From: Matthew Seaman
Date: Sat, 07 Jun 2014 10:34:39 +0100
To: freebsd-net@freebsd.org
Subject: Re: Can you create a FreeBSD gateway, with private IPs, without NAT/divert ?
Message-ID: <5392DCAF.8090302@FreeBSD.org>

On 07/06/2014 07:22, None Secure via freebsd-net wrote:

> BUT, what if my ISP is giving me a private IP, and my internal
> network is also private IPs ? External gateway address is
> 192.168.1.2 and internal gateway address is 10.10.10.1 ... the ONLY
> way I could make this work is with natd and ipfw divert rules.
>
> My question is: is it possible to have a network of non-routable
> IPs, and a gateway with non-routable IPs on internal and external
> interfaces, and NOT use natd/divert ? Can it be done with no ipfw
> rules at all, just like I used to ?

Sure, it's possible, in theory. It just depends on whether your ISP's kit will NAT for your 10.10.10.1 range as well as the 192.168.1.2 address they've assigned to you. Which I doubt -- the ISP kit is probably only going to do the minimum necessary to provide service so that it can support the maximum possible number of customers.

However, running your own NAT gateway between 192.168.1.2 and 10.10.10.1 shouldn't be a problem. You can NAT multiple times between where you are and the Internet usually with no worse consequence than a bit of extra latency on your traffic.

Cheers,

Matthew

PS. Roll on IPv6. None of this Heath-Robinsonesque NAT on top of NAT is necessary in an IPv6 world.

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
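
The gateway described in this thread can do its own NAT with ipfw's in-kernel NAT, which needs neither the natd daemon nor divert rules. The `/etc/rc.conf` fragment below is an added example, not part of Matthew's message or the original question. The interface names `em0` and `em1` and the /24 netmasks are assumptions; only the two addresses come from the thread.

```conf
# /etc/rc.conf fragment (constructed example)
# Assumed interface names: em0 = external (192.168.1.2), em1 = internal (10.10.10.1).
# Netmasks are assumed to be /24; the thread does not give them.
ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_em1="inet 10.10.10.1 netmask 255.255.255.0"

# Forward packets between em0 and em1 (sets net.inet.ip.forwarding=1).
gateway_enable="YES"

# Load ipfw at boot with the stock "open" ruleset from /etc/rc.firewall.
# "open" passes all traffic: it provides translation only, no filtering.
firewall_enable="YES"
firewall_type="open"

# In-kernel NAT (ipfw_nat) on the external interface. Traffic from the
# 10.10.10.x hosts leaves em0 with source address 192.168.1.2, which the
# ISP's own NAT then translates a second time.
firewall_nat_enable="YES"
firewall_nat_interface="em0"
```

Once the settings are active, `ipfw nat show config` and `ipfw list` show the NAT instance and the rule that sends traffic through it.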