Changing the NAT IP on demand?

Tillman Hodgson tillman at seekingfire.com
Mon Oct 6 08:04:20 PDT 2003


On Mon, Oct 06, 2003 at 09:43:46AM -0400, Leo Bicknell wrote:
> In a message written on Sun, Oct 05, 2003 at 08:11:05PM -0600, Nick Rogness wrote:
> > 	In addition to keeping your NAT translations (as suggested by
> > 	Wes), you need to also keep routes for those entries as well, so
> > 	that preserved traffic remains to route out the right ISP even if
> > 	a switch occurs.
> 
> You're right, however I would go with a different mechanism, but one
> I've also never tried to do.  What you want is routing based on the
> source address of the packet, not the destination as per usual.  You
> want to be able to say "source a.a.a.a goes out link A".  I've never
> tried to do it on FreeBSD (it's easy on say Cisco's, with a bit of a
> performance hit on some platforms).  

This can be done with ipfw's 'fwd' or ipf's 'pass out quick on <int>'.
It's not a clean solution, though - looking at the routing table won't
tell you that your firewall is routing some/all of the packets.

Another interesting approach is splitting NAT traffic across two lines
by destination. I'm using ipf rather than ipfw to do this, but the
principle is the same. A simplified snippet from my ipnat.rules:

  # Map all regular traffic out the cablemodem
  map rl1 192.168.23.0/24 -> rl1/32 portmap tcp/udp 48000:50000
  #   ... mirrors.accesscomm.ca goes out the ADSL line
  map rl2 from 192.168.23.0/24 to 204.83.142.81/32 -> rl2/32

Now that just changes which IP the packet is NAT'ed onto. It'll still go
out the default gateway. Sooo .... a snippet from my rc.conf:

  static_routes="foo bar baz mirrors"
  route_mirrors="204.83.142.81/32 64.201.208.254"

There, now when I NAT onto the secondary Internet connection IP it'll be
routed to the correct gateway.

I haven't looked into using 'fwd' to accomplish the routing based on
source for this situation yet (though I do use it to route some
interesting OpenVPN tunnels). I suspect that I could reduce the routing
from one route per destination down to a single 'fwd' statement,
depending on whether or not NAT happens before or after ipfw 'fwd'.

I'd also love to NAT by protocol (as you mention in the rest of your
email). If you come up with a configuration for that, please share it
with the list :-)

-T


--
>I've gone through over-stressed to physical exhaustion... what's next?
Tuesday
    - A.S.R. quote (Simon Burr & Kyle Hearn)
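To make the interplay between the ipnat map rules and the static route concrete, here is an added simulation (not part of the post above, and not IPFilter's own code). It models the route lookup choosing the egress interface and gateway first, then applying the first map rule bound to that interface; the default gateway address and the client/destination addresses other than the mirror host are constructed placeholders.

```python
import ipaddress

# Map rules transcribed from the post's ipnat.rules snippet:
# (egress interface, source net, destination net or None, translated source)
IPNAT_RULES = [
    ("rl1", "192.168.23.0/24", None,               "rl1/32"),
    ("rl2", "192.168.23.0/24", "204.83.142.81/32", "rl2/32"),
]

# Routing table as (prefix, gateway, interface). The mirrors route is the one
# from the post's rc.conf; the default route's gateway is a constructed placeholder.
DEFAULT_ROUTE = ("0.0.0.0/0", "203.0.113.1", "rl1")
MIRRORS_ROUTE = ("204.83.142.81/32", "64.201.208.254", "rl2")


def lookup_route(dst, routes):
    """Longest-prefix match, as the kernel forwarding table does."""
    best = None
    for prefix, gw, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw, ifc)
    return (best[1], best[2]) if best else (None, None)


def pick_map_rule(ifc, src, dst):
    """First map rule bound to the egress interface whose src/dst constraints match."""
    for rule_ifc, srcnet, dstnet, translated in IPNAT_RULES:
        if rule_ifc != ifc:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(srcnet):
            continue
        if dstnet and ipaddress.ip_address(dst) not in ipaddress.ip_network(dstnet):
            continue
        return translated
    return None  # no map rule: packet would leave with its private source address


def egress(src, dst, routes):
    """Return (interface, gateway, translated source) for a packet from src to dst."""
    gw, ifc = lookup_route(dst, routes)
    return ifc, gw, pick_map_rule(ifc, src, dst)
```

Running `egress("192.168.23.5", "204.83.142.81", [DEFAULT_ROUTE])` shows the failure mode the post describes: without the mirrors route the packet still leaves via rl1 and is mapped to rl1/32, and only adding MIRRORS_ROUTE sends it out rl2 via 64.201.208.254 with the rl2/32 translation.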

