From owner-freebsd-security Thu Mar 8 6:37:43 2001
Delivered-To: freebsd-security@freebsd.org
Date: Thu, 8 Mar 2001 09:37:18 -0500 (EST)
From: Matt Piechota <piechota@argolis.org>
To: Ilya
Subject: Re: vpn vs natd
In-Reply-To: <013c01c0a771$e80f3e30$0100a8c0@ilya>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG

On Wed, 7 Mar 2001, Ilya wrote:

> As far as I know there is no way to make VPN work through many-to-one NAT.
> Only many-to-many will work. I currently have at home one-to-many (Windows
> clients through FreeBSD router); now that I need VPN, I got a second public
> IP. Is it somehow possible to set up that all traffic from a certain private IP
> on my LAN would go out using my new IP? Which I guess will reside on the same
> network card which hosts the current public IP. Is it also possible to do it
> without breaking the config I have now?
> So I am thinking, many-to-one NAT for all Windows clients except one, and
> many-to-many for only one specific private IP.
> How can I do it?

You may not need the second IP. For my work's VPN, the server IP is
constant, so I have natd set up to direct any incoming traffic from
$SERVER_IP to a particular internal IP. It's fairly crufty, and could be
considered insecure (IP spoofing), but it does work.

Anyone have a suggestion of a better way? Would ipfw with the state stuff
enabled do the same job?
--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron
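The split Ilya asks for, and the stateful alternative Matt wonders about, can be expressed together in natd(8) plus ipfw(8): the LAN keeps its many-to-one NAT, the one VPN client gets a static one-to-one mapping to the second public IP via natd's redirect_address option, and inbound access to that host is limited to the IPsec protocols (IKE on UDP 500 and ESP) rather than being keyed on a remote server's source address. The script below is an added example, not code from the original thread; the interface name fxp0 and all addresses are placeholders chosen for the example, and the rule ordering (inbound divert before check-state, outbound keep-state jumping to the outbound divert) is what keeps the dynamic rules keyed on the private address in both directions. It applies to ESP-based VPNs only: AH authenticates the IP header, so no address rewriting can pass it.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates a FreeBSD
# natd(8)/ipfw(8) configuration for the split discussed above: the LAN keeps
# many-to-one NAT, while one internal host gets a static one-to-one mapping
# to a second public IP aliased on the same external card. Interface name and
# all addresses below are placeholders chosen for this example.

EXT_IF="fxp0"             # assumed external interface
LAN_NET="192.168.1.0/24"  # assumed private LAN
VPN_HOST="192.168.1.10"   # assumed private IP of the one VPN client
VPN_PUBLIC="203.0.113.5"  # assumed second public IP (documentation range)

# natd.conf: the default many-to-one NAT stays; redirect_address adds the
# static 1:1 mapping (both directions) for the VPN client.
gen_natd_conf() {   # args: iface lan_host public_ip
    cat <<EOF
interface $1
use_sockets yes
same_ports yes
redirect_address $2 $3
EOF
}

# rc.conf fragment: alias the second public IP on the same card, enable
# forwarding, start natd with the file above and load the ruleset file.
gen_rc_conf() {   # args: iface public_ip
    cat <<EOF
gateway_enable="YES"
ifconfig_${1}_alias0="inet $2 netmask 255.255.255.255"
natd_enable="YES"
natd_interface="$1"
natd_flags="-f /etc/natd.conf"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
EOF
}

# ipfw rules. Ordering matters with divert: inbound packets are untranslated
# first (rule 100) so that check-state and the VPN rules see private
# addresses; outbound LAN packets are remembered with keep-state and then
# jump (skipto) to the outbound divert, so each dynamic rule is keyed on the
# private address in both directions. Only IKE (UDP 500) and ESP are opened
# toward the mapped host; nothing relies on trusting a remote source address.
# Services on the router itself would need their own explicit rules.
gen_ipfw_rules() {   # args: iface lan_net lan_host
    cat <<EOF
add 100 divert natd ip from any to any in via $1
add 200 check-state
add 300 skipto 800 ip from $2 to any out via $1 keep-state
add 400 allow udp from any 500 to $3 500 in via $1
add 410 allow esp from any to $3 in via $1
add 500 deny log ip from any to any in via $1
add 800 divert natd ip from any to any out via $1
add 810 allow ip from any to any
EOF
}

# Write the three files under a root directory (a staging tree to review
# before copying into /etc). Prints the list of files written.
write_config_tree() {   # arg: root dir
    root="$1"
    mkdir -p "$root/etc"
    gen_natd_conf "$EXT_IF" "$VPN_HOST" "$VPN_PUBLIC" > "$root/etc/natd.conf"
    gen_rc_conf "$EXT_IF" "$VPN_PUBLIC" > "$root/etc/rc.conf.nat"
    gen_ipfw_rules "$EXT_IF" "$LAN_NET" "$VPN_HOST" > "$root/etc/ipfw.rules"
    printf '%s\n' "$root/etc/natd.conf" "$root/etc/rc.conf.nat" "$root/etc/ipfw.rules"
}

# Usage: sh nat-split.sh /tmp/staging
if [ $# -ge 1 ]; then
    write_config_tree "$1"
fi
```

Rule 500 denies and logs anything inbound on the external interface that is neither a reply to a LAN-initiated flow nor IPsec for the mapped host, which is also where a spoofing attempt against the old "trust $SERVER_IP" approach would show up in the logs.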