# Three NICs and NAT (routing?) issue



## nov1ce (Jan 2, 2009)

Hi list-

I'm running FreeBSD 7.0-STABLE with three network interfaces compiled with IP Filter support (v4.1.28 (404)).

The first interface is tl0 (192.168.0.35 / 255.255.255.240), the second one is fxp0 (192.168.0.50 / 255.255.255.240) and the third one is fxp1 (10.0.10.1 / 255.255.255.0).

I would like to NAT 10.0.10 network through fxp0 interface and for some reason it doesn't work -- users are not able to pass through fxp0. Actually I don't see NAT working on fxp0 interface at all. If I do NAT through tl0 it works OK, but not with fxp0. I'm able however to ping all three interfaces from 10.0.10 network.

Here is more detailed information about my setup:

```
%dmesg | grep tl0
tl0: <Compaq Netelligent 10/100 Proliant> port 0x2c40-0x2c4f mem 0xc6cfccf0-0xc6cfccff irq 10 at device 7.0 on pci0
miibus0: <MII bus> on tl0
tl0: Ethernet address: 00:50:8b:50:f2:0e
```

```
%dmesg | grep fxp
fxp0: <Intel 82558 Pro/100 Ethernet> port 0x3000-0x301f mem 0xb7fff000-0xb7ffffff,0xc6e00000-0xc6efffff irq 15 at device 7.0 on pci1
fxp0: Ethernet address: 00:50:8b:6d:17:3d

fxp1: <Intel 82558 Pro/100 Ethernet> port 0x2c00-0x2c1f mem 0xb5fff000-0xb5ffffff,0xc6d00000-0xc6dfffff irq 11 at device 13.0 on pci0
fxp1: Ethernet address: 00:50:8b:01:24:bc
```

```
%cat /etc/rc.conf
defaultrouter="192.168.0.33"
ifconfig_tl0="inet 192.168.0.35 netmask 255.255.255.240"
ifconfig_fxp0="inet 192.168.0.50 netmask 255.255.255.240"
ifconfig_fxp1="inet 10.0.14.1 netmask 255.255.255.0"
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.conf"
```

```
%cat /etc/ipnat.conf
map fxp0 10.0.14.0/24 -> 0/32 portmap tcp/udp 30000:60000
map fxp0 10.0.14.0/24 -> 0/32
```

```
%netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.33 UGS 0 649736 tl0
10.0.14.0/24 link#3 UC 0 0 fxp1
192.168.0.32/28 link#1 UC 0 0 tl0
192.168.0.33 00:09:7c:61:93:30 UHLW 2 18057 tl0 1170
192.168.0.35 00:50:8b:50:f2:0e UHLW 1 564 lo0
192.168.0.48 ff:ff:ff:ff:ff:ff UHLWb 1 2 fxp0 =>
192.168.0.48/28 link#2 UC 0 0 fxp0
127.0.0.1 127.0.0.1 UH 0 31556 lo0
```

IP Filter is configured to allow all outgoing traffic for all three interfaces.

Does it look like a routing issue?

Any tips would be greatly appreciated!

Many thanks!


----------



## cloud (Jan 2, 2009)

Is your IP forwarding enabled? Have you tried NAT using PF?


----------



## nov1ce (Jan 2, 2009)

Yes, ip forwarding is there:

```
%sysctl -a | grep net.inet.ip.forwarding
net.inet.ip.forwarding: 1
```

The strange thing is that if I enable NAT on tl0 it works as it should.

I haven't tried NAT using PF though yet.


----------



## schtipoun (Jan 2, 2009)

And if you deactivate IP Filter?

(to know if it's an IPF rule problem)


----------



## nov1ce (Jan 4, 2009)

Thank you guys! The issue was solved by implementing policy routing with IP Filter. However, my initial question is still valid. Assuming I don't use any firewall, how would one route NATed traffic through the secondary interface while the default gateway is in the same subnet that the primary interface belongs to?

Thanks!


----------



## ethoms (Feb 13, 2009)

I also wish to divert my LAN traffic via another NIC/Public IP address, whilst keeping the server traffic on 1st and default NIC. I am using ipfilter to NAT the LAN to public IP. When I change the NIC from 1st to 2nd public facing interface no traffic gets through. I guess this is because it wants to use the default route. I thought I had to use route commands (routing) to solve my problem but your solution using ipfilter policy routing is now my default route (lol). Thanks for the direction. I also am curious how to achieve this with routing. Is there a way to NAT with routing as well?


----------



## ethoms (Feb 13, 2009)

*How to direct NATed LAN to secondary public IP?*

Forgot to ask in my last post: how did you manage to get it to work using ipfilter? Is it possible you could copy & paste your ipnat.conf and ipf.conf (ipf.rules) contents, just the relevant lines? Thanks in advance.


----------
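Why the `map fxp0` rules in this thread never fire, as an added example that is not part of any post: it replays the routing table and ipnat.conf from the first post, relying on the fact that IP Filter applies a `map` rule only to packets leaving the named interface. The client address 10.0.14.20 and the destinations are constructed sample values.

```python
import ipaddress

# Rows copied from the first post's `netstat -rn` and /etc/ipnat.conf output.
NETSTAT = """\
default 192.168.0.33 UGS 0 649736 tl0
10.0.14.0/24 link#3 UC 0 0 fxp1
192.168.0.32/28 link#1 UC 0 0 tl0
192.168.0.33 00:09:7c:61:93:30 UHLW 2 18057 tl0 1170
192.168.0.35 00:50:8b:50:f2:0e UHLW 1 564 lo0
192.168.0.48 ff:ff:ff:ff:ff:ff UHLWb 1 2 fxp0 =>
192.168.0.48/28 link#2 UC 0 0 fxp0
127.0.0.1 127.0.0.1 UH 0 31556 lo0
"""
IPNAT = """\
map fxp0 10.0.14.0/24 -> 0/32 portmap tcp/udp 30000:60000
map fxp0 10.0.14.0/24 -> 0/32
"""

def parse_routes(text):
    """Return [(network, netif)] from netstat -rn rows (Netif is column 6)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        routes.append((ipaddress.ip_network(dest), f[5]))
    return routes

def egress_if(routes, dst):
    """Longest-prefix match: the most specific route decides the interface."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, ifn) for net, ifn in routes if dst in net]
    return max(matches)[1]

def parse_maps(text):
    """Return [(iface, source_network)] from ipnat `map` rules."""
    rows = (line.split() for line in text.splitlines())
    return [(f[1], ipaddress.ip_network(f[2])) for f in rows if f and f[0] == "map"]

def nat_rule_hit(src, dst):
    """Return (egress interface, True if a map rule is bound to it for src)."""
    out_if = egress_if(parse_routes(NETSTAT), dst)
    src = ipaddress.ip_address(src)
    hit = any(ifn == out_if and src in net for ifn, net in parse_maps(IPNAT))
    return out_if, hit

if __name__ == "__main__":
    print(nat_rule_hit("10.0.14.20", "203.0.113.7"))   # ('tl0', False)
    print(nat_rule_hit("10.0.14.20", "192.168.0.49"))  # ('fxp0', True)
```

Only destinations inside 192.168.0.48/28 leave through fxp0; everything else follows the default route out tl0, so a packet has to be steered to fxp0 before the `map fxp0` rules can translate it.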

