From owner-freebsd-net@FreeBSD.ORG Tue Jun 28 09:39:48 2005
From: Milan Obuch
To: freebsd-net@freebsd.org
Date: Tue, 28 Jun 2005 11:39:13 +0200
Subject: Re: Julian's networking challenge 2005
Message-Id: <200506281139.17582.net@dino.sk>
References: <42C0DB3B.6000606@elischer.org> <20050628074640.GY1283@obiwan.tataz.chchile.org>
In-Reply-To: <20050628074640.GY1283@obiwan.tataz.chchile.org>

On Tuesday 28 June 2005 09:46, Jeremie Le Hen wrote:
> Hi Julian,
>
> > The challenge:
> >
> > figure out a way so that all the users on the network behind fxp0
> > can use the internet using the T1 attached to the cisco off fxp1
> > while all the advertised services (about 8 of them, few enough to
> > list by hand in rules etc.) which are also behind fxp0 but accessed by
> > NAT'd addresses from the addresses on fxp1's net are accessed solely via
> > that T1.
> >
> > [...]
> >
> > I can get the 'forward' direction easily.. i.e. incoming packets.
> > It's the reverse direction that doesn't work for me.
> > I considered running 2 NATDs
> > but I need to run ipfw to identify the reverse streams to force back via
> > fxp2
> > and the only way I can do that is by using the 'fwd' command.
> > if I do that I can't divert them and if I divert them to natd first, I
> > can't 'fwd' them afterwards as the NATing is already done for the other
> > (wrong) interface.
>
> You definitely want a non-terminal "fwd" command.
> Ari Suutari has just implemented the "setnexthop" action that does the
> trick, I think the patch [1] is waiting to be committed in -CURRENT.
> I don't think this would be really difficult to backport to RELENG_4.
>

I think this is a good solution for him. At least once I needed to solve
something similar, no luck then...

> Hope this helps.
> Regards,
>
> [1] http://lists.freebsd.org/pipermail/freebsd-net/2005-June/007710.html
>
> PS: I'm seeing more and more requests about routing limitations in
> FreeBSD every day, such as lack of multiple routing tables support, lack
> of source routing (as well as higher level protocol based routing).
> Are there actually some projects that are being worked on to overcome
> this ?

I used Marko Zec's virtualization patch for multiple VPN management and
monitoring and it worked great. It does exist for 4-RELEASE, however. I am
not ready to do anything like this yet, but if someone would work on
something similar for newer releases, I would be really willing to try it
out and test. I need to solve some multiple VPN problem again and using a
legacy release is the only option, but something newer would be really
better.

Regards,
Milan