Date: Mon, 6 Jul 2009 18:53:44 +0200
From: Giuliano Gavazzi <dev+lists@humph.com>
To: Kim Attree <kim.attree@playsafesa.com>
Cc: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject: Re: Problem with source based policy routing
Message-ID: <D99BAF63-5F9C-49BC-AE5B-2652B1F6BDC7@humph.com>
In-Reply-To: <00265389C30B444288C246DF37651D0C37698F3933@server-02.playsafesa.com>
References: <00265389C30B444288C246DF37651D0C37637A1893@server-02.playsafesa.com> <E5834FA3-2CC4-4192-9A26-0C4914B782A2@humph.com> <00265389C30B444288C246DF37651D0C37698F3933@server-02.playsafesa.com>
On M 6 Jul, 2009, at 15:35, Kim Attree wrote:

> I have one Internal Exchange server (don't laugh), and NAT handles
> the static mapping of IP/Port to that server. The original point
> here is to have two mapped NAT port 25's to the same internal Mail
> server, hence the addition of the NAT before and during the forward
> logic (obviously wrong though).

Ah, if you want to have an internal server reachable on both public addresses, via the corresponding two firewall interfaces, you must have a way to tell the firewall how to distinguish the return packets in order to use the correct natd instance. If the internal Exchange server port is the same, there is no way of telling that. At most you could use the peer port, but even that would not be failproof, and I would not know how to proceed (I think dynamic rules can only establish holes - allow action - in the firewall, not a fwd action).

So you must use two different ports or alias addresses on the Exchange server, and divert to the appropriate outgoing natd instance on the basis of that.

I have not enough time at the moment to write down a complete workflow, but I hope this, with the remarks in my previous post, gives you enough hints.

Giuliano
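The approach Giuliano sketches (one internal mail host, two public addresses, two natd instances told apart by the internal port, and a fwd rule for the replies that must leave through the second ISP) as a worked ruleset. This is an added example, not code from either poster: interface names (fxp0/fxp1/fxp2), the RFC 5737 gateway addresses, the internal address 192.168.1.10, the second listener port 2525 and the natd divert ports 8668/8669 are all assumptions. It expects a kernel built with the IPFIREWALL_FORWARD option so that the fwd action is honoured, and a mail server that listens on both ports (an alias address on the server, as the reply also mentions, would do the same job with two -redirect_address targets instead).

```shell
#!/bin/sh
# ipfw + natd: one internal mail host reachable on two public addresses.
# All names, addresses and ports below are assumed values for the example.
EXT_A=fxp0; GW_A=203.0.113.1     # ISP A: carries the default route
EXT_B=fxp1; GW_B=198.51.100.1    # ISP B: reached only through the fwd rule
INT_IF=fxp2                      # LAN side
MAIL=192.168.1.10                # internal mail host
PORT_A=25                        # listener reached through ISP A
PORT_B=2525                      # second listener, reached through ISP B
NATD_A=8668; NATD_B=8669         # divert ports of the two natd instances
FWCMD=${FWCMD:-ipfw}             # set FWCMD=echo to dry-run the rule set

start_natd() {
    # Each natd aliases with its own external interface and maps public
    # port 25 to a different internal port. That internal port is the
    # only thing that lets the firewall pick the right natd for replies.
    natd -p "$NATD_A" -n "$EXT_A" -redirect_port tcp "$MAIL:$PORT_A" 25
    natd -p "$NATD_B" -n "$EXT_B" -redirect_port tcp "$MAIL:$PORT_B" 25
}

load_rules() {
    $FWCMD -f flush
    # Everything crossing an external interface is translated by the natd
    # bound to that interface, in both directions.
    $FWCMD add 100 divert "$NATD_A" ip from any to any via "$EXT_A"
    $FWCMD add 110 divert "$NATD_B" ip from any to any via "$EXT_B"
    # Source-based policy routing: replies from the second listener would
    # otherwise follow the default route out of EXT_A and be un-translated
    # by the wrong natd (or leak with an un-aliased private source address).
    # fwd is terminal, so these packets are accepted here as well.
    $FWCMD add 200 fwd "$GW_B" tcp from "$MAIL" "$PORT_B" to any in recv "$INT_IF"
    # Inbound mail after translation: each external interface may only reach
    # the listener that its own natd maps to.
    $FWCMD add 300 allow tcp from any to "$MAIL" "$PORT_A" in recv "$EXT_A"
    $FWCMD add 310 allow tcp from any to "$MAIL" "$PORT_B" in recv "$EXT_B"
    # Replies from the primary listener take the default route through ISP A.
    $FWCMD add 320 allow tcp from "$MAIL" "$PORT_A" to any in recv "$INT_IF"
    # Packets already admitted inbound are let out on their egress interface
    # (after rule 100/110 has aliased the ones leaving through an ISP).
    $FWCMD add 330 allow ip from any to any out
    # Nothing else is permitted; the implicit rule 65535 also denies.
    $FWCMD add 65000 deny log ip from any to any
}

case "${1:-}" in
    start) start_natd; load_rules ;;
esac
```

Run it as `sh ipfw-two-natd.sh start` on the firewall, or `FWCMD=echo sh -c '. ./ipfw-two-natd.sh; load_rules'` to see the rules it would install. The order matters: the divert rules must precede the fwd rule so that packets arriving on EXT_B are de-aliased to MAIL:2525 before anything matches on that port, and the fwd rule must match on the inbound pass from the LAN, because that is where the next hop is chosen.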