Date:      Wed, 1 Feb 2006 13:46:33 +0000
From:      Brian Candler <B.Candler@pobox.com>
To:        Julian Elischer <julian@elischer.org>
Cc:        Tiago Cruz <tiagocruz@b4br.net>, "freebsd-net@FreeBSD.org" <freebsd-net@FreeBSD.org>
Subject:   Re: Network client is the same from server
Message-ID:  <20060201134633.GB78696@uk.tiscali.com>
In-Reply-To: <43DFCBBC.7000206@elischer.org>
References:  <1138387362.4742.9.camel@localhost.localdomain> <43DA6C6A.7050701@elischer.org> <1138390041.4742.19.camel@localhost.localdomain> <43DA8E70.2070804@elischer.org> <1138621574.18130.26.camel@localhost.localdomain> <43DE6030.4090702@elischer.org> <20060131123042.GA74812@uk.tiscali.com> <1138713557.25466.4.camel@localhost.localdomain> <43DFCBBC.7000206@elischer.org>

On Tue, Jan 31, 2006 at 12:42:36PM -0800, Julian Elischer wrote:
> >And, if I don't have control over the second gateway? Because my client
> >has a notebook, and he can try to connect from anyplace, anytime :-(
> >
> >So, I think that it is impossible to do... is that true?
> > 
> >
> no,
> you should be able to do it all on your own machine I think.
> by NATing on both interfaces, effectively putting your machine in the middle,
> with one natd on each interface.

Some careful thought is needed though. Before:

   192.168.0.0/24       [nat1]        [nat2]      192.168.0.0/24
  ------+---------- GW1 -------------------- GW2 -----+-----------
        |                                             |
        X                                             Y

After:

   192.168.0.0/24                                 192.168.0.0/24
  ------+---------- GW1 -------------------- GW2 -----+-----------
        |     [nat1]   [nat2]                         |
        X                                             Y

In this example, the sense of 'inbound' and 'outbound' is wrong for each
natd, which you might be able to fix using -reverse on both of them.

Or:

   192.168.0.0/24                                 192.168.0.0/24
  ------+---------- GW1 -------------------- GW2 -----+-----------
        |     [nat2]   [nat1]                         |
        X                                             Y

Here the in/out sense is the same, but now we're doing nat2's processing
before nat1's. Is that a problem? I think it is.

* Packet from 192.168.0.1 to 192.168.200.1
  - at nat2: destination changed to 192.168.0.1
  - at nat1: source changed to 192.168.100.1

Trouble is that at the first step, the destination is now 192.168.0.1, which
means it will be delivered back to the local LAN instead of out of the
external interface.

So a pair of natd's with -reverse and 254 -redirect_address flags each
*might* be able to fix your problem. If it gets any more complex than this -
let's say you need another natd for traffic destined to the public Internet,
while traffic to 192.168.200.0/24 is nat'd down a tunnel to the second
network - then it becomes a PITA.

I don't like natd/ipfw interaction, if you hadn't guessed :-)

OTOH, it might not be easy to make work with pf either. You should only need
two 'binat' rules, but I'm not sure how you go about reversing the in/out
sense. There's a separate freebsd-pf mailing list which might be able to
help.

Regards,

Brian.
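As an added illustration of the two points made in the message above (the in/out sense of each natd, and the order in which the two translations happen relative to the routing decision), here is a small model written for this page. It is not code from the message, from natd or from ipfw. It assumes that X's LAN should appear to Y as 192.168.100.0/24 and Y's LAN should appear to X as 192.168.200.0/24 (the message only names 192.168.100.1 and 192.168.200.1), that each natd carries a 1:1 prefix mapping (the effect of 254 -redirect_address flags), and a simplified view of the hooks: the natd bound to the LAN interface sees a packet from X as "in" before the routing decision, the natd bound to the external interface sees it as "out" after it. Only the X-to-Y direction from the message is modelled.

```python
"""Model of the two-natd arrangement from the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.0.0/24")            # real prefix on both sides
LOCAL_ALIAS = ipaddress.ip_network("192.168.100.0/24")  # assumed: X's LAN as seen by Y
REMOTE_ALIAS = ipaddress.ip_network("192.168.200.0/24") # assumed: Y's LAN as seen by X


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def pkt(src: str, dst: str) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))


def binat(addr, from_net, to_net):
    """1:1 prefix translation with the host part preserved (what 254
    -redirect_address entries amount to). Addresses outside from_net pass."""
    if addr not in from_net:
        return addr
    host = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host)


class Natd:
    """One natd with a local<->public mapping. Normal sense: a packet going
    'out' has its source rewritten local->public, a packet coming 'in' has
    its destination rewritten public->local. -reverse swaps the two."""

    def __init__(self, name, local, public, reverse=False):
        self.name, self.local, self.public, self.reverse = name, local, public, reverse

    def process(self, p: Packet, direction: str) -> Packet:
        if self.reverse:
            direction = "in" if direction == "out" else "out"
        if direction == "out":
            return Packet(binat(p.src, self.local, self.public), p.dst)
        return Packet(p.src, binat(p.dst, self.public, self.local))


def forward_from_lan(p: Packet, lan_natd: Natd, ext_natd: Natd):
    """A packet X sends towards Y, passing through the box.
    Simplified hook model (assumption): LAN-side natd runs as 'in' before
    the routing decision, external-side natd runs as 'out' after it.
    Returns (where the packet is delivered, packet as it leaves the box)."""
    p = lan_natd.process(p, "in")
    if p.dst in LAN:               # routing decision: a 192.168.0.x destination is local
        return "lan", p
    p = ext_natd.process(p, "out")
    return "ext", p


def nat1(reverse: bool) -> Natd:   # X's side: 192.168.0.x <-> 192.168.100.x
    return Natd("nat1", LAN, LOCAL_ALIAS, reverse=reverse)


def nat2(reverse: bool) -> Natd:   # Y's side: 192.168.0.x <-> 192.168.200.x
    return Natd("nat2", LAN, REMOTE_ALIAS, reverse=reverse)


def arrangement(lan_side: Natd, ext_side: Natd):
    """Send the message's example packet 192.168.0.1 -> 192.168.200.1."""
    where, out = forward_from_lan(pkt("192.168.0.1", "192.168.200.1"), lan_side, ext_side)
    return where, str(out.src), str(out.dst)


# Second diagram, natd's default sense: the source gets Y's alias and the
# destination is never translated.
plain = arrangement(nat1(False), nat2(False))
# Second diagram with -reverse on both: leaves for GW1 as 192.168.100.1 -> 192.168.0.1.
reversed_both = arrangement(nat1(True), nat2(True))
# Third diagram: nat2 rewrites the destination to 192.168.0.1 before the
# routing decision, so the packet goes back onto the local LAN.
swapped = arrangement(nat2(False), nat1(False))

if __name__ == "__main__":
    for label, r in [("default sense", plain),
                     ("-reverse on both", reversed_both),
                     ("nat2 before nat1", swapped)]:
        print(f"{label:18s} -> delivered to {r[0]}: {r[1]} -> {r[2]}")
```

The model only decides the route once, which is the assumption behind the message's "delivered back to the local LAN" remark; a real natd/ipfw divert setup re-injects packets, so the reply path and the route for the alias prefixes still need checking on the box itself.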



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060201134633.GB78696>