Date: Mon, 24 Jul 2006 04:58:04 +0400 (MSD)
From: .@babolo.ru
To: Brett Glass <brett@lariat.net>
Cc: net@freebsd.org
Subject: Re: Multiple NAT router
Message-ID: <1153702684.732309.10933.nullmailer@cicuta.babolo.ru>
In-Reply-To: <7.0.1.0.2.20060721105813.0971ae90@lariat.net>
> I have an application in which I'd like a FreeBSD router to have
> multiple, isolated LANs attached to it, each with the same address
> space. The FreeBSD box would take the place of multiple NAT routers.
>
> For example, I might want to have three internal Ethernet
> interfaces on the FreeBSD box. Each would be connected to a LAN
> whose internal addresses are 192.168.0.0/24. The FreeBSD box would
> do NAT for all of them, and of course they could not "see" one another.
>
> The alternatives, of course, would be to install multiple NAT
> routers -- which would be a waste -- or to number the LANs
> differently. But the organization for which I'm doing this wants
> everything about each LAN to be absolutely standard (printers at
> the same static addresses, etc.) so that their IT guys can walk in
> and know exactly how everything's numbered.
>
> Is it possible to do a "hydra headed" router such as this with
> FreeBSD? I'm not sure that FreeBSD's natd is equipped to sort
> incoming packets for multiple, identically numbered LANs properly,
> because it would have to remember interface names as well as
> addresses. Also, there would be the question of how one would
> connect inward to the machines on the LANs, since "ping
> 192.168.0.100" would be ambiguous. (Perhaps one could do it from a
> jail. In fact, perhaps the virtual NAT routers could be set up in jails....)

The most cumbersome thing is the same net on several ifaces. I am not sure, but this is what I would do if I tried it:

client interfaces: if0, if1, if2
external interface: ef0
default router for all clients: 192.168.0.1

    ifconfig if0 inet 10.0.0.1/32
    ifconfig if1 inet 10.0.0.2/32
    ifconfig if2 inet 10.0.0.3/32
    ifconfig lo0 inet 192.168.0.1/32
    sysctl net.link.ether.inet.proxyall=1
    ifconfig ef0 inet ...1

Tell your provider to route ...2, ...3, ...4 to ...1, and start 3 natd processes with the ...2, ...3, ...4 IP addresses.

In the internal -> external direction, do the usual NAT with its own natd for each iface (try Julian Elischer's post, but do it simpler). In the external -> internal direction, mark packets before natd with, for example, marks 1, 2, 3, and after natd forward packets marked 1 to 10.0.0.1, packets marked 2 to 10.0.0.2, and so on.

Two things I am not sure of: are natd marks safe? How does ipfw forward to its own iface work? (It worked for me with route.)

Sorry for my bad English.
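The core of the design sketched above is that each client interface gets its own NAT instance and its own external address, so the interface name is effectively part of every translation entry and the external address alone selects the LAN on the way back in (this is the role of the "mark"). The following is an added illustration by the editor, not code from this thread and not FreeBSD's natd or ipfw; the interface names if0/if1/if2 follow the reply, while the external and server addresses are constructed from the RFC 5737 documentation ranges.

```python
# Editor's illustrative model of the "hydra headed" NAT described in the thread.
# It is not natd; it only shows why one translation table per client interface
# lets identically numbered LANs share one router, and why the external address
# (not the internal 192.168.0.x address) disambiguates inbound traffic.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple: enough to show the address/port rewriting."""
    src: str
    sport: int
    dst: str
    dport: int


class HydraNat:
    def __init__(self, ext_addrs: Dict[str, str]) -> None:
        # client iface -> external address it NATs to (one natd per entry in the reply)
        self.ext_addrs = dict(ext_addrs)
        # (iface, internal src, internal sport) -> external port
        self.outbound_state: Dict[Tuple[str, str, int], int] = {}
        # (external addr, external port) -> (iface, internal src, internal sport)
        self.inbound_state: Dict[Tuple[str, int], Tuple[str, str, int]] = {}
        # Each external address hands out its own port range independently.
        self.next_port: Dict[str, int] = {iface: 40000 for iface in ext_addrs}

    def outbound(self, iface: str, pkt: Packet) -> Packet:
        """internal -> external: rewrite the source to this iface's external address."""
        if iface not in self.ext_addrs:
            raise ValueError(f"unknown client interface {iface!r}")
        ext_addr = self.ext_addrs[iface]
        key = (iface, pkt.src, pkt.sport)  # the interface is part of the key
        ext_port = self.outbound_state.get(key)
        if ext_port is None:
            ext_port = self.next_port[iface]
            self.next_port[iface] += 1
            self.outbound_state[key] = ext_port
            self.inbound_state[(ext_addr, ext_port)] = key
        return Packet(ext_addr, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        """external -> internal: the external address and port select the LAN.
        Returns (iface to forward on, rewritten packet), or None when there is
        no state, i.e. an unsolicited packet that a NAT would drop."""
        state = self.inbound_state.get((pkt.dst, pkt.dport))
        if state is None:
            return None
        iface, int_src, int_sport = state
        return iface, Packet(pkt.src, pkt.sport, int_src, int_sport)


def demo() -> Dict[str, object]:
    """Two LANs with the same host address talk to the same server.
    Constructed addresses: 203.0.113.x externals, 198.51.100.10 server."""
    nat = HydraNat({"if0": "203.0.113.2", "if1": "203.0.113.3", "if2": "203.0.113.4"})
    server = ("198.51.100.10", 80)
    same_host = Packet("192.168.0.100", 5000, *server)

    out0 = nat.outbound("if0", same_host)
    out1 = nat.outbound("if1", same_host)

    # Replies come back addressed to whichever external address was used.
    reply0 = Packet(server[0], server[1], out0.src, out0.sport)
    reply1 = Packet(server[0], server[1], out1.src, out1.sport)
    back0 = nat.inbound(reply0)
    back1 = nat.inbound(reply1)
    # Nothing ever went out via if2, so this has no state and is dropped.
    stray = nat.inbound(Packet(server[0], server[1], "203.0.113.4", 40000))

    return {"out0": out0, "out1": out1, "back0": back0, "back1": back1, "stray": stray}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both hosts are 192.168.0.100:5000, yet the two flows never collide because the table key carries the interface; on the return path the NAT recovers that interface, which is exactly the per-LAN mark the reply wants to attach before forwarding. The model does not answer the open question of how the packet is then pushed out the right interface once its destination is again an ambiguous 192.168.0.x address.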