Date: Tue, 21 Jun 2011 12:34:02 +0200
From: Damien Fleuriot <ml@my.gd>
To: freebsd-questions@freebsd.org
Subject: Re: Two Networks on one System
Message-ID: <4E00739A.1070409@my.gd>
In-Reply-To: <27899_1308609017_4DFFC9F9_27899_767_1_D9B37353831173459FDAA836D3B43499BF89C588@WADPMBXV0.waddell.com>
References: <201106202107.p5KL7PW0091851@x.it.okstate.edu> <4DFFC61B.2080201@radel.com> <27899_1308609017_4DFFC9F9_27899_767_1_D9B37353831173459FDAA836D3B43499BF89C588@WADPMBXV0.waddell.com>
On 6/21/11 12:30 AM, Gary Gatten wrote:
> On 6/20/11 5:07 PM, Martin McCormick wrote:
>
> I was kinda going this route as well - policy based routing type thing, but, is there an "easier" way?
>
> 1.) Temporarily enable ipforwarding - not my favorite
> 2.) Instead of a second NIC, bind the new IP to the org nic (alias).
>
> man ifconfig specifically mentions using alias during ip renumbering:
>
> "alias  Establish an additional network address for this interface. This
>  is sometimes useful when changing network numbers, and one wishes to
>  accept packets addressed to the old interface. If the address is on the
>  same subnet as the first network address for this interface, a
>  non-conflicting netmask must be given. Usually 0xffffffff is most
>  appropriate."
>
> Once everything is transitioned, you may reconfigure the interface with the "permanent" config.
>
> G
>

Alias lets your interface have multiple IP addresses, however it will not address your routing issue.

Find below the configuration we're using on firewalls both in the 195.158.0.0/16 network and 46.182.0.0/16 network.

In the case of a simple access rule:

    # PASS quick SSH from trusted IPs
    pass in quick on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto tcp from <allowed_ssh> to <myself_wan_195> port 22
    pass in quick on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_46) inet proto tcp from <allowed_ssh> to <myself_wan_46> port 22

In the case of an RDR, where we redirect traffic to another host:

First we tag the packets in the RDR rule, then we make our access rule only match the tagged packets.

    # To VPN backoffice on both IP ranges
    rdr on $ifvlan13 inet proto tcp from any to <myself_wan_195> port 1195 tag rdr_195_1195 -> 10.104.10.244 port 1195
    rdr on $ifvlan13 inet proto tcp from any to <myself_wan_46> port 1195 tag rdr_46_1195 -> 10.104.10.244 port 1195

    # PASS in openvpn backoffice
    pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto tcp from any to <openvpn> port 1195 tagged rdr_195_1195 keep state label "PASS in openvpn_bo_195"
    pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_46) inet proto tcp from any to <openvpn> port 1195 tagged rdr_46_1195 keep state label "PASS in openvpn_bo_46"
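The rules quoted in the message above only show the filter lines. The following is an added, self-contained pf.conf for a FreeBSD host that is reachable on two upstream networks through one interface; it is an illustration written for this page, not the configuration of the firewalls the message describes. The interface name vlan13, the gateway addresses, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges, and the table names are assumed placeholders; 10.104.10.244 is the internal host from the message. It goes one step beyond the message by adding the outbound counterpart (route-to keyed on the source address), so that connections the host itself originates from the alias address also leave through the right gateway.

```pf
# Added example, not from the original message. Interface, gateways and the
# documentation-range addresses below are assumed placeholders.

ext_if = "vlan13"            # assumed: the single uplink interface
gw_a   = "192.0.2.1"         # assumed: upstream router on network A
gw_b   = "198.51.100.1"      # assumed: upstream router on network B

table <myself_a>    { 192.0.2.10 }      # primary address on $ext_if
table <myself_b>    { 198.51.100.10 }   # alias address on $ext_if
table <allowed_ssh> { 203.0.113.0/24 }  # assumed management network
table <openvpn>     { 10.104.10.244 }   # internal VPN host (from the message)

set skip on lo0
set block-policy drop

# Translation rules run before filtering. Tag each redirect with the network
# the packet arrived on; after rdr the destination is already 10.104.10.244,
# so the tag is the only thing left that identifies the original address.
rdr on $ext_if inet proto tcp from any to <myself_a> port 1195 tag rdr_a_1195 -> 10.104.10.244 port 1195
rdr on $ext_if inet proto tcp from any to <myself_b> port 1195 tag rdr_b_1195 -> 10.104.10.244 port 1195

block in log all
block out log all

# reply-to: replies for states created by these rules are sent to the given
# gateway instead of following the system routing table, so traffic that
# came in via network B is answered via network B.
pass in quick on $ext_if reply-to ($ext_if $gw_a) inet proto tcp from <allowed_ssh> to <myself_a> port 22 keep state
pass in quick on $ext_if reply-to ($ext_if $gw_b) inet proto tcp from <allowed_ssh> to <myself_b> port 22 keep state

# Only packets carrying the matching tag from the rdr rule above are passed.
pass in log on $ext_if reply-to ($ext_if $gw_a) inet proto tcp from any to <openvpn> port 1195 tagged rdr_a_1195 keep state label "PASS in openvpn_a"
pass in log on $ext_if reply-to ($ext_if $gw_b) inet proto tcp from any to <openvpn> port 1195 tagged rdr_b_1195 keep state label "PASS in openvpn_b"

# Outbound counterpart (beyond what the message shows): connections the host
# originates from the alias address are routed through network B's gateway;
# everything else follows the default route.
pass out on $ext_if route-to ($ext_if $gw_b) inet from <myself_b> to any keep state
pass out on $ext_if inet from <myself_a> to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. Note that reply-to and route-to only take effect for the state created by the rule that carries them, so every pass rule that should answer via the non-default gateway needs its own reply-to; a rule without it answers via the routing table, which is exactly the asymmetric-return problem the message is working around.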