double nat routing
hi all
I have got a networking issue that makes me crazy... Code:
    +--------+
    |--web --|
    +--------+
        |
        | 88.99.100.0/26 (em1)
    +--------+
    |-gate1--|
    +--------+
        | 10.0.1.1 (em0)
        |
        |                  +---------+
        +---10.0.1.5-------|webserver|
        |                  +---------+
        | 10.0.1.20 (bce0)
    +--------+
    |-gate2--|
    +--------+
        | 192.168.4.1 (bce1)
        |
        | 192.168.4.2
    +--------+
    |client1-|
    +--------+
In a network like that, where gate1 does NAT on interface em1 and gate2 does NAT on interface bce0, both are FreeBSD gateway machines with ipfw+natd.
So... client1 can access the internet, but can't access my internal webserver.
It's not a problem of ipfw rules. I'm sure.
I suppose the route to the internal webserver can be established but can't return to client1.
Any suggestions?
Thanks
Thanks
I have already tried your hint... and it works well. Traffic from 192.168.4/24 is routed by gate1 (10.0.1.1). It works fine, but I would try to find a different solution, where traffic from the two subnets is completely separate. It's just for a security doubt (I guess double NAT = double security... or perhaps it is only my figment?). I think it is not a config problem, but a networking concept that I lack.

I would try to find a solution where traffic from 192.168.4/24 is translated, and clients from that subnet should access the web and my internal webserver too. Assuming that clients have no route for the 192.168.4/24 net, I try to access the webserver through its public IP. (The webserver has a public IP NATted (88.99.100.5) to make it accessible from the web.) I can ping but not browse... don't know where's my mistake... but I'm going to think that I can't do it.

I post some tcpdump output, so from 192.168.4.29 to 88.99.100.5:80:

tcpdump from gate2 (192.168.4.1) bce1:
15:55:56.724706 IP 192.168.4.29.1196 > 88.99.100.5.80: S 4234213476:4234213476(0) win 16384 <mss 1460,nop,nop,sackOK>
15:55:56.725162 IP 88.99.100.5.80 > 192.168.4.29.1196: R 0:0(0) ack 4234213477 win 0

translated to gate2 (10.0.1.20) bce0:
16:05:08.531149 IP 10.0.1.20.1731 > 88.99.100.5.80: S 3351163259:3351163259(0) win 16384 <mss 1460,nop,nop,sackOK>
16:05:08.531381 IP 88.99.100.5.80 > 10.0.1.20.1731: R 0:0(0) ack 3351163260 win 0

go to gate1 (10.0.1.1) em0:
16:10:07.703668 10.0.1.20.1964 > 88.99.100.5.80: S 338450095:338450095(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
16:10:07.703676 88.99.100.5.80 > 10.0.1.20.1964: R 0:0(0) ack 1 win 0 (DF)

and here its route stops... I suppose...

sorry for the messy explanation...
You need to do the NAT for the web server on the incoming interfaces of both firewalls (in relation to the web server).

IOW, you need a NAT rule on gate1 (em1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the Internet.

Then you need a NAT rule on gate2 (bce1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the local network.

Better still is to implement proper split DNS, such that DNS requests from the Internet resolve to the 88.99.100.x address, and DNS requests from the local network resolve to a 192.168.4.x address (which is an alias on gate2 with 1-1 NAT for the web server).
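A worked ipfw rules file for the first fix in this answer (the web-server NAT on gate2's bce1 next to the existing one on gate1's em1), added here as an example that is not from this thread. It assumes ipfw's in-kernel nat (FreeBSD 7 and later) in place of natd, the interface names and addresses from the diagram, 88.99.100.5 as the web server's public address as stated earlier in the thread, and /etc/ipfw.rules as the file named by firewall_type in rc.conf.

```conf
## gate1: /etc/ipfw.rules (assumed path, loaded via firewall_type="/etc/ipfw.rules")
# 1-1 NAT for the web server on the Internet side only (em1).
# Traffic for 88.99.100.5 that arrives on em0 never passes this rule,
# so gate1's own stack answers it with a RST: that is what the
# tcpdump on em0 in the thread shows.
nat 1 config if em1 redirect_addr 10.0.1.5 88.99.100.5
add 100 nat 1 ip from any to any via em1

## gate2: /etc/ipfw.rules
# Fix: translate the public address while the packet is still on the
# LAN interface (bce1), so what leaves bce0 is addressed to 10.0.1.5
# and never has to hairpin through gate1.
# Limit the rules to web-server traffic so nat 3 does not touch the
# source address of any other packet crossing bce1.
nat 3 config ip 88.99.100.5 redirect_addr 10.0.1.5 88.99.100.5
add 90 nat 3 tcp from 192.168.4.0/24 to 88.99.100.5 in via bce1
add 91 nat 3 tcp from 10.0.1.5 to 192.168.4.0/24 out via bce1

# Ordinary outbound NAT for the LAN on bce0 (source becomes 10.0.1.20).
# The reply from 10.0.1.5 is un-translated here on the way in, then
# rule 91 restores 88.99.100.5 as the source before it reaches the client.
nat 2 config if bce0
add 100 nat 2 ip from any to any via bce0

# With net.inet.ip.fw.one_pass=1 (the default) a packet is accepted as
# soon as a nat rule has translated it; set it to 0 if the existing
# filter rules below are expected to see the translated packet.
```

The second alternative in the answer (a 192.168.4.x alias on gate2 with split DNS) uses the same nat 3 shape with the alias in place of 88.99.100.5 in both the config line and rule 90.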
Oh my gosh..... It's right!!!
Thankssssssssssss! I was blind!
Alternatively, if these are located in the same building, you can consolidate the two gateX boxes into a single firewall with three NICs: 1 connected to the Internet, 1 connected to the DMZ, 1 connected to the local LAN. Then you just write all your rules on a single box. Just be sure to write very specific rules, including the interface and direction (in recv em0 not via em0, for example).