[Solved] NAT with one interface


cybercoder
May 27th, 2010, 08:47
I searched the forum deeply but didn't find anything useful.

I need to use NAT on one interface.


ipfw add 10 divert natd ip from 192.168.140.0/24 to $valid_IP


But it doesn't work!
(kernel compiled correctly and rc.conf is configured)

How can I see the NAT table or test NAT?

SirDice
May 27th, 2010, 09:18
You can't bounce a connection off of the same interface.

cybercoder
May 27th, 2010, 09:57
You can't bounce a connection off of the same interface.

But I did it on the same interface with iptables before, more than 10000000 times!
Can't ipfw really do it?

DutchDaemon
May 27th, 2010, 13:30
I think it's possible to NAT on a single interface with the public IP as the primary address and the private IP as an alias, no? Don't use ipfw though. I think pf uses something like:

nat on $ext_if from ! $ext_if:0 to any -> $ext_if:0

cybercoder
May 27th, 2010, 13:33
I think it's possible to NAT on a single interface with the public IP as the primary address and the private IP as an alias, no? Don't use ipfw though

Is the purpose of those sentences that I should use natd directly?

DutchDaemon
May 27th, 2010, 14:51
Maybe experiment with -alias_address instead of -interface (see natd). If you specify the public IP address instead of the interface name you may be able to have RFC1918 addresses on that interface translated to the public IP address. Not tested, as I don't use IPFW. I'm sure someone on here will be able to confirm/deny.

sixtydoses
May 27th, 2010, 15:56
I used to configure NAT on a single interface but nothing fancy with my ipfw. Kernel compiled with options 'IPFIREWALL' and 'IPDIVERT'.

My natd service runs against tun0.
natd -interface tun0

And with IP forwarding enabled:
net.inet.ip.forwarding: 1

The rest in my /etc/rc.conf (I think..):
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="tun0"
natd_flags="
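Putting the pieces of this thread together (the rc.conf layout above, the -alias_address suggestion from the earlier post, and the point that a forwarded packet crosses the single interface twice, once in and once out), here is an added example that is not code from any post in the thread. It assumes an interface called em0, a public address 203.0.113.10 (a documentation range used as a placeholder) as the primary address, and 192.168.140.1 as an alias on the same interface serving as the private hosts' gateway; 192.168.140.0/24 is the range from the original post. Running the script only prints the fragments; nothing is applied.

```shell
#!/bin/sh
# Added example, not code from the thread: ipfw + natd NAT on a single NIC.
# Public address primary on the interface, RFC1918 gateway address as an
# alias on the same interface, natd bound with -alias_address rather than
# -interface.  EXT_IF, PUB_IP and PRIV_GW are assumed placeholder values.
set -eu

EXT_IF="em0"                 # the one interface (assumed name)
PUB_IP="203.0.113.10"        # public address, primary on EXT_IF (placeholder)
PRIV_NET="192.168.140.0/24"  # private range to overload onto PUB_IP
PRIV_GW="192.168.140.1"      # alias on EXT_IF; default gateway of private hosts

# /etc/rc.conf fragment.  natd is handed the public address explicitly so it
# can never pick the alias as its translation address.  firewall_script
# points at a file holding the output of ipfw_nat_rules below.
rc_conf_lines() {
    cat <<EOF
ifconfig_${EXT_IF}="inet ${PUB_IP} netmask 255.255.255.0"
ifconfig_${EXT_IF}_alias0="inet ${PRIV_GW} netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.nat.sh"
natd_enable="YES"
natd_flags="-alias_address ${PUB_IP}"
EOF
}

# /etc/sysctl.conf fragment.  Forwarding is what gateway_enable turns on.
# Redirects must be off: with the private hosts and the upstream router on
# the same segment, the kernel would otherwise send ICMP redirects telling
# the private hosts to bypass the NAT box (which they cannot do).
sysctl_lines() {
    cat <<EOF
net.inet.ip.forwarding=1
net.inet.ip.redirect=0
EOF
}

# ipfw ruleset.  A forwarded packet is seen twice on the same interface
# (in, then out), so each divert rule is tied to a direction: only packets
# leaving for somewhere outside the private range are diverted on the way
# out, only packets addressed to the public address on the way in.  Traffic
# between the gateway alias and the private hosts is never diverted.  After
# natd returns a packet, processing resumes at the rule after the divert, so
# rule 210 only ever sees packets natd handed back untranslated and drops
# them instead of leaking RFC1918 sources upstream.
ipfw_nat_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 110 deny ip from any to 127.0.0.0/8
ipfw add 200 divert natd ip from ${PRIV_NET} to not ${PRIV_NET} out via ${EXT_IF}
ipfw add 210 deny ip from ${PRIV_NET} to not ${PRIV_NET} out via ${EXT_IF}
ipfw add 220 divert natd ip from any to ${PUB_IP} in via ${EXT_IF}
ipfw add 65000 allow ip from any to any
EOF
}

# Checks for the original question.  natd in the foreground (-v) prints
# every translation it makes; ipfw -a list shows per-rule packet counters,
# so a divert rule stuck at zero is never being hit; tcpdump on the outside
# must show Internet-bound traffic with PUB_IP as its source.
verify_commands() {
    cat <<EOF
/etc/rc.d/natd stop
natd -v -alias_address ${PUB_IP}
ipfw -a list
tcpdump -ni ${EXT_IF} -c 20 host ${PUB_IP}
EOF
}

# Print every fragment; paste each into the file named in its comment.
rc_conf_lines
echo
sysctl_lines
echo
ipfw_nat_rules
echo
verify_commands
```

The filtering policy in rule 65000 is deliberately wide open so the NAT path stays visible; tighten it once the divert counters move. If the divert rules are hit but natd -v prints nothing, natd is not listening on the divert port at all, which is the symptom the original poster describes.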

cybercoder
May 27th, 2010, 20:02
I think I should return to using Fedora or Ubuntu!

SirDice
May 27th, 2010, 20:42
What I meant by not being able to bounce off of the same interface is that you cannot redirect an incoming packet back out the same interface. As long as you stay on the same machine it shouldn't be a problem. You can NAT to lo1 i.e. But to be honest I really don't see the point of it.

Perhaps you can elaborate on what you're trying to achieve? There may be far simpler solutions.

cybercoder
May 28th, 2010, 09:45
There's only one solution, and I should NAT (overload) a range of invalid IP addresses to a valid IP address.
I'll go use Fedora Core!

SirDice
May 28th, 2010, 09:55
There's only one solution
There are always multiple solutions.

I'll go use Fedora Core!
kthxby

DutchDaemon
May 28th, 2010, 12:42
Waste of time. Closed.