Re: natd with several alias IPs

2006-02-16 Thread Andrew Pantyukhin
On 2/16/06, Chuck Swiger [EMAIL PROTECTED] wrote:
> Andrew Pantyukhin wrote:
>> I wonder, what tricks do you use to use more than
>> one alias IP? I mean, if you have hundreds of
>> hosts behind your firewall, what can you do to alias
>> some of them to one ip, others to another and so on.
>
> See man natd about the following options for 1-to-1 NAT translation, which can
> be put into /etc/natd.conf and processed automagically when the machine boots:
>
>  -redirect_address localIP publicIP

That's one trick. Do you use it in production? How many
hosts do you have mapped this way? How do you get
incoming traffic translated to the address it is meant
for, not the last address?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: natd with several alias IPs

2006-02-16 Thread Iantcho Vassilev
That's how I do it with PF!!!
FreeBSD

nat on ed0 proto {tcp udp icmp} from 10.10.xx.xx to any -> 172.16.xx.xx
# Rule  2 (NAT)
#
#
nat on ed0 proto {tcp udp icmp} from 10.10.xx.xx to any -> 172.16.xx.xx
#
# Rule  3 (NAT)
#
#
nat on ed0 proto {tcp udp icmp} from 10.10.xx.xx to any -> 172.16.xx.xx
#
# Rule  4 (NAT)
#
#
nat on ed0 proto {tcp udp icmp} from 10.10.xx.xx to any -> 172.16.xx.xx

--
Where ed0 is the interface with the alias..

As for performance, I can say that it's scaling very well. Because of the nature
of PF and the options you can set (to be more aggressive or not), I don't
have problems with overheat.


On 2/16/06, Andrew Pantyukhin [EMAIL PROTECTED] wrote:

> On 2/16/06, Chuck Swiger [EMAIL PROTECTED] wrote:
>> Andrew Pantyukhin wrote:
>>> I wonder, what tricks do you use to use more than
>>> one alias IP? I mean, if you have hundreds of
>>> hosts behind your firewall, what can you do to alias
>>> some of them to one ip, others to another and so on.
>>
>> See man natd about the following options for 1-to-1 NAT translation, which can
>> be put into /etc/natd.conf and processed automagically when the machine boots:
>>
>>  -redirect_address localIP publicIP
>
> That's one trick. Do you use it in production? How many
> hosts do you have mapped this way? How do you get
> incoming traffic translated to the address it is meant
> for, not the last address?



natd with several alias IPs

2006-02-15 Thread Andrew Pantyukhin
I wonder, what tricks do you use to use more than
one alias IP? I mean, if you have hundreds of
hosts behind your firewall, what can you do to alias
some of them to one ip, others to another and so on.

I know pf can probably do it in a better fashion, I just
wonder how we can do it with natd. Several natd
processes? Some other tricks?


RE: natd with several alias IPs

2006-02-15 Thread bob
I am not sure just what you are asking about.

Are you saying that you have 4 static public IP addresses assigned to
you by your ISP and you want to round robin those 4 in the NATing
process to your hundreds of LAN users?

If that's what you are after then any of FreeBSD's 3 built-in
firewalls can do that by how you code the NAT statements.  Read the
handbook firewall ipfilter section for details. There are no special
tricks or need for several NATed processes.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Andrew
Pantyukhin
Sent: Wednesday, February 15, 2006 3:45 PM
To: FreeBSD Questions
Subject: natd with several alias IPs


I wonder, what tricks do you use to use more than
one alias IP? I mean, if you have hundreds of
hosts behind your firewall, what can you do to alias
some of them to one ip, others to another and so on.

I know pf can probably do it in a better fashion, I just
wonder how we can do it with natd. Several natd
processes? Some other tricks?


Re: natd with several alias IPs

2006-02-15 Thread Andrew Pantyukhin
On 2/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I am not sure just what you are asking about.
>
> Are you saying that you have 4 static public IP addresses assigned to
> you by your ISP and you want to round robin those 4 in the NATing
> process to your hundreds of LAN users?
>
> If that's what you are after then any of FreeBSD's 3 built-in
> firewalls can do that by how you code the NAT statements.  Read the
> handbook firewall ipfilter section for details. There are no special
> tricks or need for several NATed processes.

I'm quite aware of the fact that both pf and ipf have
mature nat frameworks. The question is, how to do
that with natd (and ipfw). Could you be so kind and
throw an example of a round-robin setup without
several natd processes, 'cuz I can hardly imagine
that?


RE: natd with several alias IPs

2006-02-15 Thread bob
I am not an ipfw expert. The truth of it is I was an ipfw user before
I added a LAN behind my gateway box. Ipfw does its nating from
within ipfw and that is what makes ipfw nating so hard to get right.
It's even harder if you use keep state processing.  Ipfilter and PF
do the nating separate from the firewall so the firewall always sees
the true LAN packets. For that reason I now use ipfilter. Your ipfw
question may get better answers from the ipfw questions list. In
reading your original post it was not clear to me that you had to do
this using ipfw. I read it as you were asking if it could be done at
all. Using alias ip's is not the correct term I believe.
Good luck finding an ipfw solution.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Andrew
Pantyukhin
Sent: Wednesday, February 15, 2006 7:16 PM
To: [EMAIL PROTECTED]
Cc: FreeBSD Questions
Subject: Re: natd with several alias IPs


On 2/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I am not sure just what you are asking about.
>
> Are you saying that you have 4 static public IP addresses assigned to
> you by your ISP and you want to round robin those 4 in the NATing
> process to your hundreds of LAN users?
>
> If that's what you are after then any of FreeBSD's 3 built-in
> firewalls can do that by how you code the NAT statements.  Read the
> handbook firewall ipfilter section for details. There are no special
> tricks or need for several NATed processes.

I'm quite aware of the fact that both pf and ipf have
mature nat frameworks. The question is, how to do
that with natd (and ipfw). Could you be so kind and
throw an example of a round-robin setup without
several natd processes, 'cuz I can hardly imagine
that?


Re: natd with several alias IPs

2006-02-15 Thread Andrew Pantyukhin
On 2/16/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I am not an ipfw expert. The truth of it is I was an ipfw user before
> I added a LAN behind my gateway box. Ipfw does its nating from
> within ipfw and that is what makes ipfw nating so hard to get right.
> It's even harder if you use keep state processing.  Ipfilter and PF
> do the nating separate from the firewall so the firewall always sees
> the true LAN packets. For that reason I now use ipfilter. Your ipfw
> question may get better answers from the ipfw questions list. In
> reading your original post it was not clear to me that you had to do
> this using ipfw. I read it as you were asking if it could be done at
> all. Using alias ip's is not the correct term I believe.
> Good luck finding an ipfw solution.

I'm afraid you've got it all a little bit wrong. It's pf and ipf
that have built-in nat facilities. ipfw uses divert sockets
and an external natd process (so when one says natd,
it's clear that he's dealing with ipfw). Alias ip is a natd
term.

Thanks anyway


Re: natd with several alias IPs

2006-02-15 Thread Chuck Swiger
Andrew Pantyukhin wrote:
> I wonder, what tricks do you use to use more than
> one alias IP? I mean, if you have hundreds of
> hosts behind your firewall, what can you do to alias
> some of them to one ip, others to another and so on.

See man natd about the following options for 1-to-1 NAT translation, which can
be put into /etc/natd.conf and processed automagically when the machine boots:

 -redirect_address localIP publicIP
         Redirect traffic for public IP address to a machine on the
         local network.  This function is known as static NAT.
         Normally static NAT is useful if your ISP has allocated a small
         block of IP addresses to you, but it can even be used in the
         case of single address:

           redirect_address 10.0.0.8 0.0.0.0

         The above command would redirect all incoming traffic to
         machine 10.0.0.8.

         If several address aliases specify the same public address as
         follows

           redirect_address 192.168.0.2 public_addr
           redirect_address 192.168.0.3 public_addr
           redirect_address 192.168.0.4 public_addr

         the incoming traffic will be directed to the last translated
         local address (192.168.0.4), but outgoing traffic from the
         first two addresses will still be aliased to appear from the
         specified public_addr.

 -redirect_address localIP[,localIP[,...]] publicIP
         These forms of -redirect_port and -redirect_address are used
         to transparently offload network load on a single server and
         distribute the load across a pool of servers.  This function
         is known as LSNAT (RFC 2391).  For example, the argument

           tcp www1:http,www2:http,www3:http www:http

         means that incoming HTTP requests for host www will be
         transparently redirected to one of the www1, www2 or www3, where a
         host is selected simply on a round-robin basis, without
         regard to load on the net.

-- 
-Chuck
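
Added example, not part of the thread: a POSIX sh/awk check for the behaviour the man page excerpt above describes, where several redirect_address lines naming one public address send all inbound traffic to the last local host listed. The function names, the interface fxp0 and the 203.0.113.x addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Reads natd.conf-style text on stdin and
# reports every public address named by more than one redirect_address line.
# Per the man page excerpt, inbound traffic then reaches only the last local
# address listed; a comma-separated LSNAT pool is one entry, not a collision.
check_redirects() {
    awk '
        { sub(/#.*/, "") }                  # strip trailing comments
        $1 == "redirect_address" && NF == 3 {
            pub = $3
            if (pub in count) {
                locals[pub] = locals[pub] " " $2
            } else {
                order[++n] = pub            # remember first-seen order
                locals[pub] = $2
            }
            count[pub]++
            last[pub] = $2                  # later lines override earlier ones
        }
        END {
            for (i = 1; i <= n; i++) {
                pub = order[i]
                if (count[pub] > 1) {
                    printf "%s: inbound goes to %s only (entries: %s)\n",
                        pub, last[pub], locals[pub]
                    bad = 1
                }
            }
            exit bad + 0                    # non-zero when a collision exists
        }
    '
}

# Constructed sample configuration; fxp0 and 203.0.113.x are placeholders.
sample_conf() {
    cat <<'EOF'
interface fxp0
redirect_address 192.168.0.10 203.0.113.10   # 1-to-1, unambiguous
redirect_address 192.168.0.2 203.0.113.20
redirect_address 192.168.0.3 203.0.113.20
redirect_address 192.168.0.4 203.0.113.20    # receives all inbound traffic
redirect_address 192.168.0.21,192.168.0.22 203.0.113.30   # LSNAT pool
EOF
}

sample_conf | check_redirects || echo "collisions found"
```

Run it against a real file with `check_redirects < /etc/natd.conf`; a non-zero exit status means at least one internal host is unreachable from outside on the public address it is mapped to.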