From: Danny Howard
To: freebsd-questions@freebsd.org
Date: Sat, 27 Apr 2002 18:42:49 -0700
Subject: ipfw/natd redirect external IP to protected net?
Message-ID: <20020427184249.B13388@pianosa.catch22.org>

Home network: DSL subnet -> FreeBSD ipfw/natd -> 10.net

Now I have a Netscreen box, a VPN box which is meant to sit on a public address on the DSL subnet, in front of the firewall, and supply access to the 10.net at work. Unfortunately, it would be non-trivial for me to locate the Netscreen in front of the firewall, so I'm trying to figure out if there is a way for the firewall to provide access to its IP address as if it were not behind the firewall.

I am already using -redirect_address so that the firewall can bind an IP on the DSL subnet as an alias, and then redirect it to a machine on the 10.net. This is sub-optimal even in the case where I can give out a 10.net address, because the machine can't find itself unless it also aliases the public IP address. :/ THEN for some reason, other machines on the protected 10.net can't reach that machine either! :(

And, in this case, the Netscreen COULDN'T bind a 10.net address because it's already tunneling a 10.net to us, and that's a paradox, I think. ARGH!

Any ideas? I think I have to crawl under the house with some CAT5 ...
-danny
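As an added illustration (not part of Danny's post), here is a small Python model of the two mechanisms in play: an ipfw divert rule scoped to the external interface ("via xl0") and natd's static -redirect_address mapping. It shows why a packet from the 10.net to the public alias is never redirected: it enters on the inside interface, never crosses the divert, and is delivered to the firewall's own stack. Interface names and addresses are constructed, and this is a simplified model of the rule logic, not natd's own code.

```python
# Simplified model of "ipfw add divert natd all from any to any via xl0"
# together with "natd -redirect_address 10.0.0.10 192.0.2.10".
# All names and addresses below are constructed for the example.
from dataclasses import dataclass, replace

EXT_IF, INT_IF = "xl0", "xl1"       # hypothetical outside / inside interfaces
PUBLIC_ALIAS = "192.0.2.10"         # alias the firewall holds on the DSL subnet
INTERNAL_TARGET = "10.0.0.10"       # the machine the alias is redirected to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is crossing
    direction: str    # "in" or "out" relative to the firewall


def natd_redirect(pkt: Packet) -> Packet:
    """Static -redirect_address mapping, applied in both directions."""
    if pkt.direction == "in" and pkt.dst == PUBLIC_ALIAS:
        return replace(pkt, dst=INTERNAL_TARGET)
    if pkt.direction == "out" and pkt.src == INTERNAL_TARGET:
        return replace(pkt, src=PUBLIC_ALIAS)
    return pkt


def firewall(pkt: Packet) -> Packet:
    """Only packets crossing EXT_IF match the divert rule and reach natd."""
    if pkt.iface == EXT_IF:
        return natd_redirect(pkt)
    return pkt


def reachable_target(pkt: Packet) -> str:
    """Final destination of a packet addressed to the public alias."""
    out = firewall(pkt)
    if out.dst == PUBLIC_ALIAS:
        return "firewall-local"   # alias is local: delivered to the firewall itself
    return out.dst


if __name__ == "__main__":
    # From the DSL side the redirect works; from the 10.net it never happens.
    print(reachable_target(Packet("198.51.100.7", PUBLIC_ALIAS, EXT_IF, "in")))
    print(reachable_target(Packet("10.0.0.20", PUBLIC_ALIAS, INT_IF, "in")))
    print(reachable_target(Packet(INTERNAL_TARGET, PUBLIC_ALIAS, INT_IF, "in")))
```

The third case is the "machine can't find itself" symptom from the post: the redirected host's own packets to the public alias stay inside the firewall as well.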