We have a FreeBSD machine serving as a NAT gateway for a bunch of 
computers on a LAN connected to the 2nd network interface of the FreeBSD 
machine. All this works very well using natd and IPDIVERT in the 

One of the machines on the inside LAN now needs to be accessible from 
the internet (which is the outside network interface of the FBSD 

Following the handbook and the natd man page, we added an ip alias for 
a 2nd public IP to the outside interface and added a rule to 
natd.conf to redirect packets coming in addressed to the new IP to 
the inside machine ( redirect_address privateIP publicIP ), using 
the new outside IP and the LAN IP of the machine we were trying to 
see on the LAN. We set the netmask of the new alias to and the netmask of the "primary" IP to so there was no overlap in the netmasks.

To test the setup, we ran VNC server on the inside machine and 
connected from the 'net to the new public IP. We got connected, but 
there appears to be no video coming back from the inside machine. 
Mouse and keyboard are OK, anything coming back is not happening.

According to our reading of the docs, this "static NAT" is supposed to 
be symmetrical. It appears that it is not totally so. We had a 
similar experience trying to use "redirect_port" for another 
application running on a LAN machine. It almost worked. In that case, 
we recorded the inside machine trying to talk to a database server on 
the 'net with tcpdump and couldn't see where anything was being 
blocked, but it just didn't work. In that case, the same machine 
directly on a public IP would work just fine with the application.

By the way, if we made a connection using VNC's "-via" option to open 
a secure tunnel to the FreeBSD machine and then connect over the LAN 
without redirection, everything worked fine, so this doesn't seem to 
be a VNC problem.

If you fire up a web browser on the inside machine and connect to a 
web page that reports your IP, we get the 2nd IP of the FreeBSD 
machine's outside interface, which is as it should be.

Can anyone shed any light on why this doesn't work?

