BSD Router with natd and ipfw need help please
 

I am running FreeBSD 4.10-RELEASE-p3 and I have the following options in my kernel for firewalling and natd etc:

options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPDIVERT #divert sockets
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default0
options DUMMYNET # enable dummynet operation.

and in rc.conf i have:
defaultrouter="208.53.175.161"
ifconfig_lnc0="inet 208.53.175.162 netmask 255.255.255.224"
ifconfig_lnc1="inet 208.53.175.169 netmask 255.255.255.248"

Now connected to lnc1 over a crossover cable I have another BSD box using the ip 208.53.175.170, it can access the internet and stuff but I need to be able to make the first box with the ip 208.53.175.162 pass all packets incoming for 208.53.175.170 so people on the outside can access the local box.

I've tried using natd in natd.conf to get it to forward but it doesnt work, ive tried these three options in natd.conf each one at a time with no luck.
redirect_port tcp 208.53.175.170:22 208.53.175.170:22
redirect_proto tcp 208.53.175.170 208.53.175.170
redirect_address 208.53.175.170 208.53.175.170

Any help would be greatly appreciated, im trying to avoid assigning my inside network local ips such as 192.168.0.*, I want to assign them their real outside ips while the bsd machine acts as a router.

By the way the first person who gives me a successful way how to fix this I will paypal them some cash. ($50 usd).

Thanks,
Michael

Well, it sounds like you want a bridge. You can bridge two interfaces and have them "IP-less". You can't assign two interfaces with IPs on the same subnet and expect it to work.

$ man 4 bridge

Re: BSD Router with natd and ipfw need help please
 

I'm surprised it works at all. Assuming your ISP's router is .161, you have this configured incorrectly.

lnc0 has 208.53.175.160-191 on that interface, but you also have 208.53.175.168-175 on lnc1... Yes, this will thoroughly confuse the routing mechanism in the box.

chort's suggestion is probably the easiest. Keep lnc0 as it is, remove the line for lnc1 and set (in sysctl.conf):
Keep in mind that this basically turns 162 into a switch (bridges are basically switches) and will pass *all* packets to the machine on lnc1 until you get your ipfw rules on it.

P.S. 170's mask should be /27 also -- And I can't speak for chort, but I don't need your money. It's actually pretty fulfilling to help people.

.170 setup
 

ok so let me know if im correct, I now setup .170 as this in rc.conf:

defaultrouter="208.53.175.162"
ifconfig_lnc0="inet 208.53.175.170 netmask 255.255.255.224"

ok issue
 

Ok sigsegv I setup the machines as you said, they can ping each other but the .170 cannot ping the outside world neither can the outside world access .170

Any more VERY helpful ideas?

You've been a great help and I really appreciate it.

And should I leave natd running or disable natd altogether?

Re: .170 setup
 

defaultrouter="208.53.175.161"
ifconfig_lnc0="inet 208.53.175.170 netmask 255.255.255.224"

170 is talking straight through 162, not to it.

natd is not necessary in this setup

local box
 

Ok the local box is setup with these options:
defaultrouter="208.53.175.161"
ifconfig_lnc0="inet 208.53.175.170 netmask 255.255.255.224"


it can still ping the bridge but it cannot ping any outside site or ip.

natd
 

OK it was natd that was being the issue, as soon as i disabled it it worked great, man your a damn genious, if theres ever anything i can do for you or you need a shell or some thing or hosting just let me know, www.systeminplace.net support@systeminplace.net and ill hook ya up.

Re: natd
 

I appreciate the offer, and I might some day collect, but I'm good now. And just to keep anyone from begging shells and stuff in my name, I'm sending you my gpg key as soon as I punch submit. Any off-board communication will be signed with it.

Glad I was able to help ya out :D

one more issue
 

Hey one more question I have setup mrtg to montior bw and have the following
in my ipfw rules:

Router# ipfw list
30000 count ip from any to any out
30170 count ip from 208.53.175.170 to any
31000 count ip from any to any in
31170 count ip from any to 208.53.175.170
65535 allow ip from any to any
Router#

however mrtg isnt counting the packets to the machine is it because I am
using the router as a bridge? is there a way for me to ammend those rules so
that I can still monitor and block or allow ports to 208.53.175.170

Not sure on that one. I've never used MRTG to do anything but poll raw interface stats via SNMP. It looks like this should cover it though.

As for blocking while still counting -- just put the count rules before any blocks and the packets should still get counted.

mrtg
 

I have mrtg up and working on all my other boxes and its setup on this bridge but its not monitoring or catching the packets going through it to the .170 machine correctly.

what does ipfw show produce?

ipfw show
 

Router# ipfw show
30000 1325 342376 count ip from any to any out
30170 0 0 count ip from 208.53.175.170 to any out
31000 1152172 889783254 count ip from any to any in
31170 293390 431603137 count ip from any to 208.53.175.170 in
65535 1154747 890595707 allow ip from any to any
Router#

Sorry, I missed it the first time through ...

Try that