Date: Sun, 27 Jan 2002 00:22:58 -0600 (CST)
From: Nick Rogness <nick@rogness.net>
To: Allen Landsidel <all@biosys.net>
Cc: Doug Reynolds <mav@wastegate.net>, "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: multihomed routing woes..
Message-ID: <Pine.BSF.4.21.0201270016200.6340-100000@cody.jharris.com>
In-Reply-To: <20020121223922.8AAE04844F@wastegate.net>
On Mon, 21 Jan 2002, Doug Reynolds wrote:

> On Sun, 20 Jan 2002 21:15:30 -0500, Allen Landsidel wrote:
>
> >> The real problem here is that you are running publics on your
> >> inside. Why are you doing this and not using static nat for this?
> >
> > Why should I use nat if I'm paying for an IP block? The lan is not an
> > intranet, it's a bunch of "real" servers out on the internet.

You didn't understand me, sorry if I didn't explain in detail. You still
use your Public address space, except you let nat on the firewall dish
out address space via -redirect_address directives as explained by Mr.
Reynolds below.

> someone will probably tell me that this is way out of line and maybe
> twisted, and you'd probably need a killer firewall machine but here
> goes:
>
> 1) assign all your ip addresses (that you need) of your server bank LAN
> to the nic card in your main firewall machine
> 2) assign private addresses to everything
> 3) run NATD and put redirect_address statements in a configuration
> file for each one of your servers
> 4) firewall out all the ports you don't want going to whichever
> machine. i'd at least leave an ssh port open on all the servers so
> you can change the configuration.
>
> the only problem i see is that this must take up too much resources, and
> defeat the purpose of having individual servers :)

This is not entirely a bad thing to do. I would not bind the addresses
to the NIC. Instead I would route the IP block via the upstream router
to the firewall. That way no address binding is needed and natd is
still happy. Either way is still a legal play. The resources used would
be minimal if the traffic was reasonable.

> or, dump all the ips and NATD everything.
>
> the only plus on having the above config would be you'd have separate
> ip address for each host, whereas you'd have to CNAME everything just
> to NATd everything

Nick Rogness <nick@rogness.net>
 - Don't mind me...I'm just sniffing your packets
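Added example, not part of the thread and not anyone's posted configuration: a sketch of the layout Doug describes (private addresses on the server LAN, natd `redirect_address` handing each server its own public address, ipfw restricting what reaches each one), using Nick's variant of routing the public block to the firewall rather than binding aliases to its NIC. Interface names, addresses (RFC 5737 documentation ranges), the server list and the admin host are all constructed for illustration; the ssh restriction to a single admin source is a tightening of Doug's "leave ssh open on all the servers". The script only prints the generated `natd.conf`, `rc.conf` lines and ipfw rules unless `APPLY=1` is set, so it can be reviewed before anything touches a firewall.

```shell
#!/bin/sh
# Constructed example of the natd + ipfw layout discussed above.
# Kernel needs options IPFIREWALL and IPDIVERT for the divert socket.
OUT_IF=fxp0                 # outside interface, toward the upstream router
IN_IF=fxp1                  # inside interface, the server LAN
PUBLIC_NET=192.0.2.0/28     # the public block, routed by the upstream
                            # router to this firewall's outside address
PRIVATE_NET=10.0.0.0/24     # what the servers actually carry
ADMIN_HOST=203.0.113.5      # the only source allowed to reach ssh

# name  public-address  private-address  tcp-ports-to-expose (constructed)
SERVERS='www  192.0.2.10 10.0.0.10 80,443
mail 192.0.2.11 10.0.0.11 25'

# /etc/natd.conf: one redirect_address per server (private first, then
# public) maps the host to its own public address in both directions,
# so every server keeps a distinct address and no CNAME tricks are needed.
natd_conf() {
    printf 'interface %s\n' "$OUT_IF"
    printf 'same_ports yes\nuse_sockets yes\n'
    printf '%s\n' "$SERVERS" | while read -r name pub priv ports; do
        printf 'redirect_address %s %s\n' "$priv" "$pub"
    done
}

# /etc/rc.conf additions: forwarding on, natd started against the
# outside interface with the file above.
rc_conf() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="$OUT_IF"
natd_flags="-f /etc/natd.conf"
EOF
}

# ipfw rules: divert through natd first, so every later rule sees the
# translated (private) destination on inbound packets. Filtering is done
# on ingress only; rule 300 lets anything already accepted leave.
ipfw_rules() {
    cat <<EOF
-f flush
add 100 divert natd ip from any to any via $OUT_IF
add 200 allow ip from any to any via lo0
add 300 allow ip from any to any out
add 400 allow tcp from any to any established
EOF
    n=1000
    printf '%s\n' "$SERVERS" | while read -r name pub priv ports; do
        # only the published services of each server are reachable
        echo "add $n allow tcp from any to $priv $ports in via $OUT_IF setup"
        n=$((n + 10))
    done
    cat <<EOF
add 2000 allow tcp from $ADMIN_HOST to $PRIVATE_NET 22 in via $OUT_IF setup
add 3000 allow ip from $PRIVATE_NET to any in via $IN_IF
add 3100 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Dry run prints everything; APPLY=1 writes natd.conf and loads the rules
# (run as root on the firewall; rc.conf lines are still only printed).
apply() {
    if [ "$APPLY" = 1 ]; then
        natd_conf > /etc/natd.conf
        ipfw_rules | while read -r line; do ipfw $line; done
        natd -f /etc/natd.conf
    else
        echo "# /etc/natd.conf"; natd_conf
        echo "# /etc/rc.conf"; rc_conf
        echo "# ipfw"; ipfw_rules | sed 's/^/ipfw /'
        echo "# on the upstream router: route $PUBLIC_NET to this firewall's $OUT_IF address"
    fi
}

if [ "${1-}" = show ] || [ "$APPLY" = 1 ]; then
    apply
fi
```

Run `sh natd-layout.sh show` to review the generated configuration. Because the public block is routed to the firewall rather than bound as aliases, the only thing that decides which inside host answers for a public address is the `redirect_address` table, which keeps the per-server exposure list (the ipfw rules above) the single place to audit.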