[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Routing to servers via NAT box

To: "Rod... Whitworth" <listener@witworx.com>
Subject: Re: Routing to servers via NAT box
From: Hugo Villeneuve <harpagon@jwales.EINTR.net>
Date: Tue, 3 Sep 2002 00:49:34 -0400
Cc: Miscellaneous OBSD <misc@openbsd.org>
Content-Disposition: inline
References: <200209031403.1234559.6@mail.witworx.com>
User-Agent: Mutt/1.2.5.1i

On Tue, Sep 03, 2002 at 02:03:10PM +1000, Rod... Whitworth wrote:
> I think I have looked at this for too long and my brain is fried.
> 
> I have a box (old P166) running the July 1 snapshot. It has been
> running doing NAT for a small LAN to an ADSL connection. Works fine.
> 
> Only line in pf.conf at present is:
> nat on fxp0 from 192.168.1.0/24 to any -> fxp0
> 
> fxp0 is connection to ADSL
> 
> fxp1 is the LAN (192.168.1.0/24 bound address is .254)
> 
> Now for the problem:
> fxp2 is the NIC for the servers. It is configured as 203.x.y.209 for a
> routed subnet 203.x.y.208/29)
> 
> >From the box I can ping .209 (of course!) and a test server at .211
> >From across the internet I cannot ping either of those.
> 
> Running tcpdump on fxp0 shows that something is getting to the box:
> 18:51:35.145380 arp who-has 203.x.y.211 tell 10.0.0.138
> (10.0.0.138 is the ADSL modem)

If your ISP is asking that it's because they gave you a setup where
you plug all your computer + your ADSL modem into a hub and it
works without a gateway.

If you want to use OpenBSD to firewall your machines, you'll need
to go with an bridge setup. But then, you would have to move 192.../24
on another PC.

My ISP too gave me this setup for clueless Windows shop. I had to
call them to change my setup to a subnet routed to a gateway on
my side of the ADSL link.

You should ask too. OpenBSD bridge are nice, but if you can live
without it will make your life simpler.

> 
> The IPv4 part of the routing table looks like:
> Internet:
> Destination      Gateway            Flags
> default          165.a.b.1        UG
> 10.0.0.0         link#1             U
> 10.0.0.1         0:2:b3:8b:e2:21    UH
> SpeedTouch.inhou 0:90:d0:3:8f:5f    UH
> 127.0.0.0        SpeedTouch.inhouse UG
> SpeedTouch.inhou SpeedTouch.inhouse UH
> 165.a.0.0      link#1             U
> 165.a.b.1      0:90:d0:3:8f:5f    UH
> 165.a.c.2     SpeedTouch.inhouse UGH
> 192.168.1.0      link#2             U
> 203.x.y.208   link#3             U
> stooges.inhouse. SpeedTouch.inhouse UGH
> 224.0.0.0        SpeedTouch.inhouse U
> 
> Anybody care to wake me up?
> 
> Also what do I need to do to let the 192.168 LAN get to those servers
> without NAT?
> (I haven't got to that yet but I'm sure there will be a rule needed?)

nat on fxp2 from 192.168.1.0/24 to any -> fxp2


> 
> TIA
> Rod.
> 
> 
> 
> 
> 
> >From the land "down under": Australia.
> Do we look <umop apisdn> from up over?

-- 
Hugo Villeneuve <hugo@EINTR.net>
http://EINTR.net/

Follow-Ups:
- Re: Routing to servers via NAT box
  - From: Chuck Yerkes <chuck+obsd@snew.com>

References:
- Routing to servers via NAT box
  - From: "Rod... Whitworth" <listener@witworx.com>

Prev by Date: Routing to servers via NAT box
Next by Date: Re: Just how the heck do you answer this???
Prev by thread: Routing to servers via NAT box
Next by thread: Re: Routing to servers via NAT box
Index(es):
- Date
- Thread