Solved

NAT on FreeBSD / Linux - for two networks on one server..

Posted on 2001-08-08
Last Modified: 2010-03-18
hi,

I have a NAT installation on FreeBSD 4.x, and I recently added another NIC to cater for another network, like this:

                     public IP (xl0)
                       |
                      NATD
                       |--------------
                       | fxp0         | dc0
           (existing)10.x.x.x   20.x.x.x (new)

I tried to modify my natd.conf to cater for this new network as well.

port 8668
interface fxp0
use_sockets yes
same_ports yes
dynamic yes

# permanent_link tcp 10.0.0.244:login 0:0 login

# permanent_link tcp 10.0.0.244:telnet 0:0 telnet
# permanent_link udp 10.0.0.244:telnet 0:0 telnet

permanent_link tcp 10.0.0.244:http 0:0 http
permanent_link udp 10.0.0.244:http 0:0 http

permanent_link tcp 10.0.0.244:smtp 0:0 smtp
permanent_link udp 10.0.0.244:smtp 0:0 smtp

permanent_link tcp 10.0.0.244:ssh 0:0 ssh
permanent_link udp 10.0.0.244:ssh 0:0 ssh

# this is for 20.x.x.x subnet - new
permanent_link tcp 20.0.0.244:http 0:0 http
permanent_link udp 20.0.0.244:http 0:0 http

permanent_link tcp 20.0.0.244:smtp 0:0 smtp
permanent_link udp 20.0.0.244:smtp 0:0 smtp

permanent_link tcp 20.0.0.244:ssh 0:0 ssh
permanent_link udp 20.0.0.244:ssh 0:0 ssh

Results:
10.x.x.x NAT to public IP still works, but 20.x.x.x NAT to public IP
does not work. I can ping gateway 20.0.0.244 from my client 20.0.0.9
(e.g.), but I cannot ping Internet hosts such as www.yahoo.com. Meaning
that the local network is OK but the NAT for 20.x.x.x is not.

I also have IPFW running but I have duplicated the rules for 20.x.x.x
so it shouldn't pose a problem.

Please advise...!
Thanks
Question by:Haho
9 Comments
LVL 16

Expert Comment

by:The--Captain
jlevie is the guy to talk to about FreeBSD - I will try to get him into this discussion...

-Jon

LVL 40

Expert Comment

by:jlevie
The trivial solution is to change the 20.0.0.0 network to be a subnet of the 10/8 net. Perhaps something like 10.0.0.0/24 for the existing net and 10.0.1.0/8 for the second network (netmasks for each are 255.255.255.0). Then masquerade the Class A net onto your outside IP. Now if you have more than one outside IP you probably need to be using IPFilter, which has no problem with handling multiple outside IPs and can do all of the forms of NAT.
LVL 1

Author Comment

by:Haho
My existing network is 10.0.0.0/8.
How does your recommendation work in this case?
Please advise.
LVL 40

Accepted Solution

by:jlevie (earned 100 total points)
Do you actually use all of that address space (16777214 nodes) and NPAT that into a single outside IP? I suspect not and that you'd be able to renumber the existing network to use a Class C subnet of the Class A. If you find that too restrictive subnet it into Class B's (65534 nodes/subnet). Then give one of the Class C's or Class B's to the '20.0.0.0' network and NPAT the Class A, per above.

It's not completely clear from the question, but I've been using the assumption that you only have a single outside IP. I don't know of any way other than having a contiguous IP range of doing NPAT onto a single IP. And NPAT (aka IP Masquerade, aka Network Port Address Translation) is what we are talking about if there is only a single outside IP. I suspect the lack of support for discontiguous IP ranges is directly related to the way NPAT works and is typically implemented. Since there is a distinct limit on the number of translation slots (65535) available when using a single outside IP, and since one can pick an RFC 1918 network that will easily cover the number of available slots, there would seem to be little point in coding the NPAT support to allow for discontiguous inside networks. Such support would probably have little use and could easily be "worked around" by using subnets of a Class B and using NPAT translation for the Class B (or a portion thereof).

Other solutions are possible if you have a netblock with at least two usable outside IPs. My reading of the docs indicates that IPFilter should support two NPAT statements, each to a different outside IP. It isn't completely clear to me that you can do the same with IPFW.
LVL 16

Expert Comment

by:The--Captain
Haho - to clarify/summarize what I think Jim is trying to say (good lecture BTW, if a bit dry)...

There should be no technical reason why you cannot make two changes and have everything working.

Change network 10.0.0.0/8 to be 10.0.0.0/9
Change network 20.0.0.0/8 to be 10.128.0.0/9

which would leave you with around 8 million available hosts in each network.

If that is not acceptable, please state why.

If it is, give points to Jim (jlevie).

-Jon

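To make the point of the accepted answer and Jon's summary concrete, here is a small added checker (not code from the question or from either expert) that reads the permanent_link lines of a natd.conf, flags inside hosts that fall outside the single contiguous range natd masquerades, and verifies that proposed replacement subnets sit inside that range. It assumes the masqueraded inside range is 10.0.0.0/8, the network the author says already works, and uses a constructed excerpt of the author's config rather than the full file.

```python
import ipaddress
import re

# Constructed excerpt of the natd.conf from the question (not the complete file).
NATD_CONF = """\
interface fxp0
# permanent_link tcp 10.0.0.244:telnet 0:0 telnet
permanent_link tcp 10.0.0.244:http 0:0 http
permanent_link tcp 20.0.0.244:http 0:0 http
"""

# Assumption: the one contiguous inside range that natd translates onto the outside IP.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")

# permanent_link <proto> <inside-addr>:<port> <remote-addr>:<port> <outside-port>
LINK_RE = re.compile(
    r"^\s*permanent_link\s+(tcp|udp)\s+([\d.]+):(\S+)\s+(\S+):(\S+)\s+(\S+)"
)


def permanent_link_hosts(conf):
    """Inside addresses named by active permanent_link lines; '#' comments are skipped."""
    hosts = []
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINK_RE.match(line)
        if m:
            hosts.append(ipaddress.ip_address(m.group(2)))
    return hosts


def unreachable_links(conf, inside_net=INSIDE_NET):
    """permanent_link targets that lie outside inside_net and so are never translated."""
    return [str(h) for h in permanent_link_hosts(conf) if h not in inside_net]


def renumbering_plan(subnets, inside_net=INSIDE_NET):
    """Check each proposed inside subnet is contained in inside_net.

    Returns (subnet, usable host count) pairs; raises ValueError for a subnet
    that would leave the masqueraded range, as 20.0.0.0/8 does.
    """
    plan = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        if not net.subnet_of(inside_net):
            raise ValueError(f"{s} is not inside {inside_net}")
        plan.append((str(net), net.num_addresses - 2))
    return plan
```

Running it against the excerpt reports 20.0.0.244 as the one untranslated target, and both renumbering proposals on this page (two /9s, or two /24s) pass the containment check.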
LVL 1

Author Comment

by:Haho
Do you actually use all of that address space (16777214 nodes) and NPAT that into a single outside IP?

Yes, one single IP. No, I don't need many nodes. :) In fact, a Class C is more than enough.
Would this work well?

Current: 10.0.0.0/24
New : 10.0.1.0/24

Thxs!

LVL 16

Expert Comment

by:The--Captain
I don't see why not...

-Jon
LVL 16

Expert Comment

by:The--Captain
In other words:

Yeah, using 10.0.0.0 and 10.0.1.0 should be fine...

I think the thing to remember is that if all of 10.0.0.0/8
works for you (via NAT), then any subset of that should work, no matter how you care to divide it...

-Jon
LVL 1

Author Comment

by:Haho
Thanks to both of you!