Three NICs and NAT (routing?) issue

nov1ce

New Member


Messages: 6


Hi list-

I'm running FreeBSD 7.0-STABLE with three network interfaces, compiled with IP Filter support (v4.1.28 (404)).

The first interface is tl0 (192.168.0.35 / 255.255.255.240), the second one is fxp0 (192.168.0.50 / 255.255.255.240) and the third one is fxp1 (10.0.10.1 / 255.255.255.0).

I would like to NAT 10.0.10 network through fxp0 interface and for some reason it doesn't work -- users are not able to pass through fxp0. Actually I don't see NAT working on fxp0 interface at all. If I do NAT through tl0 it works OK, but not with fxp0. I'm able however to ping all three interfaces from 10.0.10 network.

Here is more detailed information about my setup:

%dmesg | grep tl0
tl0: <Compaq Netelligent 10/100 Proliant> port 0x2c40-0x2c4f mem 0xc6cfccf0-0xc6cfccff irq 10 at device 7.0 on pci0
miibus0: <MII bus> on tl0
tl0: Ethernet address: 00:50:8b:50:f2:0e

%dmesg | grep fxp
fxp0: <Intel 82558 Pro/100 Ethernet> port 0x3000-0x301f mem 0xb7fff000-0xb7ffffff,0xc6e00000-0xc6efffff irq 15 at device 7.0 on pci1
fxp0: Ethernet address: 00:50:8b:6d:17:3d

fxp1: <Intel 82558 Pro/100 Ethernet> port 0x2c00-0x2c1f mem 0xb5fff000-0xb5ffffff,0xc6d00000-0xc6dfffff irq 11 at device 13.0 on pci0
fxp1: Ethernet address: 00:50:8b:01:24:bc

%cat /etc/rc.conf
defaultrouter="192.168.0.33"
ifconfig_tl0="inet 192.168.0.35 netmask 255.255.255.240"
ifconfig_fxp0="inet 192.168.0.50 netmask 255.255.255.240"
ifconfig_fxp1="inet 10.0.14.1 netmask 255.255.255.0"
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.conf"

%cat /etc/ipnat.conf
map fxp0 10.0.14.0/24 -> 0/32 portmap tcp/udp 30000:60000
map fxp0 10.0.14.0/24 -> 0/32

%netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.33 UGS 0 649736 tl0
10.0.14.0/24 link#3 UC 0 0 fxp1
192.168.0.32/28 link#1 UC 0 0 tl0
192.168.0.33 00:09:7c:61:93:30 UHLW 2 18057 tl0 1170
192.168.0.35 00:50:8b:50:f2:0e UHLW 1 564 lo0
192.168.0.48 ff:ff:ff:ff:ff:ff UHLWb 1 2 fxp0 =>
192.168.0.48/28 link#2 UC 0 0 fxp0
127.0.0.1 127.0.0.1 UH 0 31556 lo0

IP Filter is configured to allow all outgoing traffic for all three interfaces.

Does it look like a routing issue?

Any tips would be greatly appreciated!

Many thanks!
 
nov1ce

Yes, ip forwarding is there:

%sysctl -a | grep net.inet.ip.forwarding
net.inet.ip.forwarding: 1

The strange thing is that if I enable NAT on tl0 it works as it should.

I haven't tried NAT using PF though yet.
 
nov1ce

Thank you guys! The issue was solved by implementing policy routing with IP Filter. However, my initial question is still valid. Assuming I don't use any firewall, how would one route NATed traffic through the secondary interface while the default gateway is on the same subnet that the primary interface belongs to?

Thanks!
 

ethoms

Member

Reaction score: 7
Messages: 98

I also wish to divert my LAN traffic via another NIC/public IP address, whilst keeping the server traffic on the 1st (default) NIC. I am using ipfilter to NAT the LAN to a public IP. When I change the NIC from the 1st to the 2nd public-facing interface, no traffic gets through. I guess this is because it wants to use the default route. I thought I had to use route commands (routing) to solve my problem, but your solution using ipfilter policy routing is now my default route (lol). Thanks for the direction. I am also curious how to achieve this with routing. Is there a way to NAT with routing as well?
ethoms

How to direct NATed LAN to secondary public IP?

Forgot to ask in my last post: how did you manage to get it to work using ipfilter? Is it possible you could copy & paste your ipnat.conf and ipf.conf (ipf.rules) contents, just the relevant lines? Thanks in advance.
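For the setup described in this thread, here is a minimal IP Filter policy-routing configuration written as an added illustration; it is not nov1ce's or ethoms's actual files. It uses the interface names and the 10.0.14.0/24 LAN from the rc.conf above and assumes 192.168.0.49 is the upstream router on fxp0's 192.168.0.48/28 segment (that address does not appear in the thread; substitute the real one).

```text
# /etc/ipnat.conf -- translate the LAN behind fxp0's own address (same map
# rules as posted in the thread)
map fxp0 10.0.14.0/24 -> 0/32 portmap tcp/udp 30000:60000
map fxp0 10.0.14.0/24 -> 0/32

# /etc/ipf.rules -- added example; 192.168.0.49 is an ASSUMED next hop on fxp0
#
# Traffic from the LAN to the router's own LAN address (DNS, ping, admin) must
# not be policy-routed, so match it first.
pass in quick on fxp1 from 10.0.14.0/24 to 10.0.14.1 keep state
#
# Policy route: "to iface:addr" hands a matching packet directly to that
# interface and next hop, so the kernel routing table (and its default route
# via tl0) is never consulted.  The ipnat map on fxp0 is still applied to the
# forwarded packet, and "keep state" lets the translated replies back in.
pass in quick on fxp1 to fxp0:192.168.0.49 from 10.0.14.0/24 to any keep state
#
# Everything the router originates itself keeps following the routing table,
# i.e. the default route out tl0.
pass out quick all keep state
#
# Anything inbound that is not part of a known session is dropped and logged
# (ipmon is already enabled in the rc.conf above).
block in log all
```

After editing both files, reload them with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.conf`, then confirm with `ipnat -l` that LAN sessions now appear mapped to fxp0's address.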
 