From owner-freebsd-questions@FreeBSD.ORG Tue Feb 21 15:26:25 2006
Message-ID: <43FB311A.2020603@scls.lib.wi.us>
Date: Tue, 21 Feb 2006 09:26:18 -0600
From: Greg Barniskis
To: Ted Mittelstaedt
Cc: freebsd-questions
Subject: Re: question on NAT for multiple subnets

Ted Mittelstaedt wrote:
>
>> -----Original Message-----
>> From: Greg Barniskis [mailto:gregb@scls.lib.wi.us]
>> Sent: Friday, February 17, 2006 10:14 AM
>> To: Ted Mittelstaedt
>> Cc: freebsd-questions
>> Subject: Re: question on NAT for multiple subnets
>>
>>
>> Ted Mittelstaedt wrote:
>>> I've never done it but I think you can run multiple nat instances
>>> and multiple divert sockets, you will have to specify them in the
>>> config file to natd, though.
>> Excellent. That's what I was hoping for. So instead of one "divert
>> natd" rule in ipfw, I simply need "divert N", "divert N+1", "divert
>> N+2", etc. where N is a port number where I bound my first natd, N+1
>> the next natd instance, etc. I think I can manage that.
>>
>
> I looked at the man page for natd and they specify the divert port
> with -port, and alias address with -alias_address
>
> You're going to have a bit of trial and error to work this config
> out but it shouldn't be that bad. I would love to see it posted
> here once you get it working.

I will share anything I get working, when I do (ipfw, pf or otherwise). Might be a while though. My immediate need was only to answer the question of whether any significant lab time on it was even worthwhile. A yes answer means the topic's tabled for a couple of weeks at least.

> PS: A firewall with a shell that you can actually initiate a telnet
> session from knocks a PIX into a cocked hat. And I just love
> dealing with a PIX on a network that has multiple gateways on it.
> Nothing like the lack of icmp redirects to get you swearing.

Wouldn't be asking if the subject hadn't been discussed by staff in terms of "Can't we do this outside the [grumble|mumble|curse] PIX?". Not to knock it too hard; it does what it does pretty well, pretty fast, it's just that the things it doesn't do well are too many.

-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK), (608) 266-6348
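The "divert N, divert N+1, ..." layout the thread sketches, written out as a small generator script. This is an added example, not code from the thread or from the FreeBSD project: it produces one natd command line (using the -port and -alias_address options named above) and one pair of ipfw divert rules per internal subnet, so that outbound packets from a subnet and inbound packets to that subnet's public alias both reach the same natd instance. The interface name fxp0, the 192.168.x.0/24 subnets, the 203.0.113.x alias addresses and the rule numbering are constructed placeholders; 8668 is natd's default divert port (the "natd" service the original "divert natd" rule refers to).

```shell
#!/bin/sh
# Added example (not from the thread): one natd instance and one ipfw
# divert rule pair per internal subnet. All addresses, the interface
# and the rule numbers below are constructed placeholders.

EXT_IF="${EXT_IF:-fxp0}"        # assumed external interface
BASE_PORT="${BASE_PORT:-8668}"  # natd default divert port; instance i uses BASE_PORT+i

# One "internal-subnet public-alias" pair per line (constructed sample data).
NAT_MAP="192.168.1.0/24 203.0.113.11
192.168.2.0/24 203.0.113.12
192.168.3.0/24 203.0.113.13"

# natd command line for instance $1 (0-based) that aliases to address $3.
# Each instance listens on its own divert port, as the thread describes.
natd_cmd() {
    port=$((BASE_PORT + $1))
    printf 'natd -port %s -alias_address %s\n' "$port" "$3"
}

# ipfw rules for instance $1: packets leaving from subnet $2 and packets
# arriving for alias $3 are both diverted to that instance's port, so one
# natd sees both directions of its own flows. Rule numbers 1000+10*N keep
# the instances in a stable order ahead of the pass rules that follow.
ipfw_rules() {
    port=$((BASE_PORT + $1))
    rule=$((1000 + 10 * $1))
    printf 'ipfw add %s divert %s ip from %s to any out via %s\n' \
        "$rule" "$port" "$2" "$EXT_IF"
    printf 'ipfw add %s divert %s ip from any to %s in via %s\n' \
        "$((rule + 1))" "$port" "$3" "$EXT_IF"
}

# Walk the map and print every natd and ipfw command in start-up order.
generate() {
    i=0
    echo "$NAT_MAP" | while read -r subnet alias; do
        [ -n "$subnet" ] || continue
        natd_cmd "$i" "$subnet" "$alias"
        ipfw_rules "$i" "$subnet" "$alias"
        i=$((i + 1))
    done
}

generate
```

Two things to check when turning the printed lines into a real ruleset: start every natd before loading the divert rules, because a packet diverted to a port nobody is listening on is dropped rather than passed, and keep the divert rules ahead of any allow rules so matching packets are actually handed to natd. The same -port and -alias_address values can be placed in a per-instance natd configuration file given with -f, which is the "config file to natd" route mentioned above.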