From owner-freebsd-net@FreeBSD.ORG Tue Feb 23 01:10:36 2010
From: Steve Bertrand
To: Christian Ullrich
Cc: freebsd-net@freebsd.org
Subject: Re: Routing into overlapping subnets
Date: Mon, 22 Feb 2010 20:10:44 -0500
Message-ID: <4B832B14.3090406@ibctech.ca>
In-Reply-To: <4B7CD0CB.4080105@chrullrich.net>
References: <4B7C62AF.6000904@chrullrich.net> <4B7CA72A.4050202@ibctech.ca> <4B7CD0CB.4080105@chrullrich.net>
List-Id: Networking and TCP/IP with FreeBSD

On 2010.02.18 00:31, Christian Ullrich wrote:
> * Steve Bertrand wrote:
>
>> On 2010.02.17 16:42, Christian Ullrich wrote:
>
>>> send the packet. Why doesn't the kernel look up an ARP table entry by
>>> both IP address and interface?
>>
>> That's not how the protocols were designed, and thankfully so. Imagine
>> the potential for spoofing if this were allowed by default ;)
>
> You're right, of course. I had not considered that.
>
>> I have a couple of ideas, but need to understand your setup better.
>> Advise if this seems semi-accurate:
>>
>> - you house global resources for a bunch of clients at a central location
>> - you have limited public IP addresses to do this with, or your central
>>   location is located within the same 'building' as all of the clients
>
> The latter.
>
>> - you have several clients with overlapping 1918 space
>> - you need a method to have two instances of e.g. 192.168.1.110 accessing
>>   a single central resource, but which will be coming in on two separate
>>   interfaces (physical or virtual)
>> - the central service (i.e. printer) doesn't have the capability to house
>>   more than a single IPv4 address
>> - you do not want to be open to the potential for one client accessing
>>   the others' networks
>> - you have absolute control over the pf box
>>
>> is this right?
>
> Exactly right.

Contact me off-list, and I'll see if I can help with either cleaning this
up, or with a dirty hack. We'll post any positive results to the list.

Steve