Solved

NAT on FreeBSD / Linux - for two networks on one server..

Posted on 2001-08-08
Last Modified: 2010-03-18
hi,

I have a NAT installation on FreeBSD 4.x
and I recently added another NIC to cater for another network. like this:

                     public IP (xl0)
                       |
                      NATD
                       |--------------
                       | fxp0         | dc0
           (existing)10.x.x.x   20.x.x.x (new)

I tried to modify my natd.conf to cater for this new network as well.

port 8668
interface fxp0
use_sockets yes
same_ports yes
dynamic yes

# permanent_link tcp 10.0.0.244:login 0:0 login

# permanent_link tcp 10.0.0.244:telnet 0:0 telnet
# permanent_link udp 10.0.0.244:telnet 0:0 telnet

permanent_link tcp 10.0.0.244:http 0:0 http
permanent_link udp 10.0.0.244:http 0:0 http

permanent_link tcp 10.0.0.244:smtp 0:0 smtp
permanent_link udp 10.0.0.244:smtp 0:0 smtp

permanent_link tcp 10.0.0.244:ssh 0:0 ssh
permanent_link udp 10.0.0.244:ssh 0:0 ssh

# this is for 20.x.x.x subnet - new
permanent_link tcp 20.0.0.244:http 0:0 http
permanent_link udp 20.0.0.244:http 0:0 http

permanent_link tcp 20.0.0.244:smtp 0:0 smtp
permanent_link udp 20.0.0.244:smtp 0:0 smtp

permanent_link tcp 20.0.0.244:ssh 0:0 ssh
permanent_link udp 20.0.0.244:ssh 0:0 ssh

Results:
10.x.x.x NAT to public IP still works but 20.x.x.x NAT to public IP
does not work. I can ping gateway 20.0.0.244 from my client 20.0.0.9
(e.g.) but I cannot ping Internet hosts such as www.yahoo.com. Meaning
that the local network is ok but the NAT for 20.x.x.x is not.

I also have IPFW running but I have duplicated the rules for 20.x.x.x
so it shouldn't pose a problem.

Please advise...!
Thanks
Question by:Haho
 
LVL 16

Expert Comment

by:The--Captain
ID: 6367256
jlevie is the guy to talk to about FreeBSD - I will try to get him into this discussion...

-Jon

 
LVL 40

Expert Comment

by:jlevie
ID: 6368005
The trivial solution is to change the 20.0.0.0 network to be a subnet of the 10/8 net. Perhaps something like 10.0.0.0/24 for the existing net and 10.0.1.0/8 for the second network (netmasks for each are 255.255.255.0). Then masquerade the Class A net onto your outside IP. Now if you have more than one outside IP you probably need to be using IPFilter, which has no problem with handling multiple outside IP's and can do all of the forms of NAT.
 
LVL 1

Author Comment

by:Haho
ID: 6370927
my existing network is 10.0.0.0/8.
how does your recommendation work in this case?
Please advise.
 
LVL 40

Accepted Solution

by:
jlevie earned 100 total points
ID: 6371192
Do you actually use all of that address space (16777214 nodes) and NPAT that into a single outside IP? I suspect not and that you'd be able to renumber the existing network to use a Class C subnet of the Class A. If you find that too restrictive subnet it into Class B's (65534 nodes/subnet). Then give one of the Class C's or Class B's to the '20.0.0.0' network and NPAT the Class A, per above.

It's not completely clear from the question, but I've been using the assumption that you only have a single outside IP. I don't know of any way other than having a contiguous IP range of doing NPAT onto a single IP. And NPAT (aka IP Masquerade, aka Network Port Address Translation) is what we are talking about if there is only a single outside IP. I suspect the lack of support for discontiguous IP ranges is directly related to the way NPAT works and is typically implemented. Since there is a distinct limit on the number of translation slots (65535) available when using a single outside IP, and since one can pick an RFC 1918 network that will easily cover the number of available slots, there would seem to be little point in coding the NPAT support to allow for discontiguous inside networks. Such support would probably have little use and could easily be 'worked around' by using subnets of a Class B and using NPAT translation for the Class B (or a portion thereof).

Other solutions are possible if you have a netblock with at least two usable outside IP's. My reading of the docs indicates that IPFilter should support two NPAT statements, each to a different outside IP. It isn't completely clear to me that you can do the same with IPFW.
 
LVL 16

Expert Comment

by:The--Captain
ID: 6371496
Haho - to clarify/summarize what I think Jim is trying to say (good lecture BTW, if a bit dry)...

There should be no technical reason why you cannot make two changes and have everything working.

Change network 10.0.0.0/8 to be 10.0.0.0/9
Change network 20.0.0.0/8 to be 10.128.0.0/9

which would leave you with around 8 million available hosts in each network.

If that is not acceptable, please state why.

If it is, give points to Jim (jlevie).

-Jon

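To make the renumbering advice above concrete, here is an added example (not code from the thread) that models the two things the experts rely on: a single-outside-IP NAT translates whatever falls inside the one contiguous inside prefix the divert rule hands to natd, and splitting that prefix keeps every renumbered host covered. The ipfw rule shape and the host addresses are assumptions taken from the question (10.0.0.9-style clients on fxp0, 20.0.0.9 on dc0).

```python
import ipaddress

# Constructed model of the rule natd depends on, e.g.
#   ipfw add divert 8668 ip from <inside_prefix> to any via xl0
# natd itself must be bound to the outside interface (xl0), and only
# packets whose source falls inside <inside_prefix> are diverted to it.
def divert_covers(inside_prefix, src_ip):
    """True if a packet from src_ip would match the divert rule's source prefix."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(inside_prefix, strict=False)


def renumber_plan(aggregate, new_prefixlen, count):
    """Split the NAT'd aggregate into `count` subnets of new_prefixlen,
    one per inside interface. Every subnet stays inside the aggregate,
    so the single divert/NAT rule keeps covering both fxp0 and dc0 clients."""
    net = ipaddress.ip_network(aggregate)
    plan = []
    for sub in net.subnets(new_prefix=new_prefixlen):
        plan.append(str(sub))
        if len(plan) == count:
            break
    return plan


def usable_hosts(prefix):
    """Host addresses per subnet, minus network and broadcast."""
    return ipaddress.ip_network(prefix).num_addresses - 2


def check_clients(inside_prefix, clients):
    """Map each client address to whether the NAT rule would translate it."""
    return {c: divert_covers(inside_prefix, c) for c in clients}


if __name__ == "__main__":
    # Original layout: inside prefix is 10/8, so the new 20.0.0.9 client is
    # never diverted to natd (local pings work, Internet does not).
    print(check_clients("10.0.0.0/8", ["10.0.0.9", "20.0.0.9"]))
    # Jon's /9 split and Haho's /24 split are both subsets of the same aggregate.
    print(renumber_plan("10.0.0.0/8", 9, 2), usable_hosts("10.0.0.0/9"))
    print(renumber_plan("10.0.0.0/8", 24, 2), usable_hosts("10.0.0.0/24"))
    # After renumbering dc0 to 10.0.1.0/24, its clients are covered by the same rule.
    print(check_clients("10.0.0.0/8", ["10.0.0.9", "10.0.1.9"]))
```

Run it to see which client addresses the existing rule would translate before and after renumbering; the same check applies to any discontiguous range you try to hang off a single-prefix NAT rule.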
 
LVL 1

Author Comment

by:Haho
ID: 6376588
Do you actually use all of that address space (16777214 nodes) and NPAT that into a single outside IP?

Yes, one single IP. No, I don't need many nodes. :) In fact, a Class C is more than enough.
Would this work well?

Current: 10.0.0.0/24
New : 10.0.1.0/24

Thxs!

 
LVL 16

Expert Comment

by:The--Captain
ID: 6376709
I don't see why not...

-Jon
 
LVL 16

Expert Comment

by:The--Captain
ID: 6376982
In other words:

Yeah, using 10.0.0.0 and 10.0.1.0 should be fine...

I think the thing to remember is that if all of 10.0.0.0/8
works for you (via NAT), then any subset of that should work, no matter how you care to divide it...

-Jon
 
LVL 1

Author Comment

by:Haho
ID: 6377436
Thanks to both of you!