Date:      Wed, 01 Feb 2006 12:02:50 -0800
From:      Julian Elischer <julian@elischer.org>
To:        Brian Candler <B.Candler@pobox.com>
Cc:        Tiago Cruz <tiagocruz@b4br.net>, "freebsd-net@FreeBSD.org" <freebsd-net@freebsd.org>
Subject:   Re: Network client is the same from server
Message-ID:  <43E113EA.60008@elischer.org>
In-Reply-To: <20060201134633.GB78696@uk.tiscali.com>
References:  <1138387362.4742.9.camel@localhost.localdomain>	<43DA6C6A.7050701@elischer.org>	<1138390041.4742.19.camel@localhost.localdomain>	<43DA8E70.2070804@elischer.org>	<1138621574.18130.26.camel@localhost.localdomain>	<43DE6030.4090702@elischer.org>	<20060131123042.GA74812@uk.tiscali.com>	<1138713557.25466.4.camel@localhost.localdomain>	<43DFCBBC.7000206@elischer.org> <20060201134633.GB78696@uk.tiscali.com>

Brian Candler wrote:

>On Tue, Jan 31, 2006 at 12:42:36PM -0800, Julian Elischer wrote:
>
>>>And, if I haven't got control over the second gateway? Because my client
>>>has a notebook, and he can try to connect at anyplace, anytime :-(
>>>
>>>So, I think that it is impossible to do... is it true?
>>>
>>no,
>>you should be able to do it all on your own machine I think..
>>by NATing on both interfaces, effectively putting your machine in the middle,
>>with one natd on each interface.
>>
>
>Some careful thought is needed though. Before:
>
>   192.168.0.0/24       [nat1]        [nat2]      192.168.0.0/24
>  ------+---------- GW1 -------------------- GW2 -----+-----------
>        |                                             |
>        X                                             Y
>
>After:
>
>   192.168.0.0/24                                 192.168.0.0/24
>  ------+---------- GW1 -------------------- GW2 -----+-----------
>        |     [nat1]   [nat2]                         |
>        X                                             Y
>
>In this example, the sense of 'inbound' and 'outbound' is wrong for each
>natd, which you might be able to fix using -reverse on both of them.
>
>Or:
>
>   192.168.0.0/24                                 192.168.0.0/24
>  ------+---------- GW1 -------------------- GW2 -----+-----------
>        |     [nat2]   [nat1]                         |
>        X                                             Y
>
>Here the in/out sense is the same, but now we're doing nat2's processing
>before nat1's. Is that a problem? I think it is.
>
>* Packet from 192.168.0.1 to 192.168.200.1
>  - at nat2: destination changed to 192.168.0.1
>  - at nat1: source changed to 192.168.100.1
>
>Trouble is that at the first step, the destination is now 192.168.0.1, which
>means it will be delivered back to the local LAN instead of out of the
>external interface.
>
>So a pair of natds with -reverse and 254 -redirect_address flags each
>*might* be able to fix your problem. If it gets any more complex than this -
>let's say you need another natd for traffic destined to the public Internet,
>while traffic to 192.168.200.0/24 is nat'd down a tunnel to the second
>network - then it becomes a PITA.

It does work.. I've done it once..

The secret is to make sure that each natd ONLY gets the packets for the
interface for which it is responsible, so the ipfw rules are very important.
You need to make use of ipfw's interface clauses.

>I don't like natd/ipfw interaction, if you hadn't guessed :-)
>
>OTOH, it might not be easy to make work with pf either. You should only need
>two 'binat' rules, but I'm not sure how you go about reversing the in/out
>sense. There's a separate freebsd-pf mailing list which might be able to
>help.
>
>Regards,
>
>Brian.

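The interface-bound setup Julian describes, written out as an added example; it is not code from the thread or from either poster. It assumes a FreeBSD gateway with a LAN interface em0 and a tunnel interface tun0, divert ports 8668 and 8669, rule numbers 1000-1200, and Brian's translation plan (local 192.168.0.x shown to the far side as 192.168.100.x, remote 192.168.0.y shown to the local side as 192.168.200.y); the -reverse usage follows Brian's suggestion, and only three hosts per side are mapped so the output stays short. It prints the commands by default (RUN=echo) rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): one natd per interface on a FreeBSD
# gateway, each fed only by ipfw divert rules keyed on its own interface.
# Assumptions: LAN side em0, tunnel side tun0, divert ports 8668/8669, and
# Brian's translation plan (local 192.168.0.x appears remotely as
# 192.168.100.x, remote 192.168.0.y appears locally as 192.168.200.y).
# Dry run by default: RUN=echo prints the commands; RUN= executes them.

RUN=${RUN:-echo}
LAN_IF=${LAN_IF:-em0}
TUN_IF=${TUN_IF:-tun0}
LAN_PORT=${LAN_PORT:-8668}
TUN_PORT=${TUN_PORT:-8669}
HOSTS=${HOSTS:-"1 2 3"}   # last octets to map; use $(seq 1 254) for the full /24

# Build the natd argument list for one interface.
# $1 = interface, $2 = divert port, $3 = alias prefix (first three octets).
# -reverse swaps natd's in/out sense: the hosts being translated sit on the
# same side as the interface, so packets entering it need their source
# aliased and packets leaving it need their destination un-aliased.
# -redirect_address LOCAL ALIAS supplies the static 1:1 map per host.
natd_args() {
    args="-p $2 -n $1 -reverse"
    for h in $HOSTS; do
        args="$args -redirect_address 192.168.0.$h $3.$h"
    done
    echo "$args"
}

# The divert rules use ipfw's interface clause ('via') so that each natd
# sees exactly the traffic of its own interface, in both directions, and
# never the other interface's. The trailing allow stands in for the real
# filter policy.
ipfw_rules() {
    cat <<EOF
ipfw add 1000 divert $LAN_PORT ip from any to any via $LAN_IF
ipfw add 1100 divert $TUN_PORT ip from any to any via $TUN_IF
ipfw add 1200 allow ip from any to any
EOF
}

apply() {
    $RUN sysctl net.inet.ip.forwarding=1
    $RUN natd $(natd_args "$LAN_IF" "$LAN_PORT" 192.168.100)
    $RUN natd $(natd_args "$TUN_IF" "$TUN_PORT" 192.168.200)
    ipfw_rules | while read -r line; do
        $RUN $line
    done
}

apply
```

With the rules keyed on 'via', the order of translation is fixed by the interface a packet crosses, not by rule numbers: a local host's packet is source-aliased by the em0 natd on the way in and destination-rewritten by the tun0 natd on the way out, and the reply is handled in the opposite order. Brian's routing caveat still has to be checked on the box: after the tun0 natd rewrites the destination to 192.168.0.y and re-injects the packet, confirm that it really leaves via tun0 and is not routed back onto the LAN. The packet counters from `ipfw show` on rules 1000 and 1100 tell you which natd saw each packet and in which direction.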
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43E113EA.60008>