
Re: Routing to servers via NAT box



On Tue, Sep 03, 2002 at 11:54:41AM -0700, Chuck Yerkes wrote:
> Quoting Hugo Villeneuve (harpagon@jwales.EINTR.net):
> > On Tue, Sep 03, 2002 at 02:03:10PM +1000, Rod... Whitworth wrote:
[...]
> > > 
> > > From the box I can ping .209 (of course!) and a test server at .211
> > > From across the internet I cannot ping either of those.
> > > 
> > > Running tcpdump on fxp0 shows that something is getting to the box:
> > > 18:51:35.145380 arp who-has 203.x.y.211 tell 10.0.0.138
> > > (10.0.0.138 is the ADSL modem)
> > 
> > If you want to use OpenBSD to firewall your machines, you'll need
> > to go with a bridge setup. But then, you would have to move 192.../24
> > onto another PC.
> 
> No, you don't need a bridge.
> 
> I allow certain ports through my (3 legged) firewall.  A chunk
> of pf.conf is below:
> 
> ----------------------------------------------------------------------
> if_inet=sis1
> if_in=sis0
> InsideIP=" 220.00.00.0/24"
> scrub in all
> nat on $if_inet from 220.00.00.0/24 to any -> $PUBLIC_ADDR
> rdr on $if_inet proto tcp from any to any port 8001 -> 220.00.00.21 port 80
> rdr on $if_inet proto tcp from any to any port 8002 -> 220.00.00.25 port 80
> rdr on $if_inet proto tcp from any to any port 8003 -> 220.00.00.31 port 80
> ----------------------------------------------------------------------

YOU ARE NATTING A PUBLIC CLASS C !!??!!!

Man, you must be rich, throwing your money out of your window like this.

A Class C doesn't grow on trees. My ISP charges over $100 a month
for one. I wouldn't just NAT it so it becomes unused and useless.
I would just not ask for it, use a private network range, and save
a bundle.

> 
> 
> If packets go OUT ($if_inet), they get natted to the public address.
> Packets coming IN on port 8001 get sent to ... 21 on port 80.  8002 -> '25/80.
> Etc.
> 
> If you are ROUTING, then your ADSL "router" needs to know to send
> packets for 203.x.y.208/29 to your OpenBSD box.

With proper routing entries on your ISP's side, they just need to
know the next hop. They wouldn't need to "arp who-has" the individual
IPs, just the gateway one. That's why I said his ADSL router needed
to be connected directly with a hub to his public computer without
going through a gateway.

[...]
> Worst case, be a bridge.  But smack your ISP anyhow.

I agree on calling the ISP.

-- 
Hugo Villeneuve <hugo@EINTR.net>
http://EINTR.net/
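For reference, here is what the routed setup Chuck and Hugo are describing looks like in pf.conf. This is an added example, not a configuration from anyone in the thread: the public /29 is kept on the inside interface and is not NATed, the ISP routes the block to the firewall's outside address, and only the published services are passed in. It uses the nat/rdr/pass syntax of pf in OpenBSD 3.x that the thread's own snippet uses (current pf expresses the same with match/pass rules and nat-to/rdr-to). The interface names, the firewall's inside address .209, the "203.x.y" prefix (redacted in the original post) and the host addresses are assumptions.

```pf
# Added example (not from the thread): pf.conf for a routed, non-NAT
# firewall in front of a public /29.  Syntax is OpenBSD 3.x-era pf.
#
# Prerequisites outside this file (assumed):
#   - net.inet.ip.forwarding=1 in /etc/sysctl.conf
#   - the ISP routes 203.x.y.208/29 to the address on $ext_if, so the
#     ADSL modem ARPs only for that one address, never for .211 itself
#   - $int_if carries 203.x.y.209/29 on the firewall; servers use .210-.214

ext_if="fxp0"               # towards the ADSL modem (assumed name)
int_if="fxp1"               # towards the servers (assumed name)
pub_net="203.x.y.208/29"    # routed public block, x.y as redacted in the post
web_srv="203.x.y.211"       # the test server from the post

# Normalise fragments and odd packets before any rule sees them.
scrub in all

# No nat or rdr: the servers keep their public addresses, so the
# 8001 -> 80 style redirects from the quoted example are unnecessary.

# Default deny, logged, so anything not explicitly passed shows up in pflog0.
block in log all
block out log all

pass quick on lo0 all

# Anti-spoofing: a packet arriving from the modem side claiming a source
# inside our own block is forged.
block in log quick on $ext_if from $pub_net to any

# Inside interface is trusted: servers may talk to the firewall and out.
pass in  on $int_if from $pub_net to any
pass out on $int_if from any to $pub_net

# Outbound from the block: stateful, so replies come back without extra rules.
pass out on $ext_if proto tcp from $pub_net to any flags S/SA keep state
pass out on $ext_if proto { udp, icmp } from $pub_net to any keep state

# Inbound from the Internet: only what is published, stateful.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $ext_if inet proto icmp from any to $pub_net icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the ISP side with `tcpdump -ni fxp0 arp`: once the block is routed, the modem should ARP for the firewall's outside address only. An `arp who-has 203.x.y.211` on the outside interface, as in the original post, means the modem still believes the /29 is on-link and the packets will never reach the inside interface, no matter what pf passes.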