Julian's networking challenge 2005

Julian Elischer julian at elischer.org
Tue Jun 28 05:18:21 GMT 2005


This time with fewer typos..

Julian Elischer wrote:
>
> So for reasons that I won't go into, I find myself renumbering half of a
> company. However I have a particular problem I can't figure out how to fix.
> 
> I have a gateway/firewall machine running 4.x
> 
> It has 3 interfaces
> 
> fxp0 goes to the internal trusted network. fxp1 goes to the internet via a T1
> via a cisco box, but is shared with another section of the company. The
> company web service is advertised as coming from an address that is
> advertised as being on this T1. So are other services.
> 
> fxp2 also goes to the internet via a cisco box, however nothing is using it at
> the moment.
> 
> The one shared T1 is being flooded out by users behind this machine much to
> the annoyance of the users on the other part of the company. This is supposed
> to be their T1.
> 
> For reasons that are beyond the scope of this problem, the advertised DNS
> addresses for the services advertised cannot just be switched to be via the
> other T1.
> 
> The network attached to fxp0 needs to be NAT'd to use the Internet as it is
> using illegal numbers.
> 
> The challenge:
> 
> Figure out a way so that all the users on the network behind fxp0 can use the
> internet using the T1 attached to the cisco off fxp1 while all the advertised
> services (about 8 of them, few enough to list by hand in rules etc.) which
> are also behind fxp0 but accessed by NAT'd addresses from the range on
> fxp1's net are accessed solely via that T1.
> 
> [ internet ]
>  |       |
> T1       T1
>  |       |
> [cisco] [cisco]--------[other part of company]
>  |       |
> [fxp1]   [fxp2]
> [  freebsd 4.x ]
>      [fxp0]
>         |
>         |
> -----------------------illegal numbered net(s) (e.g. 192.168.x.x)-----
>                 |              |              |
>             [server 1 ]     [server 2]      [lots of users]
> 
> I can get the 'forward' direction easily.. i.e. incoming packets.
> 
> It's the reverse direction that doesn't work for me. I considered running 2
> NATDs but I need to run ipfw to identify the reverse streams to force back
> via fxp2 and the only way I can do that is by using the 'fwd' command. If I
> do that I can't divert them, and if I divert them to natd first, I can't 'fwd'
> them afterwards as the NATting is already done for the other (wrong)
> interface.
> 
> I almost want to add a route add FROM Server 1 via [fxp2 cisco] which I've
> seen people request but until now I've never understood why..
> 
> 
> for points:
> It may be possible by making the bsd box actually 3 boxes
> joined by a 10.x.x.x interface.  describe how..
> 
> Your friend with less and less hair..
> 
> julian


More information about the freebsd-net mailing list