Re: IPNAT rdr from inside to static IPs?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: IPNAT rdr from inside to static IPs?
- From: djr_(_at_)_newcoast_(_dot_)_com (Daniel Rubin)
- Date: Sat, 04 Aug 2001 15:27:40 -0400
- Cc: Rémi Guyomarch <rguyom_(_at_)_pobox_(_dot_)_com>
- Organization: Newcoast Communications, Inc.
Remi,
In hostname.de0 you specify the netmask, and that is why I included the /29 below.
Are you saying I should have entries like this in my hostname.de0 file:
inet alias 1.2.3.27 255.255.255.255 NONE
The .25 address on tun0 is my static IP end of the PPP dial-up link. That is why it
is on tun0. The de0 NIC supports all of my static (internet-valid) IP addresses even
when the PPP link is not up. The ISP routes all my static IP addresses to "my router"
at .25. So you are saying to take .25 off of de0?
I'll try adding "rdr de2 1.2.3.27/32 port 80 -> 10.0.1.10 port 10000 tcp" to ipnat.rules
and see if that works, with the above changes also. Yes, there was a typo in my post;
it should have been .27, not .26.
- Dan
Rémi Guyomarch wrote:
> On Fri, Aug 03, 2001 at 02:45:22AM -0400, Daniel Rubin wrote:
> > I posted this to the newsgroup comp.unix.bsd.openbsd.misc but got nothing. I am
> > not sure how the group and the list are related so I thought I would try it here
> > also:
> >
> > My problem is that I have a 3-legged DMZ with the following interfaces on the
> > OpenBSD firewall:
> >
> > tun0: 1.2.3.25/29 ppp link (static IP of my router)
> > de0: 1.2.3.25/29 (inet aliases: .26/29, .27/29, .28/29, .29/29,.30/29)
>
> The aliases should be .26/32, .27/32, .28/32 etc ...
> ^^ ^^ ^^
> And besides this, it certainly would be better to use static arp
> entries. Read arp(8). Even better, instruct your router to route the
> whole /29 subnet to your firewall so you don't have to play with
> aliases or arp entries at all.
> If you use aliases be sure to firewall *all* aliases just like your
> main external IP.
>
> Also, it seems really strange to me that you have the same IP and
> netmask on tun0 and de0. If you use PPPoE or PPTP you either don't
> need an IP on de0 at all or you need an RFC1918 IP.
>
> > de1: 10.0.1.1/8 private dmz network
> > de2: 192.168.1.1/16 private internal network
> >
> > I have a web server at 10.0.1.10 running on port 10000 with the purpose to serve
> > www.mydomain.com (In DNS www.mydomain.com = 1.2.3.27)
> >
> > I have the following related lines in my ipnat.rules file:
> >
> > map tun0 10.0.1.0/24 -> 1.2.3.26/32 portmap tcp/udp 10000:20000
> > map tun0 10.0.1.0/24 -> 1.2.3.26
> > rdr tun0 1.2.3.27/32 port 80 -> 10.0.1.10 port 10000 tcp
>
> Add "rdr de2 1.2.3.27/32 port 80 -> 10.0.1.10 port 10000 tcp"
> ^^
> (you said in your DNS www.mydomain.com = .27, not .26)
>
> And check your firewall rules. Log everything.
>
> --
> Rémi
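The two corrections in this exchange (host-mask aliases in hostname.if, and a second rdr rule on the inside interface so internal clients that resolve www.mydomain.com to the public address are redirected too) can be checked and generated mechanically. The script below is an added example, not Daniel's or Rémi's configuration; the function names, the interface list and the sample hostname.de0 contents are constructed for illustration, and the rule generator goes slightly beyond the thread by emitting a copy of the rdr rule for any number of interfaces, not only tun0 and de2.

```shell
#!/bin/sh
# Added example, not from the thread: emit the IPNAT "rdr" rules a published
# service needs on every interface whose clients resolve the public name, and
# lint hostname.if alias lines for the /29-instead-of-/32 netmask mistake.
# Addresses, interface names and the sample file below are constructed.

# rdr_rules EXT_IP EXT_PORT INT_IP INT_PORT IFACE...
# One rdr line per interface: the rule on tun0 only catches traffic arriving
# from the ISP, so inside clients that resolve www.mydomain.com to the public
# address need their own copy on de2 (and on de1 if DMZ hosts do the same).
rdr_rules() {
    ext_ip=$1 ext_port=$2 int_ip=$3 int_port=$4
    shift 4
    for ifc in "$@"; do
        printf 'rdr %s %s/32 port %s -> %s port %s tcp\n' \
            "$ifc" "$ext_ip" "$ext_port" "$int_ip" "$int_port"
    done
}

# alias_netmask_ok "inet alias A.B.C.D MASK BCAST"
# Exit 0 when the alias carries a host mask (255.255.255.255), 1 when it
# carries a subnet mask, 2 when the line is not an "inet alias" line at all.
alias_netmask_ok() {
    set -- $1                       # split the line into words
    [ "$1" = inet ] && [ "$2" = alias ] || return 2
    [ "$4" = 255.255.255.255 ]      # word 4 is the netmask
}

# lint_hostname_if FILE
# Prints each alias line that is not a /32 and exits 1 if any was found.
lint_hostname_if() {
    bad=0
    while IFS= read -r line; do
        case $line in
            "inet alias "*)
                if ! alias_netmask_ok "$line"; then
                    printf 'non-/32 alias in %s: %s\n' "$1" "$line"
                    bad=1
                fi ;;
        esac
    done < "$1"
    return $bad
}

# Stand-alone demo on a constructed hostname.de0 with one bad alias (.26 still
# carries the /29 mask 255.255.255.248, .27 has been corrected to /32).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
inet 1.2.3.25 255.255.255.248 NONE
inet alias 1.2.3.26 255.255.255.248 NONE
inet alias 1.2.3.27 255.255.255.255 NONE
EOF
rdr_rules 1.2.3.27 80 10.0.1.10 10000 tun0 de2
lint_hostname_if "$demo_file" || echo 'fix the alias netmasks above'
rm -f "$demo_file"
```

Run it as a plain sh script; it prints the tun0 and de2 rdr lines and flags the .26 alias. The lint only looks at "inet alias" lines, so the primary "inet" address keeps its real subnet mask, which is exactly the split Rémi describes.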