
NAT on FreeBSD / Linux - for two networks on one server..

hi,

I have a NAT installation on FreeBSD 4.x
and I recently added another NIC to cater for another network. like this:

                     public IP (xl0)
                       |
                      NATD
                       |--------------
                       | fxp0         | dc0
           (existing)10.x.x.x   20.x.x.x (new)

I tried to modify my natd.conf to cater for this new network as well.

port 8668
interface fxp0
use_sockets yes
same_ports yes
dynamic yes

# permanent_link tcp 10.0.0.244:login 0:0 login

# permanent_link tcp 10.0.0.244:telnet 0:0 telnet
# permanent_link udp 10.0.0.244:telnet 0:0 telnet

permanent_link tcp 10.0.0.244:http 0:0 http
permanent_link udp 10.0.0.244:http 0:0 http

permanent_link tcp 10.0.0.244:smtp 0:0 smtp
permanent_link udp 10.0.0.244:smtp 0:0 smtp

permanent_link tcp 10.0.0.244:ssh 0:0 ssh
permanent_link udp 10.0.0.244:ssh 0:0 ssh

# this is for 20.x.x.x subnet - new
permanent_link tcp 20.0.0.244:http 0:0 http
permanent_link udp 20.0.0.244:http 0:0 http

permanent_link tcp 20.0.0.244:smtp 0:0 smtp
permanent_link udp 20.0.0.244:smtp 0:0 smtp

permanent_link tcp 20.0.0.244:ssh 0:0 ssh
permanent_link udp 20.0.0.244:ssh 0:0 ssh

Results:
10.x.x.x NAT to public IP still works but 20.x.x.x NAT to public IP
does not work. I can ping gateway 20.0.0.244 from my client 20.0.0.9
(eg) but I cannot ping Internet hosts such as www.yahoo.com. Meaning
that the local network is ok but the NAT for 20.x.x.x is not.

I also have IPFW running but I have duplicated the rules for 20.x.x.x
so it shouldn't pose a problem.

Please advise...!
Thanks
Asked by: Haho

1 Solution

The--CaptainCommented:
jlevie is the guy to talk to about FreeBSD - I will try to get him into this discussion...

-Jon

jlevieCommented:
The trivial solution is to change the 20.0.0.0 network to be a subnet of the 10/8 net. Perhaps something like 10.0.0.0/24 for the existing net and 10.0.1.0/8 for the second network (netmasks for each are 255.255.255.0). Then masquerade the Class A net onto your outside IP. Now if you have more than one outside IP you probably need to be using IPFilter, which has no problem with handling multiple outside IP's and can do all of the forms of NAT.
HahoAuthor Commented:
my existing network is 10.0.0.0/8.
how does your recommendation work in this case?
Please advise.
jlevieCommented:
Do you actually use all of that address space (16777214 nodes) and NPAT that into a single outside IP? I suspect not and that you'd be able to renumber the existing network to use a Class C subnet of the Class A. If you find that too restrictive subnet it into Class B's (65534 nodes/subnet). Then give one of the Class C's or Class B's to the '20.0.0.0' network and NPAT the Class A, per above.

It's not completely clear from the question, but I've been using the assumption that you only have a single outside IP. I don't know of any way other than having a contiguous IP range of doing NPAT onto a single IP. And NPAT (aka IP Masquerade, aka Network Port Address Translation) is what we are talking about if there is only a single outside IP. I suspect the lack of support for discontiguous IP ranges is directly related to the way NPAT works and is typically implemented. Since there is a distinct limit on the number of translation slots (65535) available when using a single outside IP, and since one can pick an RFC 1918 network that will easily cover the number of available slots, there would seem to be little point in coding the NPAT support to allow for discontiguous inside networks. Such support would probably have little use and could easily be 'worked around' by using subnets of a Class B and using NPAT translation for the Class B (or a portion thereof).

Other solutions are possible if you have a netblock with at least two usable outside IP's. My reading of the docs indicates that IPFilter should support two NPAT statements, each to a different outside IP. It isn't completely clear to me that you can do the same with IPFW.
The--CaptainCommented:
Haho - to clarify/summarize what I think Jim is trying to say (good lecture BTW, if a bit dry)...

There should be no technical reason why you cannot make two changes and have everything working.

Change network 10.0.0.0/8 to be 10.0.0.0/9
Change network 20.0.0.0/8 to be 10.128.0.0/9

which would leave you with around 8 million available hosts in each network.

If that is not acceptable, please state why.

If it is, give points to Jim (jlevie).

-Jon

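As an added example (not code from any poster in this thread), a small Python check of the renumbering plans discussed above: it confirms that each inside subnet lies within the single block natd masquerades onto the one outside IP, that the inside subnets do not overlap, that no permanent_link target in natd.conf falls outside that block (the 20.0.0.244 entries in the question would be flagged), and reports usable host counts for the /8, /9 and /24 variants. The natd.conf fragment is constructed to mirror the question, and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed natd.conf fragment mirroring the question (not the poster's file verbatim)
NATD_CONF = """\
port 8668
interface fxp0
permanent_link tcp 10.0.0.244:http 0:0 http
permanent_link tcp 10.0.0.244:ssh 0:0 ssh
# this is for 20.x.x.x subnet - new
permanent_link tcp 20.0.0.244:http 0:0 http
"""

def permanent_link_targets(conf_text):
    """Inside IPs named by permanent_link lines; comments and blanks are skipped."""
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"permanent_link\s+\S+\s+(\d+\.\d+\.\d+\.\d+):", line)
        if m:
            targets.append(ipaddress.ip_address(m.group(1)))
    return targets

def check_plan(aggregate, inside_nets, conf_text):
    """Check a plan against the block natd masquerades; returns (problems, usable_hosts)."""
    agg = ipaddress.ip_network(aggregate)
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    problems = []
    for n in nets:                       # every inside net must be a subnet of the aggregate
        if not n.subnet_of(agg):
            problems.append(f"{n} is outside masqueraded block {agg}")
    for i, a in enumerate(nets):         # inside nets must not overlap each other
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    for t in permanent_link_targets(conf_text):   # static mappings must point inside the block
        if t not in agg:
            problems.append(f"permanent_link target {t} is outside {agg}")
    usable_hosts = {str(n): n.num_addresses - 2 for n in nets}   # minus network/broadcast
    return problems, usable_hosts

if __name__ == "__main__":
    for plan in (["10.0.0.0/8", "20.0.0.0/8"],          # the layout in the question
                 ["10.0.0.0/9", "10.128.0.0/9"],        # The--Captain's /9 split
                 ["10.0.0.0/24", "10.0.1.0/24"]):       # Haho's final choice
        print(plan, check_plan("10.0.0.0/8", plan, NATD_CONF))
```
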
HahoAuthor Commented:
Do you actually use all of that address space (16777214 nodes) and NPAT that into a single outside IP?

Yes, one single IP. No, I don't need many nodes. :) In fact, a Class C is more than enough.
Would this work well?

Current: 10.0.0.0/24
New : 10.0.1.0/24

Thxs!

The--CaptainCommented:
I don't see why not...

-Jon
The--CaptainCommented:
In other words:

Yeah, using 10.0.0.0 and 10.0.1.0 should be fine...

I think the thing to remember is that if all of 10.0.0.0/8
works for you (via NAT), then any subset of that should work, no matter how you care to divide it...

-Jon
HahoAuthor Commented:
Thanks to both of you!