FreeBSD
bestdk2, 2017-02-14 22:11:15

How do I set up multiple NAT instances with ipfw kernel NAT?

Good evening.
There is a server with three interfaces: one external (em0) and two internal (em1 for the first LAN, em2 for the second).
The task: FTP connections arriving on em0 or em2 must be redirected to a machine in the first LAN (192.168.1.10).
I wrote these rules for the redirect from em0 (10.0.2.15):
add allow ip from any to any via em1
nat 1 config if em0 reset redirect_port tcp 192.168.1.10:20-21 20-21
add nat 1 ip from any to any via em0 // for LAN internet access
add nat 1 tcp from any to 10.0.2.15 20-21
add nat 1 tcp from 192.168.1.10 20-21 to any
This configuration works and redirects everything.
Now I need to add a redirect for anyone connecting from the second LAN (em2, 192.168.0.1):
add allow ip from any to any via em1
add allow ip from any to any via em2
nat 1 config if em0 reset redirect_port tcp 192.168.1.10:20-21 20-21
nat 2 config if em2 reset redirect_port tcp 192.168.1.10:20-21 20-21
add nat 1 ip from any to any via em0 // for LAN internet access
add nat 1 tcp from any to 10.0.2.15 20-21
add nat 1 tcp from 192.168.1.10 20-21 to any
add nat 2 tcp from any to 192.168.0.1 20-21
add nat 2 tcp from 192.168.1.10 20-21 to any
nat 1 works, nat 2 doesn't.
How do I fix it?


2 answer(s)
athacker, 2017-02-15
@bestdk2

Why do you need firewall rules to process traffic from the second LAN at all? Set up routing properly and you won't need a second NAT.

bestdk2, 2017-02-15
@bestdk2

Finally did this:

# First NAT instance (external interface) with the FTP port redirect
ipfw nat 1 config if em0 reset \
    redirect_port tcp 192.168.1.10:20-21 20-21
# Second NAT instance (second LAN) with the same FTP port redirect
ipfw nat 2 config if em2 reset \
    redirect_port tcp 192.168.1.10:20-21 20-21
# Jump to rule 1000 if the FTP server's reply is leaving through em0
ipfw add skipto 1000 tcp from 192.168.1.10 20-21 to any xmit em0
# Jump to rule 2000 if the FTP server's reply is going to the second LAN
# (this could equally be written like the previous rule, with "xmit em2")
ipfw add skipto 2000 tcp from 192.168.1.10 20-21 to 192.168.0.0/24
ipfw add 1000 nat 1 tcp from any to 10.0.2.15 20-21
ipfw add 1100 nat 1 tcp from 192.168.1.10 to any
ipfw add 1200 nat 1 ip from any to any via em0
ipfw add 2000 nat 2 tcp from any to 192.168.0.1 20-21
ipfw add 2100 nat 2 tcp from 192.168.1.10 to any

These rules are meant to work by the following logic:
If a packet is not on ports 20-21, it simply falls through to rule 1200 and is passed by the firewall. But if the packet belongs to FTP, it first reaches rule 1000 if it is going out via em0, or rule 2000 if it is going out via em2, and from there it is sent to the FTP server. The skipto rules are needed to route the server's replies correctly: rules 1100 and 2100 are both applicable, and without skipto the wrong NAT rule can be applied (replies to machines on the second LAN would be processed by nat 1 instead of nat 2).
I did this purely as a training example, so it is not the safest. It seems to work.
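As an added example, not part of the thread or the poster's own script: a complete /etc/ipfw.rules-style loader for the two-instance kernel NAT setup from the answer above. The NAT and skipto rules are kept exactly as the answer has them; what is added around them is the loopback, LAN allow and final deny scaffolding, the module/sysctl checks, and a split between emitting and applying the ruleset so it can be reviewed first. Interface names and addresses (em0 = 10.0.2.15, em1 with the FTP server 192.168.1.10, em2 = 192.168.0.1/24) are assumptions taken from the thread, and the script assumes the default net.inet.ip.fw.one_pass=1, under which a packet leaves the firewall as soon as a nat rule has processed it.

```shell
#!/bin/sh
# Added example for the thread above (not the original poster's script).
# Two-instance ipfw kernel NAT: FTP on the external address (em0) or on the
# second LAN's gateway address (em2) is redirected to the FTP server in the
# first LAN, and the server's replies are steered (skipto) back through the
# NAT instance that saw the request.
# Interfaces and addresses are assumptions taken from the thread.
ext_if="em0";  ext_ip="10.0.2.15"
lan1_if="em1"; ftp_srv="192.168.1.10"
lan2_if="em2"; lan2_ip="192.168.0.1"; lan2_net="192.168.0.0/24"

# Emit the ruleset instead of applying it, so it can be reviewed
# ("sh ipfw.rules | less") or checked without touching a live firewall.
# Ordering matters: the LAN "allow ... via" rules sit AFTER the NAT block,
# because "via" also matches a forwarded packet on its outgoing pass and an
# early allow would pass FTP replies before any nat/skipto rule sees them.
ipfw_rules() {
cat <<EOF
nat 1 config if ${ext_if} reset redirect_port tcp ${ftp_srv}:20-21 20-21
nat 2 config if ${lan2_if} reset redirect_port tcp ${ftp_srv}:20-21 20-21
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 500 skipto 1000 tcp from ${ftp_srv} 20-21 to any xmit ${ext_if}
add 510 skipto 2000 tcp from ${ftp_srv} 20-21 to ${lan2_net}
add 1000 nat 1 tcp from any to ${ext_ip} 20-21
add 1100 nat 1 tcp from ${ftp_srv} to any
add 1200 nat 1 ip from any to any via ${ext_if}
add 2000 nat 2 tcp from any to ${lan2_ip} 20-21
add 2100 nat 2 tcp from ${ftp_srv} to any
add 3000 allow ip from any to any via ${lan1_if}
add 3100 allow ip from any to any via ${lan2_if}
add 65000 deny log ip from any to any
EOF
}

# Load the ruleset on a FreeBSD host (needs root). Only runs when the script
# is invoked as "sh ipfw.rules apply".
apply_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    # Kernel NAT lives in ipfw_nat.ko unless the kernel was built with it;
    # assumption: loading the module on demand is acceptable on this host.
    kldstat -q -m ipfw_nat || kldload ipfw_nat
    # The nat rules above act as terminal rules only with one_pass=1 (default).
    sysctl net.inet.ip.fw.one_pass=1 >/dev/null
    ipfw -q -f flush
    ipfw_rules | ipfw -q /dev/stdin
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it without arguments to print the rules for review, and with `apply` (as root) to flush the current ruleset and load this one. If the host should keep serving non-FTP traffic from the FTP server to the second LAN directly, narrow rules 1100 and 2100 to ports 20-21 first; as written they follow the answer and send any TCP traffic from the FTP server through the NAT instance the skipto selected.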
