101) and, in my opinion, could be
    > caught by the divert line (from 10.10.20 to not 10.10.20).


    Yes, but only if going out via , and so via
    192.168.0.101, which is the other gateway to the internet (if the route to
    1.2.3.4 says so in Freebe).

    >
    > does it make sense to divert only outgoing packet going explicitly to the
    > internet modem ?


    No, because the destination is still 1.2.3.4 in the packet and not the
    address of the gateway. Information about the gateway is only in the
    ethernet address (MAC address in the ethernet frame -- level 2 in the ISO
    framework).

    > add divert 3615 all from any to 192.168.0.101 out via <switch>
    > The goal would be to natd packets coming from everywhere and routed via:
    > route add 192.168.0.254


    I think that my divert does just that, because a packet coming from
    10.10.20.0/24 and going out via with a destination
    not in 10.10.20.0/24 is going to the internet and so must go through
    192.168.0.101.

    Of course, if Freebe is a gateway to the network 192.168.0/24 the divert
    line must be changed accordingly:

    add divert 3615 all from 10.10.20.0/24 to not 10.10.20.0/24,192.168.0.0/24 \
    via

    Henri

  5. Re: is it possible to have 2 natd ?

    "Henri Hennebert" wrote in message
    news:etm97f$15rv$1@morzine.restart.bel...
    > add divert 3615 all from 10.10.20.0/24 to not 10.10.20.0/24,192.168.0.0/24 \
    > via
    >



    Hello Henri

    I've tried, but it seems not to work as expected.
    - natd is running
    - I have added the following rules:

    02100 divert 8668 ip from any to any via tun0
        => this is the already existing rule
    02101 divert 3615 log ip from 10.10.0.0/16 to not 10.10.0.0/16 via bge0
        => this is the rule added
    02102 allow log logamount 10000 ip from 192.168.0.101 to any via bge0
        => this is a rule added for log and for firewall
    02103 allow log ip from any to 192.168.0.101 via bge0
        => this is a rule added for log and for firewall

    From an outside PC: ping toward an IP routed to the modem:
    Mar 19 18:36:25 servidea kernel: ipfw: 2101 Divert 3615 ICMP:8.0 10.10.20.4 65.168.96.71 in via bge0
    Mar 19 18:36:25 servidea kernel: ipfw: 2101 Divert 3615 ICMP:8.0 10.10.20.4 65.168.96.71 out via bge0
    Mar 19 18:36:25 servidea kernel: ipfw: 2102 Accept ICMP:8.0 192.168.0.101 65.168.96.71 out via bge0
    Mar 19 18:36:25 servidea kernel: ipfw: 2103 Accept ICMP:0.0 65.168.96.71 192.168.0.101 in via bge0

    Lines 1 & 2 seem to say that the ping from external 10.10.20.4 is indeed sent
    to natd.
    Line 3 seems to say that natd has sent the new, translated ping.
    Line 4 seems to say that the answer has been received.

    But the PC 10.10.20.4 does not get its answer....
    Do you have any idea?



  6. Re: is it possible to have 2 natd ?

    "patrice" wrote in message
    news:45fecb78$0$6099$426a74cc@news.free.fr...
    > From an outside PC: ping toward an IP routed to the modem:
    > Mar 19 18:36:25 servidea kernel: ipfw: 2101 Divert 3615 ICMP:8.0 10.10.20.4 65.168.96.71 in via bge0
    > Mar 19 18:36:25 servidea kernel: ipfw: 2101 Divert 3615 ICMP:8.0 10.10.20.4 65.168.96.71 out via bge0
    > Mar 19 18:36:25 servidea kernel: ipfw: 2102 Accept ICMP:8.0 192.168.0.101 65.168.96.71 out via bge0
    > Mar 19 18:36:25 servidea kernel: ipfw: 2103 Accept ICMP:0.0 65.168.96.71 192.168.0.101 in via bge0
    >


    OK, I've found it: it is necessary to divert outgoing traffic as well as incoming
    traffic.

    outgoing: divert 3615 ip from 10.10.0.0/16 to not 10.10.0.0/16 via bge0
    incoming: divert 3615 ip from any to 192.168.0.101 in via bge0

    192.168.0.101 is the IP aliased by natd, so every answer coming back for
    natd should be diverted to natd.



  7. Re: is it possible to have 2 natd ?

    patrice wrote:
    > "patrice" wrote in message
    > news:45fecb78$0$6099$426a74cc@news.free.fr...
    >> From an outside PC: ping toward an IP routed to the modem:
    >> Mar 19 18:36:25 servidea kernel: ipfw: 2101 Divert 3615 ICMP:8.0 10.10.20.4 65.168.96.71 in via bge0
    >> Mar 19 18:36:25 servidea kernel: ipfw: 2101 Divert 3615 ICMP:8.0 10.10.20.4 65.168.96.71 out via bge0
    >> Mar 19 18:36:25 servidea kernel: ipfw: 2102 Accept ICMP:8.0 192.168.0.101 65.168.96.71 out via bge0
    >> Mar 19 18:36:25 servidea kernel: ipfw: 2103 Accept ICMP:0.0 65.168.96.71 192.168.0.101 in via bge0
    >>

    >
    > OK, I've found it: it is necessary to divert outgoing traffic as well as incoming
    > traffic.
    >
    > outgoing: divert 3615 ip from 10.10.0.0/16 to not 10.10.0.0/16 via bge0
    > incoming: divert 3615 ip from any to 192.168.0.101 in via bge0
    >
    > 192.168.0.101 is the IP aliased by natd, so every answer coming back for
    > natd should be diverted to natd.


    OK, my divert was too restrictive to take the response into account. Your
    incoming rule takes care of this.

    Thank you for the follow up.

    Henri



  8. Re: is it possible to have 2 natd ?

    "patrice" wrote in message
    news:45ff92e2$0$21501$426a34cc@news.free.fr...
    > OK, I've found it: it is necessary to divert outgoing traffic as well as incoming
    > traffic.
    >
    > outgoing: divert 3615 ip from 10.10.0.0/16 to not 10.10.0.0/16 via bge0
    > incoming: divert 3615 ip from any to 192.168.0.101 in via bge0
    >
    > 192.168.0.101 is the IP aliased by natd, so every answer coming back for
    > natd should be diverted to natd.
    >


    To be exact, an "out" is needed too:
    divert 3615 ip from 10.10.0.0/16 to not 10.10.0.0/16 out via bge0

    If not, valid packets coming from 10.10.x to the external internet (ping
    1.2.3.4) are received by freebe because it is the GW.
    freebe must decide before diverting if the route is via the freebe default
    GW or via natd.
    If the route is via natd, freebe will send the packet out to bge0 and this
    packet will be diverted.
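    The configuration the thread ends up with (second natd on divert port 3615, "out" divert rule, "in" divert rule for the alias, static routes toward the modem), collected into one rc.d-style script as an added example; it is not code from the thread or from either poster. The rule numbers, the "show" dry-run mode, the run helper and the MODEM_ROUTES prefix are assumptions; the addresses, interface and divert port are the thread's.

```sh
#!/bin/sh
# Added example (not from the thread): the second-natd setup the thread converges on,
# for a FreeBSD gateway that already runs natd on tun0. Rule numbers, the "show"
# (dry-run) mode and the MODEM_ROUTES prefix are assumptions for illustration.

LAN_NET="10.10.20.0/24"     # internal network behind the FreeBSD box
LAN_IF="bge0"               # interface towards the switch
ALIAS_IP="192.168.0.101"    # alias on bge0; the second natd translates to it
MODEM_IP="192.168.0.254"    # internet modem/firewall on the same switch
DIVERT_PORT="3615"          # second natd's divert port (the default natd uses 8668)
MODEM_ROUTES="203.0.113.0/24"   # constructed placeholder: destinations to send via the modem

# Run a command, or just print it when IPFW_DRYRUN=1 (review before loading rules).
run() {
    if [ "${IPFW_DRYRUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

second_nat_rules() {
    # Outgoing: only "out" packets. A LAN packet to the internet first arrives "in"
    # on bge0; the kernel routes it first, and only if the route points at the
    # modem does it leave bge0 again and get translated. Without "out", traffic
    # meant for the PPP link would be diverted as well (last post of the thread).
    run /sbin/ipfw add 2101 divert "$DIVERT_PORT" ip from "$LAN_NET" to not "$LAN_NET" out via "$LAN_IF"
    # Incoming: everything addressed to the alias comes back from the modem and
    # must reach natd to be de-translated (post 6). Both divert rules must precede
    # any "allow" rule that would otherwise accept these packets.
    run /sbin/ipfw add 2102 divert "$DIVERT_PORT" ip from any to "$ALIAS_IP" in via "$LAN_IF"
    # Static routes on the FreeBSD box decide which destinations use the modem
    # instead of the default route over tun0.
    for net in $MODEM_ROUTES; do
        run /sbin/route add -net "$net" "$MODEM_IP"
    done
    # The second natd instance, bound to the second divert port and the alias.
    run /sbin/natd -port "$DIVERT_PORT" -alias_address "$ALIAS_IP"
}

# rc.d-style entry point: "start" loads the rules, "show" only prints them.
case "${1:-}" in
    start) second_nat_rules ;;
    show)  IPFW_DRYRUN=1; second_nat_rules ;;
esac
```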



