Date:      Tue, 28 Jun 2005 11:39:13 +0200
From:      Milan Obuch <net@dino.sk>
To:        freebsd-net@freebsd.org
Subject:   Re: Julian's netowrking challenge 2005
Message-ID:  <200506281139.17582.net@dino.sk>
In-Reply-To: <20050628074640.GY1283@obiwan.tataz.chchile.org>
References:  <42C0DB3B.6000606@elischer.org> <20050628074640.GY1283@obiwan.tataz.chchile.org>

On Tuesday 28 June 2005 09:46, Jeremie Le Hen wrote:
> Hi Julian,
>
> > The challenge:
> >
> > figure out a way so that all the users on the network behind fxp0
> > can use the internet using the T1 attached to the cisco off fxp1
> > while all the advertised services (about 8 of them, few enough to
> > list by hand in rules etc.) which are also behind fxp0 but accessed by
> > NAT'd addresses from the addresses on fxp1's net are accessed solely via
> > that T1.
> >
> > [...]
> >
> > I can get the 'forward' direction easily.. i.e. incoming packets.
> >
> > It's the reverse direction that doesn't work for me.
> > I considered running 2 NATDs
> > but I need to run ipfw to identify the reverse streams to force back via
> > fxp2
> > and the only way I can do that is by using the 'fwd' command.
> > if I do that I can't divert them and if I divert them to natd first, I
> > can't 'fwd' them afterwards as the NATing is already done for the other
> > (wrong) interface.
>
> You definitely want a non-terminal "fwd" command.
> Ari Suutari has just implemented the "setnexthop" action that does the
> trick, I think the patch [1] is waiting to be committed in -CURRENT.
> I don't think this would be really difficult to backport to RELENG_4.
>

I think this is a good solution for him. At least once I needed to solve
something similar, no luck then...

> Hope this helps.
> Regards,
>
> [1] http://lists.freebsd.org/pipermail/freebsd-net/2005-June/007710.html
>
> PS: I'm seeing more and more requests about routing limitations in
> FreeBSD everyday, such as lack of multiple routing tables support, lack
> of source routing (as well as higher level protocol based routing).
> Are there actually some projects that are being worked on to overcome
> this ?

I used Marko Zec's virtualization patch for multiple VPN management and
monitoring and it worked great. It does exist for 4-RELEASE, however.
I am not ready to do anything like this yet, but if someone would work on
something similar for newer releases, I would be really willing to try it out
and test. I need to solve some multiple VPN problem again and using a legacy
release is the only option, but something newer would be really better.

Regards,
Milan
