 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  monowall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Using multiple Ip's on WAN port (Server NAT)
 Date:  Thu, 28 Feb 2008 19:01:01 -0500
On Thu, Feb 28, 2008 at 5:30 AM, Roland Giesler
<roland at thegreentree dot za dot net> wrote:
>  Just so I understand this better:  If I have an alias in FreeBSD on a
>  netcard, then that card will respond to pings on both addresses (or
>  however many addresses I've added).  Now if I have an ip on the WAN
>  port and allow pings to it, it will respond when I ping it.  If I add
>  another ip address (Server NAT), then the mechanism employed to
>  "allow" that address is obviously not like when I add an alias, right?
>   How is it done though?

Right, it's strictly proxy ARP. This is better than IP aliases because
there is no way a service bound locally on the box can interfere with
your NAT, you can't inadvertently open your webGUI to the Internet on
the extra IPs, and probably other reasons I'm not thinking of offhand.

> TCP/UDP ports can be NAT'ed to another host,
>  but ICMP not.  Could you tell me (and the list) please how this is
>  actually done.  I know now I should be using 1:1 NAT, but I'd like to
>  learn what actually happens here.

That's a limitation of the NAT component used in m0n0wall; it can only
NAT TCP and UDP unless you do 1:1.
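The exposure risk mentioned above (a service bound to the wildcard address on the firewall would also answer on an IP alias, but not on an address that is only proxy-ARP published) can be audited from the listening-socket table. The following is an added example, not part of the thread and not m0n0wall code; it assumes FreeBSD `sockstat -4 -l` column layout and runs over a constructed sample rather than a live system.

```sh
#!/bin/sh
# Constructed sample of `sockstat -4 -l` output on a FreeBSD-based firewall.
# These lines are made up for the example; they are not captured output.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     mini_httpd 312   3  tcp4   *:80                  *:*
root     sshd       290   4  tcp4   192.168.1.1:22        *:*
root     dnsmasq    250   5  udp4   *:53                  *:*
_dhcp    dhcpd      260   6  udp4   *:67                  *:*
root     ntpd       270   7  udp4   127.0.0.1:123         *:*'

# wildcard_listeners: print "proto port command" for every socket bound to
# the wildcard address (*:port). If an extra public IP is added as an alias
# on the WAN interface, these services become reachable on that alias too.
# With proxy ARP (m0n0wall Server NAT) the box does not own the address, so
# locally bound services cannot answer on it. Sockets bound to a specific
# address (sshd on the LAN IP, ntpd on loopback) are left out.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /^\*:/ {
        split($6, a, ":")
        print $5, a[2], $2
    }'
}

# wildcard_count: number of wildcard-bound listeners, handy as a one-number
# check in a cron job or post-change review.
wildcard_count() {
    wildcard_listeners "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list the exposure candidates for the sample.
wildcard_listeners "$SAMPLE"
```

On a real host, replace `"$SAMPLE"` with `"$(sockstat -4 -l)"`; any service that shows up here is one that would be reachable on an alias address unless a firewall rule blocks it.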