From owner-freebsd-net@FreeBSD.ORG Tue Jun 28 18:31:57 2005
From: .@babolo.ru
To: Jeremie Le Hen
Cc: Julian Elischer, net@freebsd.org
Date: Tue, 28 Jun 2005 22:33:58 +0400 (MSD)
Subject: Re: Julian's netowrking challenge 2005
In-Reply-To: <20050628074640.GY1283@obiwan.tataz.chchile.org>
Message-Id: <1119983638.984940.21181.nullmailer@cicuta.babolo.ru>
List-Id: Networking and TCP/IP with FreeBSD

> Hi Julian,
>
> > The challenge:
> >
> > figure out a way so that all the users on the network behind fxp0
> > can use the internet using the T1 attached to the cisco off fxp1
> > while all the advertised services (about 8 of them, few enough to
> > list by hand in rules etc.) which are also behind fxp0 but accessed by
> > NAT'd addresses from the addresses on fxp1's net are accessed solely via that
> > T1.
> >
> > [...]
> >
> > I can get the 'forward' direction easily.. i.e. incoming packets.
> >
> > It's the reverse direction that doesn't work for me.
> > I considered running 2 NATDs
> > but I need to run ipfw to identify the reverse streams to force back via
> > fxp2
> > and the only way I can do that is by using the 'fwd' command.
> > if I do that I can't divert them and if I divert them to natd first, I can't
> > 'fwd' them afterwards as the NATing is already done for the other (wrong)
> > interface.
>
> You definitely want a non-terminal "fwd" command.
> Ari Suutari has just implemented the "setnexthop" action that does the
> trick,

... or non-terminal "divert" command.

    net.inet.ip.fw.one_pass=1

    natd -i PORTI1 -o PORTO1 -a NAT1ADDR
    natd -i PORTI2 -o PORTO2 -a NAT2ADDR

    divert PORTO1 ip from server  to any out fxp1
    divert PORTO1 ip from server2 to any out fxp1
    ...
    fwd ...       ip from NAT1ADDR to any out fxp1
    divert PORTO2 ip from 192.168... to any out fxp1
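An added illustration, not part of the thread: a toy Python model of the outbound rule walk sketched in the reply above. natd rewrites the source address and reinjects the packet, ipfw resumes at the rule after the divert, and a later fwd rule can therefore match the already translated NAT address. All addresses, divert ports and the fwd target (assumed to be the cisco on the T1) are constructed stand-ins for the placeholders in the post.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed stand-ins for the post's placeholders (server, NAT1ADDR, PORTO1 ...).
SERVER, SERVER2 = "10.0.0.10", "10.0.0.11"
NAT1ADDR, NAT2ADDR = "198.51.100.2", "203.0.113.2"
T1_GATEWAY = "198.51.100.1"     # assumed fwd target: the cisco on the T1
PORTO1, PORTO2 = 8668, 8669     # divert ports of the two natd instances
NATD = {PORTO1: NAT1ADDR, PORTO2: NAT2ADDR}   # natd -o PORT -a ADDR

@dataclass
class Packet:
    src: str
    dst: str
    out_if: str
    nexthop: Optional[str] = None   # set by fwd; None means normal routing

Rule = Tuple[str, object, Callable[[Packet], bool]]

RULESET: List[Rule] = [
    ("divert", PORTO1, lambda p: p.src == SERVER and p.out_if == "fxp1"),
    ("divert", PORTO1, lambda p: p.src == SERVER2 and p.out_if == "fxp1"),
    ("fwd", T1_GATEWAY, lambda p: p.src == NAT1ADDR and p.out_if == "fxp1"),
    ("divert", PORTO2, lambda p: p.src.startswith("192.168.") and p.out_if == "fxp1"),
]

def ipfw_check(pkt: Packet, rules: List[Rule], start: int = 0) -> Packet:
    """Walk the rules from index start. A packet natd reinjects resumes at
    the rule after the divert that matched, so divert is not terminal here."""
    for i in range(start, len(rules)):
        action, arg, match = rules[i]
        if not match(pkt):
            continue
        if action == "divert":
            pkt.src = NATD[arg]                      # natd -o: alias the source
            return ipfw_check(pkt, rules, i + 1)     # resume after the divert
        if action == "fwd":
            pkt.nexthop = arg                        # fwd is terminal
            return pkt
    return pkt                                       # fell off the end: accept

def outbound(src: str, rules: List[Rule] = RULESET) -> Tuple[str, Optional[str]]:
    """Source address and next hop the packet leaves fxp1 with."""
    p = ipfw_check(Packet(src, "192.0.2.9", "fxp1"), rules)
    return p.src, p.nexthop

# Ordering pitfall from the thread: a fwd placed before the divert only ever
# sees the untranslated source, so it never matches NAT1ADDR.
MISORDERED: List[Rule] = [RULESET[2], RULESET[0], RULESET[1], RULESET[3]]
```

With RULESET the server packets leave with NAT1ADDR and the T1 next hop while LAN users get NAT2ADDR and the default route; with MISORDERED the server packets are translated but never forwarded.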