W dniu 23.08.2011 08:36, Sara Khanchi pisze:
On Tue, Aug 23, 2011 at 10:20 AM, olli hauer<[email protected]> wrote:
On 2011-08-23 07:10, Sara Khanchi wrote:
On Sun, Aug 21, 2011 at 6:11 PM, olli hauer<[email protected]> wrote:
On 2011-08-21 09:48, h bagade wrote:
Hi all,
I am trying to use pf nat rules with pool support on FreeBsd 8.0,
working
together with ipfw as the main firewall. According to the natting
concepts i
faced in manuals and docs, nat concept is to map the source address to
the
natted address when sending the packets from that source and then map
the
destination address of the related reply packets.
but when I define pf nat rules with a pool of IP addresses not
available
on
the outside interface ip addresses, the outgoing traffic is natted to
one
of
the pool addresses but the response is not received via that interface
so
the pf can map the destination address to the real one. here is one of
my
configs i used during my tests:
*configurations:*
*pf.conf:*
nat on eth1 from { 11.11.11.0/24} to any ->
{172.16.10.1,172.16.10.2,172.
16.10.3,172.16.10.4,172.16.10.5,172.16.10.6,172.16.10.7,172.16.10.8,172.16.10.9,172.16.10.10}
main system configurations:
eth0: 11.11.11.1
eth1: 172.16.10.64
system A: directly connected to eth0- 11.11.11.11
system B: directly connected to eth1- 172.16.10.65
in this configs the dafult route of system A and system B are the
middle
systems connected ip address.
as mentioned, when systemA pings systemB, the ping requests are natted
to
172.16.10.1 and received at systemB but systemB doesn't send icmp
replies
because it doesn't know to whom it should send the replies (no answer
to
system B 's ARP requests about who has the natted IP).
now my question is, isn't it the pf nat responsibilty to manage this
condition and send the ARP replies to SystemB?
or, are my configs wrong?
or i misunderstood the nat concepts?
any ideas or helps are really appreciated as i have to set this nat on
my
main system, asap.
Thanks in advance.
Nothing magic,
Professional Firefall products do offer mostly to create an automatic
proxy arp or do this without your notice.
The better way is to create a route on the upstream router, this way
you get all the traffic without silly arp broadcasts.
The following route on the peer should solve your problem
route add -net 172.16.10.1 gw 172.16.10.65 netmask 255.255.255.192
Defining route is not a proper way to handle this situation. I want to
setup
a nat router which every one works with it without need to adjust
additional
configurations on their system and works as the way cisco does.
what should be done exactly to simulate cisco? Is there any way to proxy
arp? Does ipfw support proxy arp?
Hi Sara,
ipfw even does not do proxy arp.
If I read your top right it looks like this
lan(11.11.11.0/24) --|switch|-- |(.??) gw (.65)| --|switch|--
upstream(172.16.10.x/xx)
Even with cisco as gw or router I place a static route to the upstream or
if can not control the upstream device to the switch between gw and
upstream.
I think last time I used proxy arp is now 10 years ago, reason I'm not
target for arp spoofing on this site of my equipment.
Think about the case where you route some public class C networks then arp
is really unproductive.
--
olli
The topology is like this:
lan(11.11.11.0/24) --|switch|-- |(.1) gw (.64)| --|switch|--
upstream(172.16.10.x/16)
nat pool address: 172.16.10.1-172.16.10.63
nat pool address is on the same network of upstream device.
May be I don't understand you well. in your first post you've mentioned that
I should define an static route on upstream device so it would send packets
destined for natted address to the gw. In this post you've talked about
defining static route on gw to the upstream? could you explain me more about
your suggestion of using static routes instead of proxy-arp solution?
however, in the above topology, there is no need to define a static route on
upstream device (they are on the same network) in normal condition so it
should be applicable when nat is used on gw, right? what's the solution
then?
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
I completely don't see the point of using arp-proxy at all. Can you
enlight me ? You need to connect two networks, also is there any point
of using nat also ? Instead of just to route traffic between them,
unless one of them is Internet or some MAN/WAN network.
As Olli mentioned, you need to add route if you don't want put nat
address on the interface. I don't know any ARP proxy software for
freebsd, because I've never used. So, ok, if Olli was that kind to clear
things out, seems to have better experience in that matters.
Btw. Sara, please, possibly use "Answer in list" instead of "Answer to
me with Cc to list" in your mail client :-) Or just send back to
[email protected]. Thanks.
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
