From owner-freebsd-net@FreeBSD.ORG Wed Feb 1 13:46:39 2006
From: Brian Candler <b.candler@pobox.com>
To: Julian Elischer
Cc: Tiago Cruz, freebsd-net@FreeBSD.org
Date: Wed, 1 Feb 2006 13:46:33 +0000
Subject: Re: Network client is the same from server
Message-ID: <20060201134633.GB78696@uk.tiscali.com>
In-Reply-To: <43DFCBBC.7000206@elischer.org>
References: <1138387362.4742.9.camel@localhost.localdomain> <43DA6C6A.7050701@elischer.org> <1138390041.4742.19.camel@localhost.localdomain> <43DA8E70.2070804@elischer.org> <1138621574.18130.26.camel@localhost.localdomain> <43DE6030.4090702@elischer.org> <20060131123042.GA74812@uk.tiscali.com> <1138713557.25466.4.camel@localhost.localdomain> <43DFCBBC.7000206@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Jan 31, 2006 at 12:42:36PM -0800, Julian Elischer wrote:
> >And, if I haven't control of the second gateway? Because my client
> >has a notebook, and he can try to connect at any place, any time :-(
> >
> >So, I think that is impossible to do... is it true?
> >
> >
> no,
> you should be able to do it all on your own machine I think..
> by NATing on both interfaces, effectively putting your machine in the middle,
> with one natd on each interface.

Some careful thought is needed though.

Before:

192.168.0.0/24        [nat1]        [nat2]        192.168.0.0/24
------+---------- GW1 -------------------- GW2 -----+-----------
      |                                             |
      X                                             Y

After:

192.168.0.0/24                                    192.168.0.0/24
------+---------- GW1 -------------------- GW2 -----+-----------
      | [nat1]                               [nat2] |
      X                                             Y

In this example, the sense of 'inbound' and 'outbound' is wrong for each
natd, which you might be able to fix using -reverse on both of them.

Or:

192.168.0.0/24                                    192.168.0.0/24
------+---------- GW1 -------------------- GW2 -----+-----------
      | [nat2]                               [nat1] |
      X                                             Y

Here the in/out sense is the same, but now we're doing nat2's processing
before nat1's. Is that a problem? I think it is.

* Packet from 192.168.0.1 to 192.168.200.1
  - at nat2: destination changed to 192.168.0.1
  - at nat1: source changed to 192.168.100.1

Trouble is that at the first step, the destination is now 192.168.0.1,
which means it will be delivered back to the local LAN instead of out of
the external interface.

So a pair of natd's with -reverse and 254 -redirect_address flags each
*might* be able to fix your problem.

If it gets any more complex than this - let's say you need another natd
for traffic destined to the public Internet, while traffic to
192.168.200.0/24 is nat'd down a tunnel to the second network - then it
becomes a PITA.

I don't like natd/ipfw interaction, if you hadn't guessed :-)

OTOH, it might not be easy to make work with pf either. You should only
need two 'binat' rules, but I'm not sure how you go about reversing the
in/out sense. There's a separate freebsd-pf mailing list which might be
able to help.

Regards,

Brian.
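The ordering problem Brian describes, modelled in Python as an added example (not part of the mail thread and not natd's own code): each natd is a 1:1 host-preserving rewrite of one /24 into another (what 254 per-host -redirect_address entries would amount to), and the only routing rule on X's machine is "anything in 192.168.0.0/24 goes back onto the LAN". The alias networks 192.168.100.0/24 (how X's LAN appears to the far side) and 192.168.200.0/24 (how the far LAN appears to X) are taken from the mail; the exact split of the two translations into nat1 and nat2 is an assumption for the model.

```python
"""Model of the two double-NAT layouts from the mail (constructed example)."""
import ipaddress
from dataclasses import dataclass

LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")    # both sites use this: the clash
SRC_ALIAS = ipaddress.ip_network("192.168.100.0/24")  # X's hosts as seen by the far LAN
DST_ALIAS = ipaddress.ip_network("192.168.200.0/24")  # far LAN as seen by X


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def remap(addr, from_net, to_net):
    """1:1 rewrite that keeps the host part (one -redirect_address per host)."""
    if addr not in from_net:
        return addr
    host = int(addr) - int(from_net.network_address)
    return to_net.network_address + host


# nat1 rewrites X's source addresses; nat2 rewrites destinations aimed at
# the far LAN. *_in are the reverse translations applied to replies.
def nat1_out(p):
    return Packet(remap(p.src, LOCAL_LAN, SRC_ALIAS), p.dst)


def nat1_in(p):
    return Packet(p.src, remap(p.dst, SRC_ALIAS, LOCAL_LAN))


def nat2_out(p):
    return Packet(p.src, remap(p.dst, DST_ALIAS, LOCAL_LAN))


def nat2_in(p):
    return Packet(remap(p.src, LOCAL_LAN, DST_ALIAS), p.dst)


def route(p):
    """Forwarding decision on X's machine (assumed: one connected route)."""
    return "lan" if p.dst in LOCAL_LAN else "external"


def send(p, lan_nat_out, ext_nat_out):
    """Outbound: LAN-interface natd, then routing, then external natd if routed there."""
    trace = []
    p = lan_nat_out(p)
    trace.append(("lan-if natd", str(p.src), str(p.dst)))
    iface = route(p)
    trace.append(("route", iface))
    if iface == "external":
        p = ext_nat_out(p)
        trace.append(("ext-if natd", str(p.src), str(p.dst)))
    return iface, p, trace


def receive(p, ext_nat_in, lan_nat_in):
    """Reply path: external natd, then LAN natd, then routing."""
    p = lan_nat_in(ext_nat_in(p))
    return route(p), p


X = ipaddress.ip_address("192.168.0.1")
Y_AS_SEEN_BY_X = ipaddress.ip_address("192.168.200.1")


def or_layout():
    """'Or' diagram: nat2 on the LAN side, nat1 on the external side."""
    return send(Packet(X, Y_AS_SEEN_BY_X), nat2_out, nat1_out)


def after_layout():
    """'After' diagram: nat1 on the LAN side, nat2 on the external side."""
    return send(Packet(X, Y_AS_SEEN_BY_X), nat1_out, nat2_out)


def after_layout_reply():
    """Y (really 192.168.0.1 on the far LAN) answers X's translated address."""
    reply = Packet(ipaddress.ip_address("192.168.0.1"),
                   ipaddress.ip_address("192.168.100.1"))
    return receive(reply, nat2_in, nat1_in)


if __name__ == "__main__":
    for name, fn in (("or", or_layout), ("after", after_layout)):
        iface, p, trace = fn()
        print(f"{name}: leaves via {iface} as {p.src} -> {p.dst}")
        for step in trace:
            print("   ", step)
    print("reply:", after_layout_reply())
```

Running it shows the 'Or' layout rewriting the destination to 192.168.0.1 before the route lookup, so the packet is sent back onto the local LAN and nat1 never sees it; in the 'After' layout the source is rewritten first, the unchanged 192.168.200.1 destination still routes to the external interface, and only then is it translated. The reply trace shows X receiving the answer from 192.168.200.1, which is the whole point of the alias network.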