Date: Mon, 21 Jan 2002 17:41:11 -0500
From: "Doug Reynolds" <mav@wastegate.net>
To: "Allen Landsidel" <all@biosys.net>, "Nick Rogness" <nick@rogness.net>
Cc: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: multihomed routing woes..
Message-ID: <20020121223922.8AAE04844F@wastegate.net>
In-Reply-To: <5.1.0.14.0.20020120205959.00a99618@rfnj.org>
On Sun, 20 Jan 2002 21:15:30 -0500, Allen Landsidel wrote:

>> > interface, and an address in the 10/8 block on the exterior. The
>> > router has an address on the 10/8 block on the interior, the ISP
>> > assigned address on the WAN interface, and a static route to the
>> > firewall 10/8 for my IP block.
>> >
>> > The problem is simple: All outgoing traffic that *originates* on the
>> > firewall attempts to use the 10/8 address. I'm looking for some easy
>> > way to force it to use its internal address for traffic destined to
>> > go out the exterior interface, but so far to no avail.
>> >
>>
>> The real problem here is that you are running publics on your
>> inside. Why are you doing this and not using static nat for this?
>
> Why should I use nat if I'm paying for an IP block? The lan is not an
> intranet, it's a bunch of "real" servers out on the internet.

someone will probably tell me that this is way out of line and maybe twisted, and you'd probably need a killer firewall machine, but here goes:

1) assign all your ip addresses (that you need) of your server bank LAN to the nic card in your main firewall machine
2) assign private addresses to everything
3) run NATD and put redirect_address statements in a configuration file for each one of your servers
4) firewall out all the ports you don't want going to whichever machine. i'd at least leave a ssh port open on all the servers so you can change the configuration.

the only problem i see is that this must take up too many resources, and defeat the purpose of having individual servers :)

or, dump all the ips and NATD everything.

the only plus of having the above config would be you'd have a separate ip address for each host, whereas you'd have to CNAME everything just to NATd everything

---
doug reynolds | the maverick | mav@wastegate.net
PGP Public Key Fingerprint: 6E7B 9993 B503 6D45 E33A 2019 26E5 C1DB
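The layout Doug sketches in steps 1 to 4, written out as an added example that is not part of the thread and not FreeBSD's own documentation: a POSIX sh script that generates the ifconfig aliases for the public block, the natd.conf redirect_address lines (static 1:1 NAT in both directions), and a default-deny ipfw ruleset that exposes only each server's service ports. The interface names fxp0/fxp1, the 203.0.113.0/28 public block, the 192.168.1.0/24 server LAN, the 192.0.2.0/24 management network and the per-server port lists are all constructed placeholders; restricting ssh to the management network is an assumption that tightens the "leave ssh open on all servers" step.

```shell
#!/bin/sh
# Added example (not from the thread): static NAT on a FreeBSD firewall with
# natd(8) redirect_address plus a default-deny ipfw(8) ruleset.
# Needs IPDIVERT in the kernel and net.inet.ip.forwarding=1 to actually work.
# All addresses and interface names below are constructed placeholders.

EXT_IF="fxp0"            # external NIC that will hold every public address (assumed)
INT_IF="fxp1"            # interface toward the private server LAN (assumed)
SERVER_LAN="192.168.1.0/24"
MGMT_NET="192.0.2.0/24"  # only source allowed to reach ssh on the servers (assumed)

# "public private tcp-ports" triples, one server per line (constructed sample).
SERVERS="
203.0.113.10 192.168.1.10 80,443
203.0.113.11 192.168.1.11 25
203.0.113.12 192.168.1.12 53
"

# Step 1: put every public address on the firewall's external NIC as an alias.
gen_aliases() {
    echo "$SERVERS" | while read pub priv ports; do
        [ -n "$pub" ] || continue
        echo "ifconfig $EXT_IF alias $pub netmask 255.255.255.255"
    done
}

# Steps 2-3: /etc/natd.conf with one redirect_address per server. Each line
# maps inbound traffic for the public address to the private host and rewrites
# that host's outbound traffic to leave with its own public address.
gen_natd_conf() {
    echo "interface $EXT_IF"
    echo "$SERVERS" | while read pub priv ports; do
        [ -n "$pub" ] || continue
        echo "redirect_address $priv $pub"
    done
}

# Step 4: ipfw rules. Packets on the external interface go through natd first,
# re-enter after the divert rule already translated, and are then matched on
# the private address: listed service ports from anywhere, ssh only from the
# management network, established return traffic, and deny everything else.
gen_ipfw_rules() {
    echo "ipfw -f flush"
    echo "ipfw add 100 divert natd ip from any to any via $EXT_IF"
    echo "ipfw add 200 allow ip from any to any via lo0"
    echo "ipfw add 300 allow tcp from any to any established"
    echo "$SERVERS" | while read pub priv ports; do
        [ -n "$pub" ] || continue
        echo "ipfw add 1000 allow tcp from any to $priv $ports in via $EXT_IF setup"
        echo "ipfw add 1100 allow tcp from $MGMT_NET to $priv 22 in via $EXT_IF setup"
    done
    # Servers (and the firewall itself) may open outbound connections.
    echo "ipfw add 2000 allow ip from $SERVER_LAN to any in via $INT_IF"
    echo "ipfw add 2100 allow ip from any to any out via $EXT_IF"
    echo "ipfw add 65000 deny log ip from any to any"
}

# Apply only when explicitly requested (needs root); otherwise just show the
# commands and config so they can be reviewed before they touch the box.
if [ "${APPLY:-0}" = "1" ]; then
    gen_aliases | sh
    gen_natd_conf > /etc/natd.conf
    natd -f /etc/natd.conf
    gen_ipfw_rules | sh
else
    gen_aliases
    echo "--- /etc/natd.conf ---"
    gen_natd_conf
    echo "--- ipfw ---"
    gen_ipfw_rules
fi
```

Run it without APPLY=1 to review the generated aliases, natd.conf and rules; the deny-everything rule at the end is what turns "firewall out the ports you don't want" into a default-deny policy, so any port not listed for a server is unreachable even though its public address answers ARP on fxp0.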