Date:      Mon, 21 Jan 2002 17:41:11 -0500
From:      "Doug Reynolds" <mav@wastegate.net>
To:        "Allen Landsidel" <all@biosys.net>, "Nick Rogness" <nick@rogness.net>
Cc:        "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: multihomed routing woes..
Message-ID:  <20020121223922.8AAE04844F@wastegate.net>
In-Reply-To: <5.1.0.14.0.20020120205959.00a99618@rfnj.org>

On Sun, 20 Jan 2002 21:15:30 -0500, Allen Landsidel wrote:

>> > interface, and an address in the 10/8 block on the exterior. The
>> > router has an address on the 10/8 block on the interior, the ISP
>> > assigned address on the WAN interface, and a static route to the
>> > firewall 10/8 for my IP block.
>> >
>> > The problem is simple : All outgoing traffic that *originates* on the
>> > firewall attempts to use the 10/8 address.  I'm looking for some easy
>> > way to force it to use its internal address for traffic destined to
>> > go out the exterior interface, but so far to no avail.
>> >
>>
>>         The real problem here is that you are running publics on your
>>         inside.  Why are you doing this and not using static nat for this?
>
>Why should I use nat if I'm paying for an IP block?  The lan is not an 
>intranet, it's a bunch of "real" servers out on the internet.

someone will probably tell me that this is way out of line and maybe
twisted, and you'd probably need a killer firewall machine, but here
goes:

1) assign all the IP addresses (that you need) of your server bank LAN
to the NIC in your main firewall machine
2) assign private addresses to everything
3) run natd and put redirect_address statements in a configuration
file for each one of your servers
4) firewall out all the ports you don't want going to whichever
machine. I'd at least leave an ssh port open on all the servers so
you can change the configuration.

the only problem I see is that this must take up too many resources, and
defeat the purpose of having individual servers :)

or, dump all the ips and NATD everything.

the only plus of having the above config would be that you'd have a
separate IP address for each host, whereas you'd have to CNAME everything
just to NATd everything

---
doug reynolds | the maverick | mav@wastegate.net

PGP Public Key Fingerprint: 6E7B 9993 B503 6D45  E33A 2019 26E5 C1DB



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020121223922.8AAE04844F>
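A worked configuration for the four-step scheme in the message above (public IPs aliased onto the firewall's outside NIC, private addresses on the servers, one natd redirect_address per server, ipfw filtering per server). This is an added example, not code from the original post or from FreeBSD's own documentation. Everything in it is constructed for illustration: the interface names fxp0/fxp1, the documentation-range public block 203.0.113.0/24 standing in for the ISP-assigned addresses, the private 10.0.0.0/24 server LAN, and the three-host SERVER_MAP. The functions only print the config text so it can be reviewed before being written to /etc/natd.conf, /etc/rc.conf and the ipfw startup script; nothing here changes a running system.

```shell
#!/bin/sh
# Added example (not from the original post): generate natd.conf, rc.conf
# alias lines and ipfw rules for a 1:1 redirect_address setup on a FreeBSD
# firewall.  All names and addresses below are constructed assumptions.
#   - external interface fxp0, internal interface fxp1
#   - public block 203.0.113.0/24 (documentation range), servers on 10.0.0.0/24
#   - SERVER_MAP columns: public-IP  private-IP  TCP-ports-to-expose
EXT_IF=fxp0
INT_IF=fxp1

# ssh (22) is kept reachable on every host, as the post suggests.
SERVER_MAP='
203.0.113.11 10.0.0.11 22,80,443
203.0.113.12 10.0.0.12 22,25
203.0.113.13 10.0.0.13 22,53
'

# Sanity check before anything is installed: a public or private address that
# appears twice would give two redirect_address lines fighting over it.
check_map() {
    for col in 1 2; do
        dups=$(printf '%s\n' "$SERVER_MAP" | awk -v c="$col" 'NF {print $c}' | sort | uniq -d)
        if [ -n "$dups" ]; then
            echo "duplicate address in map: $dups" >&2
            return 1
        fi
    done
    return 0
}

# natd.conf: redirect_address maps a whole public address to one private host
# (all ports, both directions), so every server keeps its own public IP and no
# CNAME games are needed.  natd(8) syntax is "redirect_address localIP publicIP".
natd_conf() {
    printf 'interface %s\nuse_sockets yes\nsame_ports yes\n' "$EXT_IF"
    printf '%s\n' "$SERVER_MAP" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        printf 'redirect_address %s %s\n' "$priv" "$pub"
    done
}

# rc.conf: natd only answers for addresses the firewall actually owns, so each
# public IP must be an alias on the outside NIC (step 1 of the post).
rc_conf() {
    printf 'natd_enable="YES"\nnatd_interface="%s"\nnatd_flags="-f /etc/natd.conf"\n' "$EXT_IF"
    n=0
    printf '%s\n' "$SERVER_MAP" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        printf 'ifconfig_%s_alias%d="inet %s netmask 255.255.255.255"\n' "$EXT_IF" "$n" "$pub"
        n=$((n + 1))
    done
}

# ipfw: the divert rule must come first so inbound packets are translated to
# their private address before the filter rules see them.  After that only the
# listed TCP ports may open a connection to each server; replies to connections
# the servers open themselves pass on "established"; everything else is logged
# and dropped (step 4 of the post).
ipfw_rules() {
    echo "ipfw -f flush"
    echo "ipfw add 100 divert natd ip from any to any via $EXT_IF"
    echo "ipfw add 200 allow ip from any to any via lo0"
    echo "ipfw add 300 allow tcp from any to any established"
    rule=1000
    printf '%s\n' "$SERVER_MAP" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        echo "ipfw add $rule allow tcp from any to $priv $ports in via $EXT_IF setup"
        rule=$((rule + 100))
    done
    echo "ipfw add 60000 allow ip from any to any via $INT_IF"
    echo "ipfw add 60100 allow ip from any to any out via $EXT_IF"
    echo "ipfw add 65000 deny log ip from any to any"
}

# Usage: print all three fragments for review.
check_map && { natd_conf; echo; rc_conf; echo; ipfw_rules; }
```

Because the divert rule sits at the top, the per-server allow rules are written against the private addresses, which is what ipfw sees once natd has rewritten the destination; writing them against the public addresses would match nothing. The map only exposes TCP ports; a UDP service (the DNS host above, for example) needs its own allow line, and the closing deny with log is what tells you what you forgot.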