Julian's networking challenge 2005

Julian Elischer julian at elischer.org
Tue Jun 28 05:08:14 GMT 2005


So for reasons that I won't go into, I find myself renumbering an entire company.
However I have a particular problem I can't figure out how to fix.

I have a gateway/firewall machine running 4.x

It has 3 interfaces:

fxp0 goes to the internal trusted network.
fxp1 goes to the internet via a T1 via a cisco box,
but is shared with another section of the company.
The company web service is advertised as coming from an address
that is on an address advertised as being on this T1. So are
other services.

fxp2 also goes to the internet via a cisco box, however nothing is using
it at the moment.

The one shared T1 is being flooded out by users behind this machine
much to the annoyance of the users on the other part of the company.
This is supposed to be their T1.

For reasons that are beyond the scope of this problem, the advertised
DNS addresses for the services advertised can not just be switched
to be via the other T1.

The network attached to fxp0 needs to be NAT'd to use the Internet
as it is using illegal numbers.

The challenge:

Figure out a way so that all the users on the network behind fxp0
can use the internet using the T1 attached to the cisco off fxp1,
while all the advertised services (about 8 of them, few enough to
list by hand in rules etc.), which are also behind fxp0 but accessed by NAT'd
addresses from the addresses on fxp1's net, are accessed solely via that T1.


[ internet ]
  |       |
T1       T1
  |       |
[cisco] [cisco]--------[other part of company]
  |       |
[fxp1]   [fxp2]
[  freebsd 4.x ]
      [fxp0]
         |
         |
-----------------------illegal numbered net(s) (e.g. 192.168.x.x)-----
                 |              |              |
             [server 1 ]     [server 2]      [lots of users]

I can get the 'forward' direction easily, i.e. incoming packets.

It's the reverse direction that doesn't work for me.
I considered running 2 natds,
but I need to run ipfw to identify the reverse streams to force back via fxp2,
and the only way I can do that is by using the 'fwd' command.
If I do that I can't divert them, and if I divert them to natd first, I can't
'fwd' them afterwards as the NATing is already done for the other (wrong)
interface.

I almost want to add a
route add FROM Server 1 via [fxp2 cisco] which I've seen people request
but until now I've never understood why..


For points:
it may be possible by making the bsd box actually 3 boxes
joined by a 10.x.x.x interface. Describe how..

Your friend with less and less hair..

julian


I sort of need a routing table based
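As an added example that is not part of Julian's post or of any reply to it: one way to write down the two-natd arrangement he is circling around, as an rc-style ipfw ruleset script for a FreeBSD 4.x box. It relies on net.inet.ip.fw.one_pass being 0, so that rule processing continues after a divert rule instead of accepting the packet, and on the fwd rule sitting on the inbound (fxp0) side so the next hop is chosen before the per-interface divert on output translates the packet. Interface names come from the post; the next-hop addresses, the server list, the natd ports and the kernel options (IPFIREWALL, IPDIVERT, IPFIREWALL_FORWARD) are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed placeholder addresses.
CISCO1=203.0.113.1      # next hop on fxp1's net (placeholder)
CISCO2=198.51.100.1     # next hop on fxp2's net (placeholder)
NATD1_PORT=8668         # natd instance bound to fxp1
NATD2_PORT=8669         # natd instance bound to fxp2
INTERNAL=192.168.0.0/16 # the illegal-numbered nets behind fxp0
SERVERS="192.168.1.10 192.168.1.11"   # advertised services (placeholder list)

# Emit the ruleset on stdout. "apply" feeds it to ipfw; anything else is a dry run.
rules() {
    # Strip translation on each external interface first; with one_pass=0 the
    # packet comes back from natd and keeps going down the list.
    echo "add 100 divert $NATD1_PORT ip from any to any in via fxp1"
    echo "add 110 divert $NATD2_PORT ip from any to any in via fxp2"
    # Replies from the listed servers must leave via fxp1's T1, whatever the
    # default route says. fwd on input picks the next hop; the packet is then
    # examined again on output, where the matching divert rule hands it to the
    # natd bound to that interface. Internal-to-internal traffic is excluded.
    for s in $SERVERS; do
        echo "add 200 fwd $CISCO1 ip from $s to not $INTERNAL in via fxp0"
    done
    # Everyone else behind fxp0 uses the other T1.
    echo "add 210 fwd $CISCO2 ip from $INTERNAL to not $INTERNAL in via fxp0"
    # Outbound translation, one natd per external interface.
    echo "add 300 divert $NATD1_PORT ip from any to any out via fxp1"
    echo "add 310 divert $NATD2_PORT ip from any to any out via fxp2"
    echo "add 65000 allow ip from any to any"
}

# Number of per-server fwd rules the generator produced (one per listed server).
count_fwd_rules() { rules | grep -c '^add 200 fwd'; }

if [ "$1" = "apply" ]; then
    # Without one_pass=0 the packet is accepted straight after the divert rule
    # and never reaches the fwd rules.
    sysctl -w net.inet.ip.fw.one_pass=0
    natd -p "$NATD1_PORT" -n fxp1
    natd -p "$NATD2_PORT" -n fxp2
    ipfw -f flush
    rules | while read -r r; do ipfw $r; done
fi
```

Run it with no arguments to inspect the generated rules, and with `apply` on the gateway to load them.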
