Multiple NATD Interface + IPFW

fuhdan

Hi
I have a FreeBSD box with 4 interfaces. I need NAT on 2 of the interfaces, so I added the following config to /etc/rc.conf:
Code:
gateway_enable="YES"
router_enable="YES"
natd_enable="YES"
natd_flags="-f /etc/natd_public.conf"
natd2_enable="YES"
natd2_flags="-f /etc/natd_mvc.conf"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
The /etc/natd_public.conf contains:
Code:
port 8668
interface em0
same_ports yes
dynamic yes
The /etc/natd_mvc.conf contains:
Code:
port 8669
interface em3
same_ports yes
dynamic yes
I created a copy of /etc/rc.d/natd and called it /etc/rc.d/natd2. I adjusted everything so that it works, but it doesn't start at boot time; I have to start it manually. I tried moving the script from /etc/rc.d/natd2 to /usr/local/etc/rc.d/natd2, but it still doesn't start at boot time. After boot I can start it without any issue.
What do I have to do so that the second instance of natd starts at boot time?

My second question is: does this ipfw config work?
/etc/ipfw.rules
Code:
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 900"
sk="setup keep-state"
ks="keep-state"

# Interfaces
pub="em0"
lan="em1"
ipl="em2"
mvc="em3"

....

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 0010 allow all from any to any via lo0

...

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 0014 divert natd ip from any to any in via $pub
$cmd 0015 divert natd2 ip from any to any in via $mvc

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 0016 check-state

...
# Allow ssh connection to ios devices
$cmd 200 $skip tcp from xxx.xxx.xxx.xxx to any ssh out via $mvc $sk

# Reject & log all unauthorized outgoing connections to the LAN
$cmd 0299 deny log all from any to any out via $mvc

...

# Allow DNS forward
$cmd 0300 $skip tcp from xxx.xxx.xxx.xxx to 8.8.8.8,8.8.4.4 domain in via $lan $sk
$cmd 0301 $skip udp from xxx.xxx.xxx.xxx to 8.8.8.8,8.8.4.4 domain in via $lan $ks

...

#################################################################
# Make NAT and allow through
#################################################################
# This is skipto location for outbound stateful rules
$cmd 0900 divert natd ip from any to any out via $pub
$cmd 0901 divert natd2 ip from any to any out via $mvc
$cmd 0902 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 0999 deny log all from any to any
################ End of IPFW rules file ###############################
So all traffic going out through em0 should be NATed to the em0 IP address, and all traffic going out through em3 should be NATed to the em3 IP address.

I added the natd2 service to /etc/services:
Code:
natd            8668/divert # Network Address Translation
natd2           8669/divert # Network Address Translation
Thanks for your help.

Cheers Daniel

CosmicB

In the copy you made of /etc/rc.d/natd, did you edit the rcvar variable? The original natd has
Code:
rcvar="natd_enable"
and to have your natd2 copy start at boot you'd have to change that one to
Code:
rcvar="natd2_enable"
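
The copy-and-rename mistake described above can be checked mechanically. The script below is an added example (it is not from this thread and not a FreeBSD base script): write_natd2_script emits a self-contained /etc/rc.d/natd2 that follows the stock rc.subr conventions (name, rcvar, command, pidfile, command_args, with the flags taken from natd2_flags in rc.conf), and check_rc_script lints a copied rc.d script for the three things that make it start by hand but not at boot: an rcvar that does not match ${name}_enable, a `# KEYWORD: nostart` line (/etc/rc invokes rcorder with -s nostart, so such a script is skipped at boot even though `service natd2 start` ignores keywords), and a second natd instance started without natd's -P option, so both daemons write /var/run/natd.pid. The REQUIRE line and the file name rcd-natd2.sh are assumptions; the sample "bad" scripts in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD base.
# write_natd2_script: emit an rc.d script for a second natd instance.
# check_rc_script:    lint an rc.d script for the copy-and-rename mistakes.

# Write a second-instance natd script to $1. Only the per-instance fields
# differ from the stock script: name, rcvar, pidfile, and natd's -P flag so
# the second daemon does not overwrite /var/run/natd.pid. The command-line
# flags come from natd2_flags in rc.conf (rc.subr maps ${name}_flags to
# rc_flags). REQUIRE: netif is an assumption: the divert socket must exist
# once ipfw rules referencing it are loaded, and netif is the earliest safe
# point.
write_natd2_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# PROVIDE: natd2
# REQUIRE: netif
# (deliberately no nostart keyword: /etc/rc runs rcorder -s nostart and would skip it)

. /etc/rc.subr

name="natd2"
rcvar="natd2_enable"
command="/sbin/natd"
pidfile="/var/run/${name}.pid"
command_args="-P ${pidfile}"
required_modules="ipdivert"

load_rc_config $name
run_rc_command "$1"
EOF
    chmod 555 "$1"
}

# Return 0 if the rc.d script at $1 is consistent, 1 with a diagnostic on stderr.
check_rc_script() {
    local script name rcvar
    script=$1
    name=$(sed -n 's/^name="\([^"]*\)".*/\1/p' "$script" | head -n 1)
    rcvar=$(sed -n 's/^rcvar="\([^"]*\)".*/\1/p' "$script" | head -n 1)
    if [ -z "$name" ]; then
        echo "$script: no name= line" >&2
        return 1
    fi
    # rc.subr only starts the service when the rc.conf variable named in
    # rcvar is YES; a copy that still says natd_enable is keyed to the
    # original daemon's knob, not to natd2_enable.
    if [ "$rcvar" != "${name}_enable" ]; then
        echo "$script: rcvar=\"$rcvar\" but name=\"$name\"; expected rcvar=\"${name}_enable\"" >&2
        return 1
    fi
    # /etc/rc calls rcorder(8) with -s nostart, so a script carrying that
    # keyword never runs at boot although 'service <name> start' works.
    if grep -q '^# KEYWORD:.*nostart' "$script"; then
        echo "$script: carries KEYWORD nostart; rcorder skips it at boot" >&2
        return 1
    fi
    # A renamed natd instance needs its own pid file (-P); otherwise both
    # daemons write /var/run/natd.pid and stop/status act on the wrong process.
    if grep -q '^command="/sbin/natd"' "$script" && [ "$name" != natd ] \
        && ! grep -q -- '-P ' "$script"; then
        echo "$script: second natd instance started without -P pid file" >&2
        return 1
    fi
    return 0
}

# Usage: sh rcd-natd2.sh write /etc/rc.d/natd2
#        sh rcd-natd2.sh check /etc/rc.d/natd2 /etc/rc.d/natd
case "$1" in
    write) write_natd2_script "$2" ;;
    check) shift; rc=0; for s; do check_rc_script "$s" || rc=1; done; exit $rc ;;
esac
```

After writing the script, `sh rcd-natd2.sh check /etc/rc.d/natd2` should print nothing and exit 0; running it against a copy that kept `rcvar="natd_enable"` prints the mismatch, and `rcorder -s nostart /etc/rc.d/* | grep natd2` confirms the script is actually in the boot order.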

RusDyr

Is it critical to use ipfw and user-space natd? I'd recommend using pf instead: it runs in kernel space and is easier to set up for NAT. My simplified configuration:
/etc/pf.conf
Code:
ext_if="lagg0"
int_if_1="vlan11"
int_if_2="vlan12"

dst_nat1="109.71.177.0/25"
dst_nat2="109.71.177.128/25"

table <src-nat> persist file "/etc/pf.src-nat"
set block-policy drop
set skip on lo0

# Tagging
pass in quick on $int_if_1 all allow-opts tag NAT1 label "$nr:NAT1" no state
pass in quick on $int_if_2 all allow-opts tag NAT2 label "$nr:NAT2" no state

nat on $ext_if from <src-nat> to any tagged NAT1 -> $dst_nat1 static-port source-hash #sticky-address
nat on $ext_if from <src-nat> to any tagged NAT2 -> $dst_nat2 static-port source-hash #sticky-address