From: "Jim Flowers" <jflowers@ezo.net>
To:
Subject: SKIP and NAT in parallel with choice
Date: Sun, 20 Dec 1998 18:47:51 -0500
Message-ID: <006201be2c73$2887c440$848266ce@crocus.ezo.net>
Sender: owner-freebsd-questions@FreeBSD.ORG

SKIP and NAT in series on the same host (as a tunnel end-point for network 1)
causes problems for my network as I cannot easily route the returning H2->N1
packets to S2 for SKIP processing and the encapsulated S2->S1 packets to the
Internet to make their way back to S1. The S1 and N1 interface address is the
same, leading to routing loops on network 2.

The flexible nature of ipfw rules allows the parallel use of both SKIP and NAT
on a single interface and a simple method for switching between them. Hosts on
network 1 can appear as local to network 2 using a SKIP tunnel from network 1 to
network 2 or can access the Internet, masquerading as the N1 host.
If network 1 is a discontinuous subnet of network 2 (seen from the Internet as
a part of network 2) its hosts can also access the Internet through the tunnel
and back out to the Internet through R2. Both network 1 and 2 hosts could use
RFC-1918 addresses with a similar NAT/SKIP controller for the network 2
connection to the Internet.

Decoupling SKIP and NAT is accomplished with rules preceding the divert
instruction that tell ipfw what you want to do. I use:

    allow skip from any to any in
    allow skip from any to any out
    allow udp from any to any skip_cdp
    allow udp from any skip_cdp to any
    divert natd ip from any to any via ed0

This allows looking at packet counts to see what's happening. Interestingly,
although everything works as it should, the skip out counter does not
increment, so SKIP must inject outbound packets below the ipfw counter
routine.

/etc/protocols contains:

    skip    57    SKIP

And /etc/services contains:

    natd        8668/divert
    skip_cdp    1640/udp

These rules allow skip processing of packets before the divert rule is
reached.

By default, NAT will be in operation for all hosts. Switching to SKIP is only a
matter of introducing rules for hosts and networks PRIOR to the NAT divert
rule. As an example, if you want a host to begin processing packets from H1 by
SKIP rather than NAT you would enter something like:

    allow ip from a.b.c.H1 to any

or, for a network

    allow ip from a.b.c.0/24 to any

This arrangement has been tested with FreeBSD 2.2.7, the included natd-1.11 and
the skip-1.0 port all installed without modification and configured as
recommended.
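A first-match walk over the rule order described above, as an added example that is not code from the original mail: the small parser understands only the rule shapes the post uses (it is not ipfw's grammar), 192.0.2.0/24 and 192.0.2.10 are constructed stand-ins for network 1 and host H1, and SHADOWED shows what happens when the per-host allow is placed after the divert instead of before it.

```python
import ipaddress

PROTOCOLS = {"skip": 57, "udp": 17, "ip": None}   # from the post's /etc/protocols; "ip" = any protocol
SERVICES = {"skip_cdp": 1640, "natd": 8668}       # from the post's /etc/services

def parse_rule(text):  # mini parser for the rule shapes the post uses, not ipfw's full grammar
    t = text.split()
    divert = t[0] == "divert"
    i = 2 if divert else 1
    r = {"action": " ".join(t[:2]) if divert else t[0], "proto": PROTOCOLS[t[i]],
         "src": t[i + 2], "sport": None, "dport": None, "dir": None, "via": None}
    i += 3
    if t[i] != "to":                       # "from any skip_cdp to any": a source port
        r["sport"], i = SERVICES.get(t[i]) or int(t[i]), i + 1
    r["dst"], i = t[i + 1], i + 2
    while i < len(t):                      # optional trailer: dest port, in/out, via <iface>
        if t[i] in ("in", "out"):
            r["dir"] = t[i]
        elif t[i] == "via":
            i, r["via"] = i + 1, t[i + 1]
        else:
            r["dport"] = SERVICES.get(t[i]) or int(t[i])
        i += 1
    return r

def matches(r, p):  # every field a rule leaves unspecified is a wildcard, as in ipfw
    def in_net(net, addr):
        return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    return (r["proto"] in (None, p["proto"]) and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and all(r[k] in (None, p[k]) for k in ("sport", "dport", "dir", "via")))

def first_match(rules, p):  # ipfw stops at the first hit: (1-based rule number, action)
    for n, r in enumerate(rules, 1):
        if matches(r, p):
            return n, r["action"]
    return None, "default rule"

def pkt(proto, src, dst, direction, via="ed0", sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "dir": direction, "via": via, "sport": sport, "dport": dport}

# Constructed addresses: 192.0.2.0/24 stands in for network 1 and .10 for host H1.
RULES = [parse_rule(s) for s in (
    "allow skip from any to any in",
    "allow skip from any to any out",
    "allow udp from any to any skip_cdp",
    "allow udp from any skip_cdp to any",
    "allow ip from 192.0.2.10 to any",          # H1 switched from NAT to SKIP
    "divert natd ip from any to any via ed0",
)]
# Same rules with the H1 bypass placed after the divert: H1 traffic on ed0 is NATed instead.
SHADOWED = RULES[:4] + RULES[5:] + RULES[4:5]
```

With RULES, a TCP packet from 192.0.2.10 stops at rule 5 (allow, left for SKIP) while one from 192.0.2.11 reaches rule 6 (divert natd); with SHADOWED the H1 packet hits the divert first and the bypass rule is never consulted.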
    [H1]-+-[-+-N1-+-]--[R1]--[Internet]--[R2]-+-[H2]
         |   +-S1-+                           +-[S2] (single homed)
         |                                    |
      network 1                            network 2

Jim Flowers