Dynamic NAT from pool on FreeBSD

hucker91

Member


Messages: 22

Good day,

I have a FreeBSD 8.1 server installed and connected to the network (see the topology screenshot).



I need to masquerade the PC IP 192.168.1.2 on FreeBSD to 1.1.1.3, not to 1.1.1.2. On the router the source traffic must come from 1.1.1.3, not from 1.1.1.2. Is it possible?

I tried assigning the secondary IP 1.1.1.3 as an alias in rc.conf; it didn't work.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 7,751
Messages: 30,832

Why don't you simply change the IP address?
 

hucker91

Member


Messages: 22

Because all client PCs reach the router through 1.1.1.2. Now I need to limit some client IPs on the router, and for that it is necessary to separate them on FreeBSD by mapping them to 1.1.1.3. After that I can limit only 1.1.1.3 on the router.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 7,751
Messages: 30,832

> Because, all client PCs reach the router through 1.1.1.2.
No, they go out through 192.168.1.1.
> And now i need to limit some client IPs on Router and it is necessary to divide them on freebsd by mapping them to 1.1.1.3.
Do the filtering on the FreeBSD machine, not the router.
 

hucker91

Member


Messages: 22

On FreeBSD they are masqueraded to 1.1.1.2 on the outside interface at the moment. But some of the clients I need to NAT to another IP from the 1.1.1.0/24 subnet (for example, to 1.1.1.3).
Traffic is masqueraded on both routers (FreeBSD and the Router).

The purpose is to masquerade some of the clients on FreeBSD to 1.1.1.2, which is the interface IP, and some other clients I want to masquerade to 1.1.1.3, which is not set on the interface as an IP.

I assigned 1.1.1.3 as an alias on the FreeBSD interface, but I can't masquerade clients to this IP address.

Default rules:

LanOut="vr1"
LanOutIP="1.1.1.2"
NetIn="192.168.1.0"
NetMask="24"

# ${FwCMD} is the ipfw binary (/sbin/ipfw); "natd" is the divert port name from /etc/services (8668).
# Both rules feed the same natd instance; ${NetVpn} is set elsewhere in the script.
${FwCMD} add divert natd ip from ${NetIn}/${NetMask} to any out via ${LanOut}
${FwCMD} add divert natd ip from ${NetVpn}/${NetMask} to any out via ${LanOut}
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 7,751
Messages: 30,832

Your solution is faulty from the start.
 

hucker91

Member


Messages: 22

Where is the fault? This scheme is working; I only need some secrets of NAT on FreeBSD. If it were a Cisco ASA, I would solve the problem myself.
Link to do it on Cisco ASA:
 

VladiBG

Aspiring Daemon

Reaction score: 243
Messages: 602

Put 1.1.1.3 as a secondary IP address on your FreeBSD and then use 1:1 NAT.
 

VladiBG

Aspiring Daemon

Reaction score: 243
Messages: 602

When you put it as an alias (ifconfig em0 inet 1.1.1.3/24 alias), do you have ping from the router to 1.1.1.3/24?
 

hucker91

Member


Messages: 22

Yes, ping is going...
I added this rule on top of the default NAT rule:
${FwCMD} add divert natd ip from 192.168.1.2 to any out via 1.1.1.3

The above rule is not working.

The traffic goes through the default NAT rule:

${FwCMD} add divert natd ip from ${NetIn}/${NetMask} to any out via ${LanOut}
${FwCMD} add divert natd ip from ${NetVpn}/${NetMask} to any out via ${LanOut}
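The rules in this thread all divert to one natd instance, and natd rewrites every packet it receives to the single address it was started with (the primary address of the -n interface, or the -a address), so a second divert rule pointing at the same natd can never produce 1.1.1.3 no matter where it sits in the rule list. The script below is an added example and not hucker91's script or anything posted in the thread. It shows the two ways this is done on FreeBSD 8.x with ipfw: a second natd on its own divert port, or two in-kernel ipfw nat instances. It takes vr1, 1.1.1.2, 1.1.1.3 and 192.168.1.2 from the thread; the divert port 8669, the rule numbers, the DRY_RUN switch and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): give one LAN host its own public
# source address with ipfw on FreeBSD 8.x.  Two variants:
#   1. userland natd: one natd process per public address, each on its own
#      divert port;
#   2. in-kernel ipfw nat: one nat instance per public address.
# Assumed from the thread: outside interface vr1, primary address 1.1.1.2,
# alias 1.1.1.3, special host 192.168.1.2.  Constructed for this example:
# divert port 8669, rule numbers, the DRY_RUN switch and the function names.
# The alias must exist before NAT can use it, e.g. in rc.conf:
#   ifconfig_vr1_alias0="inet 1.1.1.3 netmask 255.255.255.255"

LanOut="vr1"
LanOutIP="1.1.1.2"
AltOutIP="1.1.1.3"          # alias on ${LanOut}
SpecialHost="192.168.1.2"   # must leave the box as ${AltOutIP}
NetIn="192.168.1.0"
NetMask="24"
NatdPortMain=8668           # the port named "natd" in /etc/services
NatdPortAlt=8669            # constructed: divert port of the second natd
FwCMD="${FwCMD:-/sbin/ipfw}"

# With DRY_RUN=1 the commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Variant 1a: one natd per public address.  natd only aliases to the one
# address it was started with, so a second natd is needed for 1.1.1.3.
start_natd() {
    run natd -p "${NatdPortMain}" -n "${LanOut}" -m     # aliases to 1.1.1.2
    run natd -p "${NatdPortAlt}" -a "${AltOutIP}" -m    # aliases to 1.1.1.3
}

# Variant 1b: divert rules.  The host-specific rule needs the lower rule
# number, otherwise the catch-all /24 rule matches 192.168.1.2 first.
install_divert_rules() {
    run "${FwCMD}" add 100 divert "${NatdPortAlt}" ip from "${SpecialHost}" to any out via "${LanOut}"
    run "${FwCMD}" add 110 divert "${NatdPortMain}" ip from "${NetIn}/${NetMask}" to any out via "${LanOut}"
    # Replies: each public address is handed back to the natd that owns it.
    run "${FwCMD}" add 120 divert "${NatdPortAlt}" ip from any to "${AltOutIP}" in via "${LanOut}"
    run "${FwCMD}" add 130 divert "${NatdPortMain}" ip from any to "${LanOutIP}" in via "${LanOut}"
}

# Variant 2: in-kernel ipfw nat (ipfw_nat module); no natd processes at all.
install_kernel_nat_rules() {
    run "${FwCMD}" nat 1 config if "${LanOut}" same_ports
    run "${FwCMD}" nat 2 config ip "${AltOutIP}" same_ports
    run "${FwCMD}" add 100 nat 2 ip from "${SpecialHost}" to any out via "${LanOut}"
    run "${FwCMD}" add 110 nat 1 ip from "${NetIn}/${NetMask}" to any out via "${LanOut}"
    run "${FwCMD}" add 120 nat 2 ip from any to "${AltOutIP}" in via "${LanOut}"
    run "${FwCMD}" add 130 nat 1 ip from any to "${LanOutIP}" in via "${LanOut}"
}

case "${1:-}" in
    natd)   start_natd; install_divert_rules ;;
    kernel) install_kernel_nat_rules ;;
    *)      : ;;   # no argument: only define the functions
esac
```

Run it as `sh nat.sh natd` or `sh nat.sh kernel` on the FreeBSD box; `DRY_RUN=1 sh nat.sh natd` prints the exact natd and ipfw commands so the rule order can be checked before anything is changed. Whichever variant is used, the inbound rules for 1.1.1.3 are what let replies reach 192.168.1.2; without them the outbound mapping works but the return traffic is dropped.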
 

ezraimanuel

New Member

Reaction score: 1
Messages: 13

I'm sorry for not replying for ipfw. But in PF you can do something like this:
Code:
# most specific nat rule first: pf applies the first matching nat rule
nat on $LanOut inet from 192.168.1.2 to any -> 1.1.1.3
nat on $LanOut inet from $RestOfYourNetwork to any -> 1.1.1.2
I always do this to separate outgoing public IP addresses for multiple local IPs and/or LANs; it works like a charm.
 