DaemonForums  

#1
Old 22nd May 2009
giagni
double nat routing

Hi all,

I've got a networking issue that is making me crazy...

Code:
+--------+
|--web --|
+--------+
    |
    |
88.99.100.0/26  (em1)
+--------+
|-gate1--|
+--------+
10.0.1.1  (em0)
    |
    |                    +---------+
    +---------10.0.1.5---|webserver|
    |                    +---------+
    |
10.0.1.20  (bce0)
+--------+
|-gate2--|
+--------+
192.168.4.1  (bce1)
    |
    |
192.168.4.2
+--------+
|client1-|
+--------+

In a network like that, where:

gate1 does NAT on interface em1,
gate2 does NAT on interface bce0,
both are FreeBSD gateway machines with ipfw+natd.


So... client1 can access the internet,
but can't access my internal webserver.

It's not a problem of ipfw rules. I'm sure.
I suppose the route to the internal webserver can be established but can't return to client1.

Any suggestions?
Thanks
#2
Old 22nd May 2009
jggimi

If NAT were not used on gate2 -- and it is probably not necessary -- you would have a standard dual firewall with a DMZ subnet (10.0.1). If so, you merely need to add routing table entries for the internal protected network (192.168) to gate1 and to your servers in the DMZ. e.g.:

# route add 192.168.4/24 10.0.1.20

Because you are using NAT in gate2, all packets originating on 192.168.4/24 are translated to 10.0.1.20. This eliminates the need to route to the 192.168 subnet from systems on the 10.0.1 DMZ. In theory. But without further diagnostics of the environment (ping, tcpdump, fw ruleset, etc.) there's no way to know the source of your configuration problem.
#3
Old 22nd May 2009
giagni

Thanks

I have already tried your hint... and it works well.
Traffic from 192.168.4/24 is routed by gate1 (10.0.1.1). It works fine, but I would like to find a different solution, where traffic from the two subnets is completely separate. It's just for a security doubt (I guess double NAT = double security... or perhaps it is only my figment?).
I think it is not a config problem, but a networking concept that I lack.


I would like to find a solution where traffic from 192.168.4/24 is translated,
and clients from that subnet can access the web and my internal webserver too.


Assuming that clients have no route for the 192.168.4/24 net, I try to access the webserver through the public IP.
(The webserver has a public IP NATted (88.99.100.5) to make it accessible from the web.)
I can ping but not browse... don't know where my mistake is... but I'm starting to think that I can't do it.

I post some tcpdump output,
from 192.168.4.29 to 88.99.100.5:80:

tcpdump from gate2 (192.168.4.1) bce1:
15:55:56.724706 IP 192.168.4.29.1196 > 88.99.100.5.80: S 4234213476:4234213476(0) win 16384 <mss 1460,nop,nop,sackOK>
15:55:56.725162 IP 88.99.100.5.80 > 192.168.4.29.1196: R 0:0(0) ack 4234213477 win 0

translated to gate2 (10.0.1.20) bce0:
16:05:08.531149 IP 10.0.1.20.1731 > 88.99.100.5.80: S 3351163259:3351163259(0) win 16384 <mss 1460,nop,nop,sackOK>
16:05:08.531381 IP 88.99.100.5.80 > 10.0.1.20.1731: R 0:0(0) ack 3351163260 win 0

goes to gate1 (10.0.1.1) em0:
16:10:07.703668 10.0.1.20.1964 > 88.99.100.5.80: S 338450095:338450095(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
16:10:07.703676 88.99.100.5.80 > 10.0.1.20.1964: R 0:0(0) ack 1 win 0 (DF)

and here its route stops... I suppose...

Sorry for the messy explanation...
#4
Old 22nd May 2009
phoenix

You need to do the NAT for the web server on the incoming interfaces of both firewalls (in relation to the web server).

IOW, you need a NAT rule on gate1 (em1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the Internet.

Then you need a NAT rule on gate2 (bce1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the local network.

Better still is to implement proper split DNS, such that DNS requests from the Internet resolve to the 88.99.100.x address, and DNS requests from the local network resolve to a 192.168.4.x address (which is an alias on gate2 with 1-1 NAT for the web server).
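The point made in the post above, that the redirect for the webserver's public address must exist on the interface where the client's packets arrive, is what the three tcpdump captures earlier in the thread show: gate2 masquerades the client to 10.0.1.20, gate1 sees a packet for 88.99.100.5:80 on em0, and since the only redirect is on em1 nothing listens on that address, so gate1 answers with a RST. The following is an added example by the editor, a simplified Python model of that path, not the poster's configuration and not FreeBSD or natd code. It assumes gate1's Internet-side address is 88.99.100.1 (not given in the thread), reuses the client address and source port from the capture, and models natd's per-interface redirect and masquerade as plain dictionaries; it traces the packet with and without the extra redirect on gate2's bce1, and for the working case also reverses the translations on the reply so the client sees the answer come from the address it connected to.

```python
"""Simplified model of the thread's double-NAT path (constructed example, not the poster's config)."""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network

WEBSERVER = "10.0.1.5"
PUBLIC_ALIAS = "88.99.100.5"     # public address NATted to the webserver, from the thread
CLIENT = "192.168.4.29"          # client and source port taken from the tcpdump in post #3

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Iface:
    name: str
    addr: str
    net: str
    masquerade: bool = False                      # rewrite src to addr on packets leaving here
    redirect: dict = field(default_factory=dict)  # (alias_ip, port) -> (target_ip, port) on arrival

class Gateway:
    def __init__(self, name, ifaces, aliases=(), default_via=None):
        self.name, self.ifaces, self.aliases, self.default_via = name, ifaces, set(aliases), default_via
        self.snat = {}           # (masq_addr, masq_port) -> (orig_src, orig_sport)
        self.dnat = {}           # (orig_src, orig_sport) -> (alias_ip, alias_port)
        self.next_port = 1024

    def owns(self, ip):
        return ip in self.aliases or any(i.addr == ip for i in self.ifaces)

    def egress(self, dst):
        for i in self.ifaces:
            if ip_address(dst) in ip_network(i.net):
                return i
        return self.default_via

    def forward(self, pkt, ingress):
        """Return (packet, egress iface), or None when the gateway itself answers with RST."""
        target = ingress.redirect.get((pkt.dst, pkt.dport))
        if target:                                    # inbound redirect (DNAT) on the ingress iface
            self.dnat[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            pkt = replace(pkt, dst=target[0], dport=target[1])
        if self.owns(pkt.dst):                        # addressed to us, nothing listening -> RST
            return None
        out = self.egress(pkt.dst)
        if out.masquerade:                            # outbound masquerade (SNAT) on the egress iface
            self.next_port += 1
            self.snat[(out.addr, self.next_port)] = (pkt.src, pkt.sport)
            pkt = replace(pkt, src=out.addr, sport=self.next_port)
        return pkt, out

    def reverse(self, pkt):
        """Undo SNAT, then DNAT, on a reply so the client sees the address it connected to."""
        orig = self.snat.get((pkt.dst, pkt.dport))
        if orig:
            pkt = replace(pkt, dst=orig[0], dport=orig[1])
        alias = self.dnat.get((pkt.dst, pkt.dport))
        if alias:
            pkt = replace(pkt, src=alias[0], sport=alias[1])
        return pkt

def build(hairpin_on_gate2):
    """Gateways as drawn in the thread; gate1's Internet-side address 88.99.100.1 is an assumption."""
    hairpin = {(PUBLIC_ALIAS, 80): (WEBSERVER, 80)}
    bce1 = Iface("bce1", "192.168.4.1", "192.168.4.0/24", redirect=hairpin if hairpin_on_gate2 else {})
    bce0 = Iface("bce0", "10.0.1.20", "10.0.1.0/24", masquerade=True)
    em0 = Iface("em0", "10.0.1.1", "10.0.1.0/24")
    em1 = Iface("em1", "88.99.100.1", "88.99.100.0/26", masquerade=True, redirect=hairpin)
    return Gateway("gate2", [bce1, bce0], default_via=bce0), Gateway("gate1", [em0, em1], [PUBLIC_ALIAS], em1)

def trace(hairpin_on_gate2):
    """Follow CLIENT -> PUBLIC_ALIAS:80; returns (hops, outcome, reply as seen by the client)."""
    gate2, gate1 = build(hairpin_on_gate2)
    pkt = Packet(CLIENT, 1196, PUBLIC_ALIAS, 80)
    hops = [f"client: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"]
    step = gate2.forward(pkt, gate2.ifaces[0])        # arrives on bce1
    if step is None:
        return hops, "RST from gate2", None
    pkt, out = step
    hops.append(f"gate2 {out.name}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    if pkt.dst != WEBSERVER:                          # not on the DMZ subnet: goes to gate1 via em0
        step = gate1.forward(pkt, gate1.ifaces[0])
        if step is None:
            hops.append("gate1 owns 88.99.100.5 but em0 has no redirect -> RST")
            return hops, "RST from gate1", None
        return hops, "SENT TO INTERNET", None
    reply = gate2.reverse(Packet(WEBSERVER, 80, pkt.src, pkt.sport))   # SYN/ACK back through gate2
    hops.append(f"reply at client: {reply.src}:{reply.sport} -> {reply.dst}:{reply.dport}")
    return hops, "DELIVERED", reply

if __name__ == "__main__":
    for fix in (False, True):
        hops, outcome, _ = trace(fix)
        print(f"hairpin redirect on gate2 bce1: {fix}\n  " + "\n  ".join(hops) + f"\n  => {outcome}")
```

Without the second redirect the model ends exactly where the third capture did, with a RST from 88.99.100.5 to 10.0.1.20; with it, gate2 rewrites the destination to 10.0.1.5 before routing, so the packet never has to cross gate1 at all, and the reverse step shows the reply reaching the client as if it came from 88.99.100.5:80. In natd terms the extra rule is a redirect_port entry for tcp 10.0.1.5:80 on the public address, applied by the natd instance serving gate2's LAN side; the model stores the pre-translation address so the reply can be un-translated, which is the bookkeeping natd does internally.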
#5
Old 22nd May 2009
giagni

Oh my gosh..... It's right!!!

Thankssssssssssss!

I was blind!
#6
Old 22nd May 2009
phoenix

Alternatively, if these are located in the same building, you can consolidate the two gateX boxes into a single firewall with three NICs: 1 connected to the Internet, 1 connected to the DMZ, 1 connected to the local LAN. Then you just write all your rules on a single box. Just be sure to write very specific rules, including the interface and direction (in recv em0 not via em0, for example).