From: "matt" <matt-l@pacbell.net>
To: "Peter Brezny"
Subject: Re: need help with divert to avoid dual dns..is it possible?
Date: Wed, 11 Jul 2001 10:25:02 -0700
List: freebsd-net@freebsd.org

Well, if ipfw can't do the work, you can check out the ipfilter module as well.
It's a bit different in NAT code.

======================================
WWW.XGFORCE.COM
The Next Generation Load Balance and Fail Safe Server Clustering Software
for the Internet.
======================================

----- Original Message -----
From: Peter Brezny
Sent: Wednesday, July 11, 2001 9:49 AM
Subject: need help with divert to avoid dual dns..is it possible?

> I'm trying to come up with a way to avoid having to run an internal and an
> external DNS for our network.
>
> Here's the basic layout.
>
>                   primary                +--private LAN 1
>                   router                 |
> internet --- ipfw with nat -------------+--private LAN 2
>                                          |
>                                          +--private LAN 3
>
> Each of these private LANs has public services run on boxes with a static
> NAT address assigned to them from the primary ipfw with nat box.
>
> So if someone wants to browse a web site hosted on private LAN 1 from the
> public internet, no problem: the DNS points them to the public IP on the
> primary router designated to static NAT to a box on private LAN 1.
>
> However, if someone on private LAN 2 makes the same request, using the
> public DNS, the packet never arrives because it never goes through the
> external interface on the primary router and therefore does not get
> translated to the private IP on the destination box.
>
> To overcome this problem, I've created an internal DNS that points requests
> made from within the private LAN space direct to the private IPs of the
> boxes hosting the public services.
>
> However, I'd like to eliminate this requirement.
>
> I attempted to work something out with the ipfw fwd action, but I don't
> think I really understand how fwd works and I'm guessing it's not really
> meant to do what I'm after.
>
> The other thought I had was to run a second instance of natd on the
> internal interface with the -redirect_address option and a specific list of
> static NAT redirects in internal_natd.conf; however, I don't want public
> packets' source IPs translated to the internal interface IP as they leave
> the internal interface headed for the private networks.
>
> Is there another flag, similar to -unregistered_only, where I could specify
> that natd translate _only_ addresses coming into the internal interface
> bound for specific addresses listed in natd.conf for static NAT?
>
> OR...
>
> is there another way to do this without using a divert socket, something
> just within ipfw?
>
> Thanks a lot for taking the time to read through all this.
>
> Peter Brezny
> SysAdmin Services Inc.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
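The following is an added model of the problem Peter describes (it is not natd or ipfw code, and not from the thread): static NAT that only acts on the external interface never sees a LAN 2 client's packet to the public address, while a second, destination-only translation step on the internal interface does. All addresses are constructed, and the model assumes the server's reply is routed back through the same router interface, which is what lets the session table restore the public source address without rewriting the client's source on the way in.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str

# constructed addresses: public address on the router, web host on private LAN 1,
# a client on private LAN 2 and a client out on the internet
PUBLIC_WEB, PRIVATE_WEB = "203.0.113.10", "10.1.0.80"
LAN2_CLIENT, INET_CLIENT = "10.2.0.5", "198.51.100.7"

class Natd:
    """Hypothetical stand-in for one natd instance bound to one interface with
    a static redirect. A session table lets the server's reply be rewritten
    back to the public address on its way out of that interface."""
    def __init__(self, redirects):
        self.redirects = redirects   # public -> private
        self.sessions = {}           # (private server, client) -> public
    def inbound(self, p):            # packet entering the router on this interface
        if p.dst in self.redirects:
            priv = self.redirects[p.dst]
            self.sessions[(priv, p.src)] = p.dst
            return replace(p, dst=priv)   # destination only; src is left alone
        return p
    def outbound(self, p):           # packet leaving the router on this interface
        pub = self.sessions.get((p.src, p.dst))
        return replace(p, src=pub) if pub else p

def iface_for(addr):
    return "internal" if addr.startswith("10.") else "external"

def forward(p, natd_by_iface):
    """Router path: NAT on the ingress interface, route on dst, NAT on egress."""
    nat_in = natd_by_iface.get(iface_for(p.src))
    if nat_in:
        p = nat_in.inbound(p)
    nat_out = natd_by_iface.get(iface_for(p.dst))
    return nat_out.outbound(p) if nat_out else p

def round_trip(client, router):
    """Client -> public address, then the server's reply, both via the router.
    Returns (dst as delivered to the server, reply src as seen by the client)."""
    req = forward(Pkt(client, PUBLIC_WEB), router)
    rep = forward(Pkt(req.dst, req.src), router)
    return req.dst, rep.src

def external_only():                 # the original setup from the question
    return {"external": Natd({PUBLIC_WEB: PRIVATE_WEB})}

def external_and_internal():         # plus a redirect step on the internal side
    return {"external": Natd({PUBLIC_WEB: PRIVATE_WEB}),
            "internal": Natd({PUBLIC_WEB: PRIVATE_WEB})}
```

With `external_only()` the internet client is translated both ways, but the LAN 2 client's packet keeps the public destination and never reaches the server; with `external_and_internal()` it is delivered to the private host and the reply comes back from the public address, without the client's source ever being rewritten.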