Date:      Sat, 06 Mar 1999 15:07:29 -0300
From:      Marcelo <schmitt@penta.ufrgs.br>
To:        freebsd-questions@FreeBSD.ORG
Subject:   NAT and SKIP together solution. I got it.
Message-ID:  <36E16EE0.2FE8C94@penta.ufrgs.br>

I had never sent a mail to the list, but as I realized that some guys
had problems putting NAT and SKIP on the same interface, I would like to
contribute my solution. I didn't put them in parallel. The situation
I faced demanded that my firewall first convert the address of the
originating packets and then encapsulate them in a tunnel.

First I will explain the problem, then the solution and, at last but not
least, the drawback of it.

Problem
a)    Network 1 is 10.200.0.0. It works perfectly and it NATs in order to
see the Internet. Our Internet address is one like 200.248.195.126.
b)   We need to access another internal network (172.27.0.0). But that
network thinks that we are network 172.29.0.0 and not 10.200.0.0.
c)   So, I needed to maintain Internet access (a) and make the tunnel
(b).

Solution
a) Internet
    I have a natd related to external interface
    I divert to this natd only the packets that are not going to
172.27.0.0 (or coming from)

b) Tunnel
    I configured an alias address - 172.29.0.1 at the external interface

    I have another natd on the external interface, but which is associated
with the alias address.
    I divert to that natd only packets that are going to 172.27.0.0 (or
coming from).

    It works fine.

Problem
    The firewall has to notify with ICMP 3.4 (packet needs
fragmentation) computers which want to send packets bigger than 1366
bytes, because the MTU of the external interface is modified by SKIP. It
notifies when the connection is destined to the Internet, but it doesn't
when the packet is destined to the tunnel. So I had to alter the MTU on
every workstation of my network. That's very bad.

    What I would like to know is why the packet is first encapsulated by
SKIP and only after that the system finds out that it can't be
transmitted because of the MTU.

Marcelo Augusto Rauh Schmitt
COPS Informatica -
Porto Alegre - RS
Brazil
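The two-natd layout described in the post, written out as ipfw divert rules and natd invocations. This is an added example, not the poster's own configuration: the interface name (ed0), the /16 prefixes, and the divert ports 8668/8669 are assumptions, since the post does not give them.

```sh
#!/bin/sh
# Added example: generate the natd and ipfw commands for the two-natd split.
# Assumed values (not from the post): external interface ed0, internal net
# 10.200.0.0/16, tunnel peer 172.27.0.0/16, alias 172.29.0.1,
# divert port 8668 for the Internet natd and 8669 for the tunnel natd.
EXT_IF=ed0
INET_PORT=8668        # natd for ordinary Internet traffic
TUNNEL_PORT=8669      # natd bound to the 172.29.0.1 alias
ALIAS_ADDR=172.29.0.1
TUNNEL_NET=172.27.0.0/16
INTERNAL_NET=10.200.0.0/16

# Commands that start both natd instances on distinct divert ports.
natd_commands() {
    # Internet natd: aliases to the primary address of the external interface.
    echo "natd -n $EXT_IF -p $INET_PORT"
    # Tunnel natd: aliases to the alias address instead of the interface address.
    echo "natd -a $ALIAS_ADDR -p $TUNNEL_PORT"
}

# ipfw rules. The first matching divert rule wins, so the tunnel-specific
# rules must come before the catch-all rule for the Internet natd.
ipfw_rules() {
    echo "ipfw add 100 divert $TUNNEL_PORT ip from $INTERNAL_NET to $TUNNEL_NET via $EXT_IF"
    echo "ipfw add 110 divert $TUNNEL_PORT ip from $TUNNEL_NET to $ALIAS_ADDR via $EXT_IF"
    echo "ipfw add 120 divert $INET_PORT ip from any to any via $EXT_IF"
}

# Which divert port a packet from $1 to $2 would hit, mirroring the rule
# order above (prefix match simplified to the first two octets of the /16).
classify() {
    src=$1; dst=$2
    case "$dst" in 172.27.*) echo "$TUNNEL_PORT"; return;; esac
    case "$src" in 172.27.*) echo "$TUNNEL_PORT"; return;; esac
    echo "$INET_PORT"
}

# Print the full command set; pipe it into sh on the firewall to apply it.
natd_commands
ipfw_rules
```

The classify function only models the rule ordering; it does not model the SKIP encapsulation or the MTU problem the post goes on to describe.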
