HOWTO: divert a network out through an external IP other than your default one in FreeBSD, using ipfw and natd.

Keywords: divert , natd , ipfw , FreeBSD , external


I've been playing around with natd and ipfw, more specifically with diverting.

A Bulgarian version (slightly different) is also available.

------------------------------------------------------------------------------

Let's imagine you have three networks getting their Internet access from a single router with two LAN cards.
The three networks have different default gateways: the internal LAN card on the router carries three aliased IPs, one per network.

So let's say we have 192.168.0.0/24, 192.168.1.0/24 and 10.0.0.0/24.
The external IPs are going to be 80.72.65.115 and 80.72.65.109.

So you have a FreeBSD box set up and working just fine, with ipfw diverting to the natd port and natd doing the translation.

something like:

#>ipfw show|grep divert
01000 321 123 divert 8668 ip from any to any via xl0

and natd started from rc.conf, something like:

#>ps ax|grep natd
/sbin/natd -f /etc/natd.conf

You also have two network adapters (mine are xl0 and xl1), configured like this:

#>ifconfig xl0
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 80.72.65.115 netmask 0xffffffe0 broadcast 80.72.65.127
	ether 02:53:14:b9:33:a3
        media: Ethernet autoselect (100baseTX )
        status: active
#>ifconfig xl1
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 192.168.0.100 netmask 0xfffffc00 broadcast 192.168.3.255
        inet 10.0.0.100 netmask 0xffffff00 broadcast 10.0.0.255
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
	ether 0a:5d:01:c1:af:e9
        media: Ethernet autoselect (100baseTX )
        status: active


So everything works just fine: all requests coming from your internal networks go out into the "real world"
through the IP address 80.72.65.115. To the servers out there it looks like you are connecting directly from that address,
and to the users on your internal networks it looks like they are directly on the Internet.
This is a typical NAT (Network Address Translation) server.

One day you are told:
"I want 192.168.1.0/24 and 10.0.0.0/24 to look like they are browsing from IP addresses different from the current one;
 they have been blocked at the address we are using now."

And here we go!

You log in on the router and set up a new IP address:


#>ifconfig xl0 alias 80.72.65.109 netmask 0xffffffff

(WARNING: to have this address set up again when you reboot the machine, add it to rc.conf.
It should look something like:
ifconfig_xl0_alias0="inet 80.72.65.109 netmask 255.255.255.255"
The alias numbers start at 0 and must be consecutive, since rc stops at the first number that is not set;
if this is the first alias on xl0 it has to be alias0.)
I planned:
80.72.65.109 <-> 192.168.1.0/24
and
80.72.65.115 <-> 192.168.0.0/24, 10.0.0.0/24

meaning all the traffic coming from 192.168.1.0/24 goes out through a different external IP.

I've read quite a lot in the natd and ipfw manual pages about divert.

natd works the following way:
unless it has been told to listen on separate ports for incoming and for outgoing packets, it listens on a single port
(the default natd port, 8668), takes every packet that arrives on that port, tells the direction from the divert socket,
and aliases it to the interface given with -n or the address given with -a (read the natd manual).
It looks something like this (you can see it by stopping your natd and running it by hand with the -v option):

In  [TCP]  [TCP] 80.72.67.5:80 -> 80.72.65.109:1230 aliased to
           [TCP] 80.72.67.5:80 -> 192.168.1.250:1230
Out [TCP]  [TCP] 192.168.1.250:1230 -> 80.72.67.5:80 aliased to
           [TCP] 80.72.65.109:1230 -> 80.72.67.5:80

So, with one divert rule sending everything to a single port, this is the default natd setup.

If you want one of your nets to go out with a different external IP, you start another natd instance to translate the packets of that network,
and you add divert rules that send only that network's packets to it.


Here are my rules.
(THESE RULES MUST COME BEFORE THE DEFAULT NATD RULE! Otherwise the packets are diverted to the default natd first and leave from the default IP.)

# Divert all traffic from 192.168.1.0/24 that leaves through the external interface to port 65350.
# The second natd is started below with -o 65350, so it treats everything on this port as outgoing
# and rewrites the source address to 80.72.65.109.

#>ipfw add 720 divert 65350 ip from 192.168.1.0/24 to any via xl0

# Divert all traffic from the Internet to 80.72.65.109 (the address this network's packets were sent from) to port 65351.
# The second natd is started with -i 65351, so it treats everything on this port as incoming
# and rewrites the destination back to the internal host.

#>ipfw add 721 divert 65351 ip from any to 80.72.65.109 via xl0

# Allow the de-aliased incoming traffic (re-injected by natd) to the internal network on the external interface.
#>ipfw add 781 allow ip from any to 192.168.1.0/24 via xl0


You also have to change the default natd rule (divert natd ip from any to any) so that it does not divert packets whose source is already one of your external IP addresses!
Otherwise the packets the second natd has just aliased to 80.72.65.109 are diverted again and aliased to 80.72.65.115, and nothing changes!

#>ipfw del 1000
#>ipfw add 1000 divert natd ip from not 80.72.65.96/27 to any via xl0

(Note that "not 80.72.65.96/27" also keeps packets coming from other hosts on your own /27 out of the default natd,
so their replies to 80.72.65.115 are never de-aliased. If you talk to neighbours on that subnet, exclude only the alias
address instead: "from not 80.72.65.109".)

# Allow traffic for this network on the internal interface.
(You need these even without the second natd, to allow the traffic for the default one.)
#>ipfw add allow ip from 192.168.1.0/24 to any via xl1
#>ipfw add allow ip from any to 192.168.1.0/24 via xl1


After that you start a second natd that aliases the packets on the two ports, 65350 and 65351 ;-)
natd's -o port is for packets it should treat as outgoing (it rewrites the source address to the alias)
and its -i port is for packets it should treat as incoming (it rewrites the destination back to the internal host),
so the ports have to match the divert rules above: the outgoing rule 720 goes to the -o port and the incoming rule 721 to the -i port.

#>natd -o 65350 -i 65351 -a 80.72.65.109

(natd_enable in rc.conf starts only the one default natd; this second instance has to be started some other way,
for example from /etc/rc.local, or it will be gone after a reboot.)

You are ready: all traffic coming from 192.168.1.0/24 goes out through 80.72.65.109, and everything else goes through 80.72.65.115.

Questions and comments to valqk [at] lozenetz [dot] org.
Help me have more free time to write docs like this: donations are VERY welcome!
If you want to donate, please contact me.
Special thanks to Tbyte for the help! He showed me this.