Date: Sun, 20 Dec 1998 18:47:51 -0500
From: "Jim Flowers" <jflowers@ezo.net>
To: <freebsd-questions@FreeBSD.ORG>
Subject: SKIP and NAT in parallel with choice
Message-ID: <006201be2c73$2887c440$848266ce@crocus.ezo.net>
SKIP and NAT in series on the same host (as a tunnel end-point for network 1) causes problems for my network as I cannot easily route the returning H2->N1 packets to S2 for SKIP processing and the encapsulated S2->S1 packets to the Internet to make their way back to S1. The S1 and N1 interface address is the same, leading to routing loops on network 2.

The flexible nature of ipfw rules allows the parallel use of both SKIP and NAT on a single interface and a simple method for switching between them. Hosts on network 1 can appear as local to network 2 using a SKIP tunnel from network 1 to network 2, or can access the Internet masquerading as the N1 host. If network 1 is a discontinuous subnet of network 2 (seen from the Internet as a part of network 2) its hosts can also access the Internet through the tunnel and back out to the Internet through R2. Both network 1 and 2 hosts could use RFC-1918 addresses with a similar NAT/SKIP controller for the network 2 connection to the Internet.

Decoupling SKIP and NAT is accomplished with rules preceding the divert instruction that tell ipfw what you want to do. I use:

    allow skip from any to any in
    allow skip from any to any out
    allow udp from any to any skip_cdp
    allow udp from any skip_cdp to any
    divert natd ip from any to any via ed0

This allows looking at packet counts to see what's happening. Interestingly, although everything works as it should, the skip out counter does not increment, so SKIP must inject outbound packets below the ipfw counter routine.

/etc/protocols contains:

    skip        57      SKIP

And /etc/services contains:

    natd        8668/divert
    skip_cdp    1640/udp

These rules allow skip processing of packets before the divert rule is reached.

By default, NAT will be in operation for all hosts. Switching to SKIP is only a matter of introducing rules for hosts and networks PRIOR to the NAT divert rule. As an example, if you want a host to begin processing packets from H1 by SKIP rather than NAT you would enter something like:

    allow ip from a.b.c.H1 to any

or, for a network

    allow ip from a.b.c.0/24 to any

This arrangement has been tested with FreeBSD 2.2.7, the included natd-1.11 and the skip-1.0 port all installed without modification and configured as recommended.

    [H1]-+-[-+-N1-+-]--[R1]--[Internet]--[R2]-+-[H2]
         |   +-S1-+                           +-[S2] (single homed)
         |                                    |
      network 1                           network 2

Jim Flowers <jflowers@ezo.net>