From: Jonathan Horne
To: freebsd-questions@freebsd.org
Date: Wed, 26 Sep 2007 07:18:07 -0500
Subject: Re: pf redirect question

On Wednesday 26 September 2007 02:28:48 Nikos Vassiliadis wrote:
> No, don't use the IP on your server. Why you should do such a thing?
>

why not? i did specify that the old server is decommissioning and would be permanently downed.

> You just have to make sure that packets ($old_server <-> $world)
> are routed through your $pf box. I guess that's the case for you.
> pf will just translate the destination address from $old_server
> to $new_server.
>

yes, any client or server would be able to route across the wan to the new ip at the other end.

> BUT, which is this service you are talking about? Cause that's not
> feasible with everything.
>
> Nikos

ultimately, i want to route some McAfee ePolicy clients to use another server. we've installed our new agent on all our machines, but i still have a handful of clients that are "roamers" who are checking in via the vpn concentrator, which i cannot physically get to their machines to perform their upgrade. if i can re-route their check-in server to our new server (and yes, the inbound vpn also uses all the same routes to other sites as our internal core switches), that would a) not knock those roaming clients off antivirus updates, b) i could also use the same trick to upgrade our server farm, and c) our new york office is lagging way behind on their client upgrades, and this would help them out as well (by directing anyone remaining over to the new server, which is in chicago).

so far, i was trying it out, by trying to redirect port 80 on my laptop, to a monitoring service on the server at 10.22.192.131:8080, but it would just die if i tried to telnet to my laptop's port 80 (from some other machine, not the laptop or test server). was my syntax in my example incorrect?

thanks,
-- 
Jonathan Horne
http://dfwlpiki.dfwlp.org
freebsd@dfwlp.com