ipfilter and ipnat problems revisited

Soybomb

Diamond Member
Jun 30, 2000
FreeBSD 5.3 running ipfilter and ipnat

fxp0 - (internet interface) 100.0.0.100 and also aliases of (100.0.0.103, 100.0.0.108)
fxp1 - (internal lan) 10.10.0.1
fxp2 - (internet interface) 200.0.0.100

fxp0 and fxp1 have been set up and running for a long time. Servers and workstations are behind fxp1; fxp0 accepts incoming traffic and routes it to the appropriate internal server thanks to ipnat, then ipfilter either allows or disallows it. fxp2 was just recently added. Here's the goal. I want to use the fxp2 link as a shortcut so that traffic to certain servers doesn't have to go across the internet to get there. All other traffic should go over the internet.

So for example:
10.10.0.25 (random workstation behind NAT on fxp1) will access the internet via fxp0 (traffic goes to 10.10.0.1 since it's the default route, then the box sends it on to the network's router).
200.0.0.24 (random workstation on the fxp2 LAN) will access the internet (including 100.0.0.103, etc.) via the default route, which would be the router for that network.
200.0.0.10 (server on the fxp2 LAN) will access server 100.0.0.108 using NAT over fxp2 by making the requests to 200.0.0.100.

ipnat.rules:
# outbound NAT for the internal LAN leaving via fxp0 (0/32 = the interface's own address)
map fxp0 10.10.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map fxp0 10.10.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 10.10.0.0/16 -> 0/32
# outbound NAT for the internal LAN leaving via the new fxp2 link
map fxp2 10.10.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map fxp2 10.10.0.0/16 -> 0/32
# inbound redirects on fxp0 (public aliases -> internal servers)
rdr fxp0 100.0.0.103/32 port 80 -> 10.10.10.10 port 80
rdr fxp0 100.0.0.108/32 port 53 -> 10.10.10.10 port 53 tcp/udp
# inbound redirects on fxp2 (200.0.0.100 -> internal servers)
rdr fxp2 200.0.0.100/32 port 53 -> 10.10.10.20 port 53 tcp/udp
rdr fxp2 200.0.0.100/32 port 3306 -> 10.10.10.21 port 3306
etc. with the rdrs (lots of rdrs)

Firewall rules for the new interface are currently:
pass in quick on fxp2 all
pass out quick on fxp2 all

Okay so, so far, so good. From a machine on the 200.0.0.0/24 LAN I can log in to 10.10.10.21's MySQL server if I use 200.0.0.100 as the hostname. The 10.10.0.1 LAN can get to devices on LAN 2's IP range. However, if I try to do an nslookup from a machine on the 200.0.0.0/24 LAN to 100.0.0.108 (so from LAN 2, across the internet, to a NAT'ed IP on fxp0) I get:
reply from unexpected source: 200.0.0.100#40007, expected 100.0.0.108#53

So I've messed up something with my NAT'ing, I think. I'm guessing my ipf rules need to have something like:
pass out quick on fxp2 to fxp1:100.0.0.1 from 200.0.0.100/32 to any
but I just haven't found the right combination to make all this work yet. Any suggestions are greatly appreciated!
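An added illustration (not part of the post, and not ipfilter code): a small Python model of an interface-scoped NAT fed with the map and rdr rules from the post. It assumes, for the sake of the model, that a translation created by an rdr on one interface is only consulted for replies leaving through that same interface, that 200.0.0.0/24 is directly connected on fxp2 (so replies to LAN 2 hosts never take the default route), that the "0/32" in the map rules resolves to the primary address of each interface, and that portmap hands out ports from the bottom of its range (the 40007 in the post is simply whatever port ipnat picked). Under those assumptions the model reproduces the symptom: the DNS reply leaves via fxp2, misses the fxp0 rdr state, and is rewritten by the `map fxp2` rule into 200.0.0.100 with a port in the 40000:60000 portmap range, which is what the client's "reply from unexpected source" complains about. The MySQL flow is included as the contrasting case where the reply stays on the interface that created the state.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed routing table of the FreeBSD box: connected networks plus the
# default route via the upstream router on fxp0.
ROUTES = [
    (ip_network("10.10.0.0/16"), "fxp1"),
    (ip_network("200.0.0.0/24"), "fxp2"),
    (ip_network("100.0.0.0/24"), "fxp0"),
    (ip_network("0.0.0.0/0"), "fxp0"),
]

# Assumed primary addresses standing in for "0/32" in the map rules.
IF_ADDR = {"fxp0": "100.0.0.100", "fxp2": "200.0.0.100"}

# map rules from the post: (iface, source net, portmap range)
MAP_RULES = [
    ("fxp0", ip_network("10.10.0.0/16"), (40000, 60000)),
    ("fxp2", ip_network("10.10.0.0/16"), (40000, 60000)),
]
# rdr rules from the post: (iface, ext addr, ext port, int addr, int port)
RDR_RULES = [
    ("fxp0", "100.0.0.103", 80, "10.10.10.10", 80),
    ("fxp0", "100.0.0.108", 53, "10.10.10.10", 53),
    ("fxp2", "200.0.0.100", 53, "10.10.10.20", 53),
    ("fxp2", "200.0.0.100", 3306, "10.10.10.21", 3306),
]


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Translation table keyed by interface (the modelling assumption): state
    created by a rule on fxp0 is only found for packets leaving via fxp0."""

    def __init__(self):
        self.out_state = {}   # (iface, src, sport, dst, dport) -> (new_src, new_sport)
        self.next_port = {}   # iface -> next portmap port to hand out

    def egress(self, dst):
        """Longest-prefix match over ROUTES; returns the outgoing interface."""
        nets = [r for r in ROUTES if ip_address(dst) in r[0]]
        return max(nets, key=lambda r: r[0].prefixlen)[1]

    def inbound(self, pkt, iface):
        """Packet arriving on iface: apply rdr and record how to undo it for the reply."""
        for r_if, ext, eport, int_addr, iport in RDR_RULES:
            if r_if == iface and pkt.dst == ext and pkt.dport == eport:
                self.out_state[(iface, int_addr, iport, pkt.src, pkt.sport)] = (ext, eport)
                return replace(pkt, dst=int_addr, dport=iport)
        return pkt

    def outbound(self, pkt):
        """Packet leaving the box: state on the egress interface wins; otherwise
        a map rule on that interface may create a fresh portmap translation."""
        iface = self.egress(pkt.dst)
        key = (iface, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.out_state:
            new_src, new_sport = self.out_state[key]
            return replace(pkt, src=new_src, sport=new_sport), iface
        for r_if, net, (lo, hi) in MAP_RULES:
            if r_if == iface and ip_address(pkt.src) in net:
                port = self.next_port.get(iface, lo)
                if port > hi:
                    raise RuntimeError("portmap range exhausted on " + iface)
                self.next_port[iface] = port + 1
                self.out_state[key] = (IF_ADDR[iface], port)
                return replace(pkt, src=IF_ADDR[iface], sport=port), iface
        return pkt, iface


def run_flow(client, cport, ext, eport, arrive_if):
    """Constructed request/reply pair: rdr on arrival, then route and NAT the reply."""
    nat = Nat()
    inner = nat.inbound(Pkt(client, cport, ext, eport), arrive_if)
    reply = Pkt(inner.dst, inner.dport, inner.src, inner.sport)
    wire, iface = nat.outbound(reply)
    return {"server": inner.dst, "reply_iface": iface, "reply_src": (wire.src, wire.sport)}


def dns_via_internet():
    """Failing flow: 200.0.0.24 queries 100.0.0.108 (fxp0 rdr) across the internet."""
    return run_flow("200.0.0.24", 5353, "100.0.0.108", 53, "fxp0")


def mysql_on_lan2():
    """Working flow: 200.0.0.10 connects to 200.0.0.100:3306 (fxp2 rdr)."""
    return run_flow("200.0.0.10", 50001, "200.0.0.100", 3306, "fxp2")


if __name__ == "__main__":
    print("dns  :", dns_via_internet())
    print("mysql:", mysql_on_lan2())
```

The two results differ only in which interface the reply is routed out of: the MySQL reply leaves via fxp2, the same interface whose rdr created the state, so it is reversed correctly; the DNS reply also leaves via fxp2 because 200.0.0.24 is directly connected there, but its state lives on fxp0, so the `map fxp2` rule catches it instead. Whether the real ipfilter on FreeBSD 5.3 scopes NAT state exactly this way is not something the post establishes; the model only shows that this asymmetric routing is sufficient to produce the observed reply source.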