Date: Mon, 27 Jun 2005 22:18:16 -0700
From: Julian Elischer <julian@elischer.org>
To: Julian Elischer <julian@elischer.org>
Cc: net@freebsd.org
Subject: Re: Julian's networking challenge 2005
Message-ID: <42C0DD98.7090504@elischer.org>
In-Reply-To: <42C0DB3B.6000606@elischer.org>
References: <42C0DB3B.6000606@elischer.org>
This time with fewer typos..

Julian Elischer wrote:
>
> So for reasons that I won't go into, I find myself renumbering half of a
> company. However I have a particular problem I can't figure out how to fix.
>
> I have a gateway/firewall machine running 4.x
>
> It has 3 interfaces
>
> fxp0 goes to the internal trusted network
> fxp1 goes to the internet via a T1 via a cisco box, but is shared with another
> section of the company. The company web service is advertised as coming from
> an address that is advertised as being on this T1. So are other services.
>
> fxp2 also goes to the internet via a cisco box, however nothing is using it at
> the moment.
>
> The one shared T1 is being flooded out by users behind this machine, much to
> the annoyance of the users on the other part of the company. This is supposed
> to be their T1.
>
> For reasons that are beyond the scope of this problem, the advertised DNS
> addresses for the services advertised can not just be switched to be via the
> other T1.
>
> The network attached to fxp0 needs to be NAT'd to use the Internet as it is
> using illegal numbers.
>
> The challenge:
>
> Figure out a way so that all the users on the network behind fxp0 can use the
> internet using the T1 attached to the cisco off fxp1, while all the advertised
> services (about 8 of them, few enough to list by hand in rules etc.), which
> are also behind fxp0 but accessed by NAT'd addresses from the range on
> fxp1's net, are accessed solely via that T1.
>
>                 [ internet ]
>                  |       |
>                  T1      T1
>                  |       |
>              [cisco]  [cisco]--------[other part of company]
>                  |       |
>               [fxp1]  [fxp2]
>               [ freebsd 4.x ]
>                   [fxp0]
>                     |
>                     |
>  -----------------------illegal numbered net(s) (e.g. 192.168.x.x)-----
>       |            |            |
>  [server 1 ]  [server 2]  [lots of users]
>
> I can get the 'forward' direction easily.. i.e. incoming packets.
>
> It's the reverse direction that doesn't work for me.
>
> I considered running 2 NATDs but I need to run ipfw to identify the reverse
> streams to force back via fxp2 and the only way I can do that is by using the
> 'fwd' command. If I do that I can't divert them, and if I divert them to natd
> first, I can't 'fwd' them afterwards as the NATing is already done for the
> other (wrong) interface.
>
> I almost want to add a "route add FROM Server 1 via [fxp2 cisco]" which I've
> seen people request but until now I've never understood why..
>
>
> for points:
> It may be possible by making the bsd box actually 3 boxes
> joined by a 10.x.x.x interface. describe how..
>
> Your friend with less and less hair..
>
> julian
>
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42C0DD98.7090504>