From owner-freebsd-questions Sat Mar 6 10: 9:18 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from vortex.ufrgs.br (vortex.ufrgs.br [143.54.1.7]) by hub.freebsd.org (Postfix) with ESMTP id CF1BF15289 for ; Sat, 6 Mar 1999 10:09:09 -0800 (PST) (envelope-from schmitt@penta.ufrgs.br)
Received: from porta2.etcom.ufrgs.br (porta2.etcom.ufrgs.br) by vortex.ufrgs.br (PMDF V5.0-4 #11953) id <01J8IIY0GZZK00J5G1@vortex.ufrgs.br> for freebsd-questions@FreeBSD.ORG; Sat, 6 Mar 1999 15:09:47 GMT-02:00
Date: Sat, 06 Mar 1999 15:07:29 -0300
From: Marcelo
Subject: NAT and SKIP together solution. I got it.
To: freebsd-questions@FreeBSD.ORG
Reply-To: schmitt@penta.ufrgs.br
Message-id: <36E16EE0.2FE8C94@penta.ufrgs.br>
MIME-version: 1.0
X-Mailer: Mozilla 4.04 [en] (Win95; I)
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I had never sent a mail to the list, but as I realized that some guys had problems putting NAT and SKIP on the same interface, I would like to contribute my solution. I didn't put them in parallel. The situation I faced demanded that my firewall first converted the address of the originator and then encapsulated the packet in a tunnel.

First I will explain the problem, then the solution and, last but not least, the drawback of it.

Problem

a) Network 1 is 10.200.0.0. It works perfectly and it NATs in order to see the Internet. Our Internet address is one like 200.248.195.126.
b) We need to access another internal network (172.27.0.0). But that network thinks that we are network 172.29.0.0 and not 10.200.0.0.
c) So, I needed to maintain Internet access (a) and make the tunnel (b).

Solution

a) Internet
I have a natd related to the external interface. I divert to this natd only the packets that are not going to 172.27.0.0 (or coming from it).
b) Tunnel
I configured an alias address - 172.29.0.1 - at the external interface. I have another natd on the external interface, but it is associated with the alias address. I divert to that natd only the packets that are going to 172.27.0.0 (or coming from it).

It works fine.

Problem

The firewall has to notify with ICMP 3.4 (packet needed fragmentation) the computers which want to send packets bigger than 1366 bytes, because the MTU of the external interface is modified by SKIP. It notifies when the connection is destined to the Internet, but it doesn't when the packet is destined to the tunnel. So I had to alter the MTU on every workstation of my network. That's very bad.

What I would like to know is why the packet is first encapsulated by SKIP and only after that the system finds out that it can't be transmitted because of the MTU.

Marcelo Augusto Rauh Schmitt
COPS Informatica - Porto Alegre - RS
Brazil

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
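The two-natd split described in the post, written out as an added configuration example (it is not the poster's own script). The addresses come from the post; the interface name ed0, the divert ports 8668/8669, the /16 masks and the rule numbers are assumptions.

```shell
#!/bin/sh
# Constructed example: one natd for the Internet, one for the SKIP tunnel,
# selected by ipfw divert rules on the external interface.
EXT_IF=${EXT_IF:-ed0}          # external interface (assumed name)
TUN_ALIAS=172.29.0.1           # alias the 172.27.0.0 side expects to see
LOCAL_NET=10.200.0.0/16        # internal network (mask assumed)
PEER_NET=172.27.0.0/16         # network reached through the tunnel (mask assumed)
INET_PORT=8668                 # divert port of the Internet natd (assumed)
TUN_PORT=8669                  # divert port of the tunnel natd (assumed)
IPFW=${IPFW:-ipfw}             # overridable so the rules can be previewed
NATD=${NATD:-natd}

# The alias gives the tunnel natd an address to translate 10.200.0.0 into.
add_alias() {
    ifconfig "$EXT_IF" alias "$TUN_ALIAS" netmask 255.255.255.255
}

# One natd per translation domain, each on its own divert port.
start_natd() {
    $NATD -p "$INET_PORT" -n "$EXT_IF"      # translates to the interface address
    $NATD -p "$TUN_PORT" -a "$TUN_ALIAS"    # translates to the alias address
}

# Tunnel traffic is matched first; a packet re-enters the ruleset after the
# divert rule that handled it, so rules 120/130 accept translated tunnel
# traffic before it can reach the Internet natd at rule 200.
install_rules() {
    $IPFW add 100 divert "$TUN_PORT" ip from "$LOCAL_NET" to "$PEER_NET" via "$EXT_IF"
    $IPFW add 110 divert "$TUN_PORT" ip from "$PEER_NET" to "$TUN_ALIAS" via "$EXT_IF"
    $IPFW add 120 allow ip from any to "$PEER_NET"
    $IPFW add 130 allow ip from "$PEER_NET" to any
    $IPFW add 200 divert "$INET_PORT" ip from any to any via "$EXT_IF"
    $IPFW add 300 allow ip from any to any
}

# Apply everything only when explicitly asked to.
if [ "${1:-}" = apply ]; then
    add_alias
    start_natd
    install_rules
fi
```

Run with `IPFW=echo sh script.sh apply` to preview the rules before loading them on the firewall.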