# natd handling subnets



## alandgates (May 25, 2013)

[I apologize in advance if this has been covered but a search did not return anything.

I have a freebsd FreeBSD box set up as a gateway.  The internal IP address is 10.0.0.1.  natd appears to work properly for any clients on the 10.0.0.0/24 network.  I also have two additional subnets 10.0.1.0/24 and 10.0.2.0/24.  My routes seem to work properly because I can successfully ping 10.0.0.1 from either subnet but I cannot seem to get out to the Internet from those subnets.  Any ideas on what could be causing this?  I see nothing in the message log to tip it off.  Permissions? natd configuration?  Any help is appreciated.

Thanks in advance!
Alan


----------



## ShelLuser (May 26, 2013)

alandgates said:
			
		

> [I apologize in advance if this has been covered but a search did not return anything.


Well, without sharing what you searched for that doesn't tell us that much 

Not trying to put words in your mouth, just cutting up the relevant parts here for clarity. If you think I missed anything or you think I misquoted you in any way do not hesitate to share. It's not my intention to offend here.



> internal IP address is 10.0.0.1.
> two additional subnets 10.0.1.0/24 and 10.0.2.0/24.
> My routes seem to work properly because I can successfully ping 10.0.0.1 from either subnet but I cannot seem to get out to the Internet from those subnets.


Being able to ping 10.0.0.1 is not proof that your routing table is correct. That is; it allows you to reach 10.0.0.1 but it should _also_ allow you to reach the rest.

My suggestion is to share the routing table of any host sitting on either of the two other subnets. Or, even better, try using (for example) `$ traceroute google.com` and check what routes it's taking and where it's stalling.

From my location it is normal to see a blank appear between 216.239.49.30 and 74.125.136.113 but since both of them sit on the Google network it's not something to worry about.

My theory so far; while the current routing table may tell your hosts how to reach 10.0.0.1 this doesn't necessarily tell them how to reach the rest of the world. Or put in normal words: where is the default route on those hosts pointing to?

Other possible causes I can some up with are a firewall misconfiguration or the possibly more obvious natd misconfiguration. But since you're not giving us much to work with this is all guessing on my part.


----------



## alandgates (May 26, 2013)

Thank you for your quick reply. I apologize for not providing enough info. Let me supplement it:
- a client at 10.0.0.100 can browse the web and do everything it wants
- a client at 10.0.1.140 can't get beyond the 10.0.0.1 router. 

*W*hen *I* do a traceroute to http://www.google.com from 10.0.1.140 it translates the name properly (presumably because my name servers are 10.0.0.2 and 10.0.0.3) but the trace cannot go past 10.0.0.1. *T*he same traceroute from 10.0.0.100 works perfectly.

*I*f you need more info, I will be glad to post it. In the natd configuration, do you have to authorize more than the 10.0.0.0/24 network? *T*he firewall is wide open (type="OPEN"). 

Thanks!


----------



## kpa (May 26, 2013)

NAT is not really an authorization but a mechanism to hide non-routable addresses behind a public routable IP address. Yes, you'll have to enable NAT for the other subnets as well.


----------



## alandgates (May 26, 2013)

This is my first time using natd on FreeBSD so please forgive the question: So are you saying that I cannot use natd on 10.0.0.1 to NAT the 10.0.0.0, 10.0.1.0 and 10.0.2.0 networks?  There are routers at 10.0.1.1 and 10.0.2.1 to route the traffic from those networks to 10.0.0.0 network.  The vision was to NAT at 10.0.0.1 (the edge router) for the entire network.


----------



## kpa (May 26, 2013)

What I mean is that you have to configure the NAT also for the 10.0.1.0/24 and 10.0.2.0/24 networks, now the NAT is applied only to traffic from 10.0.0.0/24 network.


----------



## alandgates (May 26, 2013)

*A*h. *T*hat explains it. *I* will research the natd.conf to find out how to enable it for the other subnets also. *T*hank you for your input on it.


----------

