
ipnat in freebsd stumper

Soybomb

Diamond Member
Ok I'm lost I think. I have a firewall with 2 NICs, one NIC has numerous public IPs that redirect to private IPs behind the firewall. I've added another "external" NIC to put it on another network. My goal is to use that 3rd NIC to feed traffic from the private IP range on fxp1 to IPs on the same LAN as fxp2.

fxp0 > 333.333.333.1/24 (internet 1)
fxp0 > alias 333.333.333.10/32
etc more aliases on fxp0
fxp1 > 10.10.10.1/16 (internal lan - this is the range being nat'ed from fxp0 and now fxp2)
fxp2 > 444.444.444.2/24 (internet 2)

The router on fxp2 has a static router in the form of "ip route 333.333.333.333 255.255.255.0 444.444.444.2". If I traceroute from a machine on that lan it shows 1 hop to the machine, however no traffic seems to be making it through.
The firewall itself has a rule in place in ipnat.rules to route the traffic, and a traceroute from 10.10.10.1 to 444.444.444.5 is successful with just one hop. So in short I think something's wrong with my ipnat rules that's not letting the traffic back in right.

ipnat.rules:
map fxp0 10.10.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map fxp0 10.10.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 10.10.0.0/16 -> 0/32
map fxp2 10.10.0.0/16 -> 444.444.444.2/31
rdr fxp0 333.333.333.10/32 port 80 -> 10.10.10.10 port 80
rdr fxp0 333.333.333.10/32 port 53 -> 10.10.10.10 port 53 tcp/udp
etc with the rdr's (lots of rdrs)

Firewall rules for the new interface are currently:
pass in quick on fxp2 all
pass out quick on fxp2 all
so I don't think they're causing a problem

I wonder if that's as confusing sounding as I think it will be.

I guess I could put in rdr rules for the IP on fxp2 but that's a kludge because anything that resolves in the 333.333.333.1/24 block accessed from internet 2 LANs will fail if it's not explicitly mapped. Is there a way to make a new map or something that will use all the existing rdr's?
 
I don't understand a damned thing here.

fxp0 = a bunch of ip addresses?
fxp1 = 10.10.0.0/16?
fxp2 = 444.444.444.2?

Traffic works fine between fxp0 and fxp1, correct?
Traffic is not working properly between fxp1 and fxp2, correct?

I'm not sure what your static router(?) is supposed to do, but it looks like it is supposed to send everything going to 333.333.333.333 out fxp2, but do you want fxp0 and fxp2 to be talking? 😕

What's the routing table look like (netstat -rn or route show)?
What firewall software are you using? Where are the configs?
Any chance you can explain the problem better for morons like myself?
 
Yeah fxp0 is a lot of public IPs nat'ed to various places on fxp1. 0-1 and 1-0 work just great. 1-2 works great too, but traffic isn't coming in over fxp2. The static route is on the router of the 444.444.444.0/24 network to keep the traffic from going over the internet (as the default route would direct it) and winding up at fxp0.

I think all the config info for the firewall related to this is above. It's FreeBSD 5.3 running ipnat & ipfilter.

fxp0 has an internet address. It's been doing nat to fxp1 for years. It's an odd setup I guess but it gives us some necessary versatility in redirecting incoming traffic to different machines on the private range of IPs as necessary. Now I've added a new interface, gave it a public IP address and connected that NIC to the new network's switch. I added a static route to the router for the new network that directs traffic destined for the IP range that fxp0 deals with to the IP address of the 3rd NIC on the firewall. That way traffic leaving the 2nd LAN (fxp2) goes through the firewall box and not over the internet. map fxp2 10.10.0.0/16 -> 444.444.444.2/31 was added and successfully directs outbound traffic from the private IP range destined for IPs in the new network over fxp2 to that network, where otherwise the packets would be passed out the gateway of the firewall and over the internet. Traffic isn't flowing in fxp2 from the new network properly though.

I think I need a drink after that!
 
If you use tcpdump on the outside of the problem nic, do you see traffic? Do you see that traffic on the side it's supposed to exit on?
 
tcpdump on fxp2 of the firewall while I try to do a dns query from a host off fxp2's lan to an ip address assigned to fxp0 that nat's to fxp1 (holy crap) gives me that the dns server is unreachable:
20:03:46.149219 IP 444.444.444.10.63253 > 333.333.333.10.domain: 34217+ A? www.google.com. (32)
20:03:46.149337 IP 333.333.333.10 > 444.444.444.10: icmp 36: 333.333.333.10 udp port domain unreachable


tcpdump on fxp0 or fxp1 while trying to do a lookup shows nothing. So I'm wondering if:
map fxp2 10.10.0.0/16 -> 444.444.444.2/31
should actually be replaced with an ipf rule of:
pass in quick on fxp2 to fxp0:333.333.333.1 from 444.444.444.0/24 to any (note: 333.333.333.1 is an ip on fxp0)
pass out quick on fxp1 to fxp2:444.444.444.2 from 10.10.0.0/16 to any (note: 444.444.444.2 is fxp2's ip address)

Then I wouldn't be trying to do anything with nat and fxp2 directly but simply dumping all traffic from 444.444.444.0/24 on fxp0 just like it came from the internet and then sending all the traffic from the internal lan out on fxp2. fxp0/1 would handle nat as they always have. At least I think that's what would happen. Maybe. I've never used ipf like that before. Not daring enough to try it on a server 90 miles away on the weekend just yet either.
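Editor's note, added example (not code from the thread or from ipnat itself): the ipnat.rules listed in the first post and the tcpdump in the post above can be checked against each other with a small rule matcher. It parses the thread's map/rdr lines and reports which rule fires for a packet on a given interface and direction, so it shows why the DNS query arriving on fxp2 for a fxp0 alias hits no rdr (every rdr is bound to fxp0) and is answered by the firewall's own stack with a port unreachable, while the same packet arriving on fxp0 would be redirected to 10.10.10.10. Assumptions: first matching rule wins, only interface, direction, protocol, address and destination port are compared, the proxy/portmap options only narrow the protocol, and the obfuscated 333./444. addresses are replaced by RFC 5737 documentation ranges so the ipaddress module accepts them.

```python
"""Toy ipnat rule matcher: which map/rdr line fires for a given packet?"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the thread's ipnat.rules with the obfuscated 333./444.
# addresses swapped for documentation ranges (192.0.2.0/24 stands in for
# "internet 1" on fxp0, 198.51.100.0/24 for "internet 2" on fxp2).
IPNAT_RULES = """\
map fxp0 10.10.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map fxp0 10.10.0.0/16 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 10.10.0.0/16 -> 0/32
map fxp2 10.10.0.0/16 -> 198.51.100.2/31
rdr fxp0 192.0.2.10/32 port 80 -> 10.10.10.10 port 80
rdr fxp0 192.0.2.10/32 port 53 -> 10.10.10.10 port 53 tcp/udp
"""

SERVICES = {"ftp": 21, "domain": 53, "http": 80}  # the few service names this toy resolves


@dataclass
class Rule:
    kind: str                    # "map": outbound, rewrites source; "rdr": inbound, rewrites destination
    iface: str                   # interface the rule is bound to
    net: ipaddress.IPv4Network   # source net (map) or destination address (rdr) to match
    target: str                  # right-hand side of '->'
    port: Optional[int]          # destination port to match (rdr, or map with a proxy)
    protos: Optional[frozenset]  # None means any protocol
    text: str                    # original line, for reporting


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else SERVICES[tok]


def parse_rules(text: str) -> list:
    """Parse the subset of ipnat syntax used in the thread, keeping first-match order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        kind, iface = tok[0], tok[1]
        net = ipaddress.ip_network(tok[2], strict=False)
        if kind == "map":
            # map IF SRC -> DST [proxy port P NAME/PROTO | portmap PROTO lo:hi]
            opts, port, protos = tok[5:], None, None
            if opts[:2] == ["proxy", "port"]:
                port, protos = _port(opts[2]), frozenset([opts[3].split("/")[1]])
            elif opts[:1] == ["portmap"]:
                protos = frozenset(opts[1].split("/"))
            rules.append(Rule("map", iface, net, tok[4], port, protos, line))
        elif kind == "rdr":
            # rdr IF DST port P -> NEWDST port Q [PROTO]; ipnat defaults rdr to tcp
            protos = frozenset(tok[9].split("/")) if len(tok) > 9 else frozenset(["tcp"])
            rules.append(Rule("rdr", iface, net, f"{tok[6]}:{tok[8]}", _port(tok[4]), protos, line))
        else:
            raise ValueError(f"unsupported rule: {line}")
    return rules


def lookup(rules, iface, direction, proto, src, dst, dport=None) -> Optional[Rule]:
    """Return the first rule that applies to a packet seen on `iface` going `direction`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != iface or (r.protos is not None and proto not in r.protos):
            continue
        if r.kind == "map" and direction == "out" and src in r.net and r.port in (None, dport):
            return r
        if r.kind == "rdr" and direction == "in" and dst in r.net and r.port == dport:
            return r
    return None


def dns_query_cases():
    """Replay the thread's DNS query (and the working outbound path) against the rules."""
    rules = parse_rules(IPNAT_RULES)
    via_fxp2 = lookup(rules, "fxp2", "in", "udp", "198.51.100.10", "192.0.2.10", 53)
    via_fxp0 = lookup(rules, "fxp0", "in", "udp", "198.51.100.10", "192.0.2.10", 53)
    outbound = lookup(rules, "fxp2", "out", "udp", "10.10.10.10", "198.51.100.5", 53)
    return via_fxp2, via_fxp0, outbound


if __name__ == "__main__":
    labels = ("DNS query in on fxp2", "same query in on fxp0", "10.10.10.10 out on fxp2")
    for label, hit in zip(labels, dns_query_cases()):
        print(f"{label:24s} -> {hit.text if hit else 'no rule: packet is handled by the firewall itself'}")
```

Running it prints no match for the query on fxp2, the port-53 rdr for the same query on fxp0, and the fxp2 map for the outbound case, which is exactly the asymmetry the tcpdump shows: the outbound map on fxp2 works, but nothing on fxp2 rewrites the inbound destination.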
 
I don't know why people insist on complicated setups. Or maybe I'm just stupid because I can't visualize any of this. 😕

With ipfilter, you can make sure you don't have any issues. I don't remember the commands since IPFilter was replaced with something decent on OpenBSD, but you do something like ipf load newrules.file && sleep 60 && ipf load oldrules.file. With a nohup in there (or use at) it'll revert to the old rules in case something doesn't work (after sleeping for 1 minute). 😉

Doesn't route ip 333.333.333.333 255.255.255.0 444.444.444.2 tell the machine to send everything from 333.333.333.333 to 444.444.444.2? Just upping fxp2 should add a route so that everything destined for 444.444.444.0/24 should go out fxp2, right?

Does the 10.10.10.0/16 traffic need to be NATed when going on the fxp2 (444.444.444.0/24) network?
 
Heh well you know part of it is you're not often given a choice, it's "this is how I want it to be done, do it." It's really not terrible though, think of it as being a network with a slightly odd 1-1 nat setup. Then adding another interface to another network to the nat box.

And yeah traffic originating from the firewall or inside the 10. ip range goes out over fxp2 just fine. I would think the traffic from 10. to the fxp2 net should be nat'ed to send it back in properly over the fxp2 card.
 