Hanns Hartman wrote:
Hi All,

I have read through a lot of the mailing list archives and have had no success with the following problem. I have a box that is functioning as a captive portal, aka think free wifi login at Starbucks or the like. I have two interfaces, fxp0 and fxp1, that point to two different networks and have statically assigned IP addresses, and a third, fxp2, which is the internal network. (BTW, I am running FreeBSD 4.11 on this box.) I have two instances of natd running on the box, one assigned to each of the two external interfaces, with options -snup enabled, and each instance has its own port number.

So the problem is that when I try to send traffic via an ipfw divert rule out one of the interfaces, and I look at an ethereal trace on the box of the webserver that is the destination I am trying to get to, the source IP address is not NAT'd to the IP address of the interface that points to that network. So when the destination box tries to send a response, it doesn't know where to send the packets, since it's trying to send them to an IP on the internal network. Do any of you have any idea why the source address of the initial [SYN] would be the internal network and not the IP address of the interface that is on that network? I enabled logging on natd and I think it's working, because whenever I try to connect to the website I see the natd stats in the log file increase in number.

Thanks in advance for the help,
Hanns

KERNEL_CONFIG
...
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPDIVERT
options IPFW2

IPFW_rules
/sbin/ipfw add 500 set 2 divert natd2 ip from $clientip to any in
/sbin/ipfw add 600 set 2 allow ip from any to any in

natd starting
/sbin/natd -p natd -s -u -n fxp1 -P /var/run/natd_fxp1.pid
/sbin/natd -p natd2 -s -u -n fxp0 -P /var/run/natd2_fxp0.pid

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
You have to have two rules for natd, as follows (from <http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html>):

    natd_enable="YES"          # Enable NATD function
    natd_interface="rl0"       # interface name of public Internet NIC
    natd_flags="-dynamic -m"   # -m = preserve port numbers if possible
    pif="rl0"                  # public interface name of NIC
                               # facing the public Internet

    1. $cmd 500 divert natd ip from any to any out via $pif
    2. $cmd 100 divert natd ip from any to any in via $pif

The 1st rule triggers when a packet goes OUT via $pif: natd stores information about the packet and changes the source IP from the original to $pif. The 2nd rule triggers when a packet comes IN via $pif: natd checks the information from the packet and, if it has stored information that it changed the source IP, it changes the source IP from $pif back to the original.

You have to have one set of rules for natd and another set of rules for natd2.
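The reply's point, one OUT and one IN divert per natd instance and both tied to the external interface with "via", is easy to get wrong when a second natd is added, so here is an added example (not code from either poster or from the FreeBSD handbook) of a small sh script that generates the paired rules for each instance and refuses to load a ruleset in which any natd has a divert in only one direction, which is exactly the shape of rule 500 in the original post. It assumes the ipfw2 rule syntax used in the thread, the /etc/services names natd and natd2 from the original post (numeric ports work the same way), and rule numbers that are arbitrary choices; with DRYRUN=1 (the default) it prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# Added example, not from either poster: emit the OUT/IN divert pair each
# natd instance needs and check a ruleset for diverts that lack their partner.
# Assumptions: ipfw2 rule syntax as in the thread; natd instances are addressed
# by the /etc/services names "natd" and "natd2" used in the original post
# (numeric ports work the same way); rule numbers are arbitrary choices.
# DRYRUN=1 (the default) prints the ipfw commands instead of running them.

IPFW=${IPFW:-/sbin/ipfw}
DRYRUN=${DRYRUN:-1}

# gen_nat_rules BASE NATD PIF
# Prints the two rules for one natd instance bound to external interface PIF:
# packets leaving via PIF are diverted so natd rewrites the source address to
# PIF's address; replies arriving via PIF are diverted to the same instance so
# it can map them back to the internal host. Rule BASE+10 is the inbound rule.
gen_nat_rules() {
    base=$1; natd=$2; pif=$3
    printf 'add %d divert %s ip from any to any out via %s\n' "$base" "$natd" "$pif"
    printf 'add %d divert %s ip from any to any in via %s\n' "$((base + 10))" "$natd" "$pif"
}

# check_pairs reads rule lines on stdin and exits non-zero, naming the
# instance, when a natd instance/interface has a divert in only one direction
# or no "via" at all (what rule 500 in the original post looked like).
check_pairs() {
    awk '
    /divert/ {
        natd = ""; pif = "(no via)"; dir = "none"
        for (i = 1; i <= NF; i++) {
            if ($i == "divert") natd = $(i + 1)
            else if ($i == "via") pif = $(i + 1)
            else if ($i == "in" || $i == "out") dir = $i
        }
        seen[natd ":" pif ":" dir] = 1
        pairs[natd ":" pif] = 1
    }
    END {
        bad = 0
        for (k in pairs)
            if (!(((k ":out") in seen) && ((k ":in") in seen))) {
                print "unpaired divert for " k
                bad = 1
            }
        exit bad
    }'
}

# apply_rules reads rule lines on stdin and runs (or, with DRYRUN=1, prints)
# the corresponding ipfw command. Word splitting of $rule is intentional.
apply_rules() {
    while IFS= read -r rule; do
        if [ "$DRYRUN" = 1 ]; then
            echo "$IPFW $rule"
        else
            $IPFW $rule
        fi
    done
}

# full_ruleset prints the NAT section for the two external interfaces in the
# original post: the "natd" instance on fxp1 and "natd2" on fxp0.
full_ruleset() {
    gen_nat_rules 500 natd fxp1
    gen_nat_rules 600 natd2 fxp0
}

# Refuse to load a ruleset that would leave a natd instance half-configured.
if full_ruleset | check_pairs; then
    full_ruleset | apply_rules
fi
```

Run it as-is to see the four commands it would issue; set DRYRUN=0 to execute them. Piping an existing rule dump through check_pairs is a quick way to spot the single-direction divert that produces the symptom in the original post (outbound SYNs leaving with the internal source address).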
