BSD Router with natd and ipfw need help please
I am running FreeBSD 4.10-RELEASE-p3 and I have the following options in my kernel for firewalling and natd etc:
Code:
options IPFIREWALL                    #firewall
options IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
options IPDIVERT                      #divert sockets
options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
options DUMMYNET                      # enable dummynet operation.

and in rc.conf I have:
Code:
defaultrouter="208.53.175.161"
ifconfig_lnc0="inet 208.53.175.162 netmask 255.255.255.224"
ifconfig_lnc1="inet 208.53.175.169 netmask 255.255.255.248"

Now, connected to lnc1 over a crossover cable, I have another BSD box using the IP 208.53.175.170. It can access the internet and stuff, but I need to be able to make the first box with the IP 208.53.175.162 pass all packets incoming for 208.53.175.170 so people on the outside can access the local box. I've tried using natd in natd.conf to get it to forward but it doesn't work; I've tried these three options in natd.conf, each one at a time, with no luck:
Code:
redirect_port tcp 208.53.175.170:22 208.53.175.170:22
redirect_proto tcp 208.53.175.170 208.53.175.170
redirect_address 208.53.175.170 208.53.175.170

Any help would be greatly appreciated. I'm trying to avoid assigning my inside network local IPs such as 192.168.0.*; I want to assign them their real outside IPs while the BSD machine acts as a router. By the way, the first person who gives me a successful way to fix this I will PayPal some cash ($50 USD). Thanks, Michael
Well, it sounds like you want a bridge. You can bridge two interfaces and have them "IP-less". You can't assign two interfaces with IPs on the same subnet and expect it to work.
$ man 4 bridge
Re: BSD Router with natd and ipfw need help please
Quote:
lnc0 has 208.53.175.160-191 on that interface, but you also have 208.53.175.168-175 on lnc1... Yes, this will thoroughly confuse the routing mechanism in the box. chort's suggestion is probably the easiest. Keep lnc0 as it is, remove the line for lnc1 and set (in sysctl.conf):
Code:
net.link.ether.bridge_cfg=lnc0,lnc1

P.S. 170's mask should be /27 also -- And I can't speak for chort, but I don't need your money. It's actually pretty fulfilling to help people.
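The overlap the reply points at (lnc1's /29 sitting inside lnc0's /27) is the thing to verify before deciding between routing and bridging. The script below is an added example, not something posted in this thread: it computes the first and last address each interface claims from the rc.conf address/netmask pairs and flags overlap. Interface names and addresses are the ones from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): report the address range each
# interface claims and flag overlapping networks, which is the situation
# that confuses routing and calls for a bridge instead.

# ip2int DOTTED-QUAD -> 32-bit integer (subshell keeps the IFS change local)
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# int2ip INTEGER -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net_of ADDR MASK -> network address as integer
net_of() { echo $(( $(ip2int "$1") & $(ip2int "$2") )); }

# bcast_of ADDR MASK -> last address of the network as integer
bcast_of() { echo $(( $(net_of "$1" "$2") | ($(ip2int "$2") ^ 4294967295) )); }

# iface_range ADDR MASK -> "first-last", the way the reply quotes them
iface_range() {
    echo "$(int2ip "$(net_of "$1" "$2")")-$(int2ip "$(bcast_of "$1" "$2")")"
}

# subnets_overlap ADDR1 MASK1 ADDR2 MASK2 -> exit 0 if the networks overlap
subnets_overlap() {
    n1=$(net_of "$1" "$2"); b1=$(bcast_of "$1" "$2")
    n2=$(net_of "$3" "$4"); b2=$(bcast_of "$3" "$4")
    [ "$n1" -le "$b2" ] && [ "$n2" -le "$b1" ]
}

# Demo with the two ifconfig_lnc* lines from the original rc.conf.
demo() {
    echo "lnc0 claims $(iface_range 208.53.175.162 255.255.255.224)"
    echo "lnc1 claims $(iface_range 208.53.175.169 255.255.255.248)"
    if subnets_overlap 208.53.175.162 255.255.255.224 208.53.175.169 255.255.255.248; then
        echo "overlap: the box cannot route between these; bridge the interfaces instead"
    else
        echo "no overlap: plain routing between the two interfaces is fine"
    fi
}

demo
```

On the 4.x bridge itself, `net.link.ether.bridge_cfg` only names the member interfaces; bridging is switched on with `net.link.ether.bridge=1`, and ipfw only sees bridged frames when `net.link.ether.bridge_ipfw=1` is set as well (see bridge(4)).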
.170 setup
ok so let me know if im correct, I now setup .170 as this in rc.conf:
Code:
defaultrouter="208.53.175.162"
ifconfig_lnc0="inet 208.53.175.170 netmask 255.255.255.224"
ok issue
Ok sigsegv, I set up the machines as you said. They can ping each other, but the .170 cannot ping the outside world, and neither can the outside world access .170.
Any more VERY helpful ideas? You've been a great help and I really appreciate it. And should I leave natd running or disable natd altogether?
Re: .170 setup
Code:
defaultrouter="208.53.175.161"
ifconfig_lnc0="inet 208.53.175.170 netmask 255.255.255.224"

170 is talking straight through 162, not to it. natd is not necessary in this setup.
local box
Ok the local box is setup with these options:
Code:
defaultrouter="208.53.175.161"
ifconfig_lnc0="inet 208.53.175.170 netmask 255.255.255.224"

It can still ping the bridge, but it cannot ping any outside site or IP.
natd
OK, it was natd that was the issue; as soon as I disabled it, it worked great. Man, you're a damn genius. If there's ever anything I can do for you, or you need a shell or something or hosting, just let me know, www.systeminplace.net support@systeminplace.net, and I'll hook ya up.
Re: natd
I appreciate the offer, and I might some day collect, but I'm good now. And just to keep anyone from begging shells and stuff in my name, I'm sending you my gpg key as soon as I punch submit. Any off-board communication will be signed with it.
Glad I was able to help ya out :D
one more issue
Hey, one more question. I have set up mrtg to monitor bandwidth and have the following in my ipfw rules:
Code:
Router# ipfw list
30000 count ip from any to any out
30170 count ip from 208.53.175.170 to any
31000 count ip from any to any in
31170 count ip from any to 208.53.175.170
65535 allow ip from any to any
Router#

However, mrtg isn't counting the packets to the machine. Is it because I am using the router as a bridge? Is there a way for me to amend those rules so that I can still monitor and block or allow ports to 208.53.175.170?
Not sure on that one. I've never used MRTG to do anything but poll raw interface stats via SNMP. It looks like this should cover it though.
As for blocking while still counting -- just put the count rules before any blocks and the packets should still get counted.
mrtg
I have mrtg up and working on all my other boxes, and it's set up on this bridge, but it's not monitoring or catching the packets going through it to the .170 machine correctly.
What does ipfw show produce?
ipfw show
Code:
Router# ipfw show
30000    1325    342376 count ip from any to any out
30170       0         0 count ip from 208.53.175.170 to any out
31000 1152172 889783254 count ip from any to any in
31170  293390 431603137 count ip from any to 208.53.175.170 in
65535 1154747 890595707 allow ip from any to any
Router#
Sorry, I missed it the first time through ...
Code:
30170 count ip from 208.53.175.170 to any
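The counters in the `ipfw show` output above tell the story: rule 31170 (`to 208.53.175.170 in`) has 431603137 bytes, while rule 30170 (`from 208.53.175.170 to any out`) has counted nothing. In the 4.x bridge code, bridged frames are handed to ipfw once, as incoming packets on the interface they arrived on, so a rule restricted to `out` never matches bridged traffic; the frames leaving .170 are only ever seen as `in` on lnc1. The script below is an added example, not something posted in the thread: it turns `ipfw show` counters into the four lines MRTG expects from an external script (bytes in, bytes out, uptime, name). The sample table is constructed from the output quoted above and the rule numbers are the thread's; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): feed ipfw byte counters to MRTG.
# MRTG's external-script interface expects exactly four lines on stdout:
#   1) bytes in   2) bytes out   3) uptime (any string)   4) target name

# Constructed sample, copied from the `ipfw show` output quoted in the thread.
# On the router you would pipe the real `ipfw show` into the function.
SAMPLE_IPFW_SHOW='30000 1325 342376 count ip from any to any out
30170 0 0 count ip from 208.53.175.170 to any out
31000 1152172 889783254 count ip from any to any in
31170 293390 431603137 count ip from any to 208.53.175.170 in
65535 1154747 890595707 allow ip from any to any'

# rule_bytes RULE < ipfw-show-output
# `ipfw show` prints "number packets bytes rule-body"; print the byte
# counter of RULE, or 0 if the rule is not present at all.
rule_bytes() {
    awk -v r="$1" '$1 == r { print $3; found = 1 } END { if (!found) print 0 }'
}

# mrtg_from_ipfw IN_RULE OUT_RULE NAME < ipfw-show-output
# Read the table once, then emit the four MRTG lines.
mrtg_from_ipfw() {
    table=$(cat)
    printf '%s\n%s\n%s\n%s\n' \
        "$(printf '%s\n' "$table" | rule_bytes "$1")" \
        "$(printf '%s\n' "$table" | rule_bytes "$2")" \
        "unknown" \
        "$3"
}

# Demo: in = rule 31170, out = rule 30170 (which never matches on a bridge,
# so the second line comes out as 0, the symptom reported in the thread).
demo() {
    printf '%s\n' "$SAMPLE_IPFW_SHOW" | mrtg_from_ipfw 31170 30170 "208.53.175.170 via bridge"
}

demo
```

To get a non-zero "out" line on the bridge, count the host's outbound traffic with a rule that matches it as incoming, for example `count ip from 208.53.175.170 to any in`, and point the OUT_RULE argument at that rule number instead of 30170. Keep any count rules numbered below the allow/deny rules, as the reply above says, so blocked packets are still counted.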