We have a FreeBSD machine serving as a NAT gateway for a bunch of
computers on a LAN connected to the 2nd network interface of the FreeBSD
machine. All this works very well using natd and IPDIVERT in the
One of the machines on the inside LAN now needs to be accessible from
the internet (which is the outside network interface of the FBSD
Following the handbook and the natd man page, we added an ip alias for
a 2nd public IP to the outside interface and added a rule to
natd.conf to redirect packets coming in addressed to the new IP to
the inside machine (redirect_address privateIP publicIP), using
the new outside IP and the LAN IP of the machine we were trying to
see on the LAN. We set the netmask of the new alias to
255.255.255.255 and the netmask of the "primary" IP to
255.255.255.128 so there was no overlap in the netmasks.
To test the setup, we ran VNC server on the inside machine and
connected from the 'net to the new public IP. We got connected, but
there appears to be no video coming back from the inside machine.
Mouse and keyboard are OK, anything coming back is not happening.
According to our reading of the docs, this "static NAT" is supposed to
be symmetrical. It appears that it is not totally so. We had a
similar experience trying to use "redirect_port" for another
application running on a LAN machine. It almost worked. In that case,
we recorded the inside machine trying to talk to a database server on
the 'net with tcpdump and couldn't see where anything was being
blocked, but it just didn't work. In that case, the same machine
directly on a public IP would work just fine with the application.
By the way, if we made a connection using VNC's "-via" option to open
a secure tunnel to the FreeBSD machine and then connect over the LAN
without redirection, everything worked fine, so this doesn't seem to
be a VNC problem.
If you fire up a web browser on the inside machine and connect to a
web page that reports your IP, we get the 2nd IP of the FreeBSD
machine's outside interface, which is as it should be.
Can anyone shed any light on why this doesn't work?