From: Terje Elde
Subject: Re: VPN where local private address collide
Date: Sun, 18 Aug 2013 01:29:36 +0200
To: Frank Leonhardt
Cc: freebsd-questions@freebsd.org
In-Reply-To: <520F8AA8.8030407@fjl.co.uk>
References: <520E5EC0.5090105@fjl.co.uk> <9FB6809B-DD5D-4A04-8BD9-0271FAC03181@elde.net> <520F53A2.80707@fjl.co.uk> <520F8AA8.8030407@fjl.co.uk>
Message-Id: <1FF39756-0555-4CD8-95B7-862F9644CF78@elde.net>

On 17. aug. 2013, at 16:37, Frank Leonhardt wrote:

> This is just the sort of problem Google will have when it buys Facebook :-)

Probably not. If Google were to buy Facebook, I'm confident they'd be able to renumber their networks if they have to.

> Your explanation of the foul-up possible with NAPT is well made, although not really talking about the kind of NAT used on Home/SME routers (one public address hiding many private ones) - I'm thinking of Basic NAT - one-to-one replacement, not one-to-many (i.e. static address assignment). All the router (or firewall) needs to do is swap the IP address in the header as it passes through, and swap it back when it returns. The two hosts shouldn't notice a thing.

That's a good theory. In reality, it's much more complicated.

What about SSL/TLS for example? How would the router swap the header in an encrypted session?

(That's a likely scenario with both VoIP, teleconferencing and ftp over ssl btw.)

Swapping headers is also a bit outside the scope of NAT, and over to application level gateway. I've seen probably hundreds of attempts at such solutions, most didn't work at all, and few - if any - worked well.

> FWIW it works pretty well without NAT if you can avoid address conflicts, and in a small installation it's possible. But consider this really trivial example:

If you're fine with the way it works without conflicts, why not just move things around? Change statically configured IPs, and narrow the DHCP scopes to avoid conflict?

> The obvious answer is IPv6, of course. I'm surprised no one has mentioned it yet.

You seemed dead set on not renumbering the networks, and moving to IPv6 would not only be just that, but also be harder than just renumbering IPv4-nets, so you answered that question for us already.

> mpd does handle NAT (Section 4.14 of its manual). It doesn't go in to great detail except to say it uses ng_nat, which in turn uses libalias (like natd). Looking at the ng_nat 'C' interface, NGM_NAT_REDIRECT_ADDR sounds like what I'm after but it all looks geared to NAPT (which is, I guess, what most people use NAT for). And I've got this nagging feeling that ipfw is going to be involved somewhere, just to make it really tricky.

If you do insist on shooting the network owner(s) in the foot, pf would probably do fine for the NAT.

Best of luck on your adventure sir, you'll need it. If not today, then some day ahead. Bring a towel.

Terje
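As an added illustration of the one-to-one (Basic NAT) mapping the thread discusses, and of the pf suggestion at the end, this is a pf.conf fragment for one side of the tunnel; it is not from the original thread. It assumes both sites use 192.168.1.0/24, that this side shows itself on the tunnel as 172.16.1.0/24 and sees the remote site as 172.16.2.0/24, and that the VPN interface is tun0 (all of these are assumed values).

```pf
# /etc/pf.conf fragment on the local VPN gateway (added example; interface
# name and all three prefixes are assumed, not taken from the thread)
vpn_if       = "tun0"
local_net    = "192.168.1.0/24"   # real local range, same as the remote site's
local_alias  = "172.16.1.0/24"    # how local hosts appear on the tunnel
remote_alias = "172.16.2.0/24"    # how the remote 192.168.1.0/24 appears to us

# binat is bidirectional one-to-one: 192.168.1.x leaving on $vpn_if becomes
# 172.16.1.x, and packets arriving for 172.16.1.x are mapped back to
# 192.168.1.x. Connections may be initiated from either side.
binat on $vpn_if from $local_net to $remote_alias -> $local_alias

# pf translates before filtering, so filter rules see the translated
# addresses: outbound traffic carries the alias source, inbound traffic
# already has the real local destination.
pass out on $vpn_if from $local_alias to $remote_alias
pass in  on $vpn_if from $remote_alias to $local_net

# The remote gateway runs the mirror image (its 192.168.1.0/24 -> 172.16.2.0/24).
# Only IP headers are rewritten; addresses carried inside the payload (FTP
# PORT, SIP/SDP), and anything inside a TLS session, are untouched, which is
# the limitation the thread points out.
```

Local hosts reach remote machines as 172.16.2.x, so any DNS or application configuration at each site has to refer to the alias range, not the colliding real one.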