From: Julian Elischer <julian@elischer.org>
Date: Mon, 27 Jun 2005 22:18:16 -0700
To: Julian Elischer
Cc: net@freebsd.org
Subject: Re: Julian's networking challenge 2005
Message-ID: <42C0DD98.7090504@elischer.org>
In-Reply-To: <42C0DB3B.6000606@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

This time with fewer typos..

Julian Elischer wrote:
>
> So for reasons that I won't go into, I find myself renumbering half of a
> company. However I have a particular problem I can't figure out how to fix.
>
> I have a gateway/firewall machine running 4.x
>
> It has 3 interfaces
>
> fxp0 goes to the internal trusted network
> fxp1 goes to the internet via a T1 via a cisco box, but is shared with
> another section of the company. The company web service is advertised as
> coming from an address that is advertised as being on this T1. So are
> other services.
>
> fxp2 also goes to the internet via a cisco box, however nothing is using
> it at the moment.
>
> The one shared T1 is being flooded out by users behind this machine, much
> to the annoyance of the users on the other part of the company. This is
> supposed to be their T1.
>
> For reasons that are beyond the scope of this problem, the advertised DNS
> addresses for the services advertised can not just be switched to be via
> the other T1.
>
> The network attached to fxp0 needs to be NAT'd to use the Internet as it
> is using illegal numbers.
>
> The challenge:
>
> Figure out a way so that all the users on the network behind fxp0 can use
> the internet using the T1 attached to the cisco off fxp1, while all the
> advertised services (about 8 of them, few enough to list by hand in rules
> etc.), which are also behind fxp0 but accessed by NAT'd addresses from the
> range on fxp1's net, are accessed solely via that T1.
>
>                  [ internet ]
>                  |          |
>                  T1         T1
>                  |          |
>             [cisco]       [cisco]--------[other part of company]
>                  |          |
>              [fxp1]       [fxp2]
>              [ freebsd 4.x ]
>                  [fxp0]
>                    |
>                    |
>  -----------------------illegal numbered net(s) (e.g. 192.168.x.x)-----
>       |              |                |
>   [server 1 ]   [server 2]      [lots of users]
>
> I can get the 'forward' direction easily, i.e. incoming packets.
>
> It's the reverse direction that doesn't work for me. I considered running
> 2 NATDs but I need to run ipfw to identify the reverse streams to force
> back via fxp2 and the only way I can do that is by using the 'fwd' command.
> If I do that I can't divert them, and if I divert them to natd first, I
> can't 'fwd' them afterwards as the NATing is already done for the other
> (wrong) interface.
>
> I almost want to add a route add FROM Server 1 via [fxp2 cisco], which I've
> seen people request but until now I've never understood why..
>
>
> For points:
> It may be possible by making the bsd box actually 3 boxes
> joined by a 10.x.x.x interface. Describe how..
>
> Your friend with less and less hair..
>
> julian
>
>
>
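One ruleset shape for the setup described in the post, added here as an example; it is not part of the original message, nor FreeBSD's own rc.firewall. It assumes FreeBSD 4.x ipfw(8)/natd(8) semantics: two natd instances listening on different divert ports (natd -p), static 1:1 mappings for the advertised servers (natd -redirect_address), and a kernel built with options IPFIREWALL_FORWARD so that ipfw fwd applies to forwarded packets. The ordering it relies on is the one the post says did not seem possible: a packet diverted to natd re-enters ipfw at the rule after the divert rule, carrying its translated source address, so a fwd rule placed right after the divert can match the public (advertised) address and force the next hop. All interface names, addresses (RFC 5737 documentation ranges) and the two-server mapping are placeholders; which physical link carries the advertised addresses is called the "service link" here, the other the "user link", and the post is not explicit about which of fxp1/fxp2 that is, so swap the names to match the real wiring. The script only emits the commands so they can be reviewed before being piped to sh on the gateway.

```shell
#!/bin/sh
# Two-link NAT + policy routing sketch for FreeBSD 4.x ipfw(8)/natd(8).
# Emits the natd and ipfw commands; review, then:  sh rules.sh | sh
# Every name and address below is a placeholder (constructed example).

INT_IF=${INT_IF:-fxp0};   INT_NET=${INT_NET:-192.168.1.0/24}
USER_IF=${USER_IF:-fxp1}; USER_GW=${USER_GW:-203.0.113.1}   # link for general users
SVC_IF=${SVC_IF:-fxp2};   SVC_GW=${SVC_GW:-198.51.100.1}    # link that advertises the services
USER_NATD=8668                                              # divert port, user-link natd
SVC_NATD=8669                                               # divert port, service-link natd
# local=public pairs for the advertised servers (the post has about 8; two shown)
SERVER_MAP=${SERVER_MAP:-"192.168.1.10=198.51.100.10 192.168.1.11=198.51.100.11"}

gen_natd() {
    # One natd per link, each on its own divert port.  The service-link
    # instance carries the static mappings (-redirect_address is bidirectional:
    # inbound to the public address reaches the server, and outbound from the
    # server is aliased to that same public address).  The public addresses
    # must be reachable on $SVC_IF (e.g. configured as interface aliases).
    echo "natd -p $USER_NATD -n $USER_IF"
    redirects=""
    for pair in $SERVER_MAP; do
        redirects="$redirects -redirect_address ${pair%=*} ${pair#*=}"
    done
    echo "natd -p $SVC_NATD -n $SVC_IF$redirects"
}

gen_ipfw() {
    echo "ipfw -f flush"
    # Inbound from the internet: un-NAT on whichever link the packet arrived on.
    echo "ipfw add 1000 divert $USER_NATD ip from any to any in via $USER_IF"
    echo "ipfw add 1100 divert $SVC_NATD ip from any to any in via $SVC_IF"
    # Reverse direction for the servers: divert to the service-link natd first,
    # so the source becomes the advertised address; the packet re-enters ipfw at
    # the next rule, where fwd matches the translated source and forces the
    # next hop to the service-link cisco regardless of the default route.
    n=2000
    for pair in $SERVER_MAP; do
        echo "ipfw add $n divert $SVC_NATD ip from ${pair%=*} to any in via $INT_IF"
        n=$((n+1))
        echo "ipfw add $n fwd $SVC_GW ip from ${pair#*=} to any in via $INT_IF"
        n=$((n+1))
    done
    # Everyone else on the inside goes through the user-link natd; the default
    # route (pointing at $USER_GW) then carries the translated packet out $USER_IF.
    echo "ipfw add 3000 divert $USER_NATD ip from $INT_NET to any in via $INT_IF"
    echo "ipfw add 65000 allow ip from any to any"
}

gen_natd
gen_ipfw
```

Two checks worth making on a real box before trusting this: confirm with `ipfw show` that the fwd rules (2001, 2003, ...) accumulate packet counts when a server answers an outside client, which proves the re-entry-after-divert behaviour on that kernel; and confirm that the service-link cisco actually accepts the advertised source addresses on that link, since the scheme is asymmetric if the advertised range belongs to the other link's subnet. The `allow ip from any to any` at the end is only there to keep the example about NAT and routing; a production ruleset would put the real filtering policy before it.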