Julian's networking challenge 2005

Milan Obuch net at dino.sk
Tue Jun 28 09:39:48 GMT 2005


On Tuesday 28 June 2005 09:46, Jeremie Le Hen wrote:
> Hi Julian,
>
> > The challenge:
> >
> > figure out a way so that all the users on the network behind fxp0
> > can use the internet using the T1 attached to the cisco off fxp1
> > while all the advertised services (about 8 of them, few enough to
> > list by hand in rules etc.) which are also behind fxp0 but accessed by
> > NAT'd addresses from the addresses on fxp1's net are accessed solely via
> > that T1.
> >
> > [...]
> >
> > I can get the 'forward' direction easily.. i.e. incoming packets.
> >
> > It's the reverse direction that doesn't work for me.
> > I considered running 2 NATDs
> > but I need to run ipfw to identify the reverse streams to force back via
> > fxp2
> > and the only way I can do that is by using the 'fwd' command.
> > if I do that I can't divert them and if I divert them to natd first, I
> > can't 'fwd' them afterwards as the NATing is already done for the other
> > (wrong) interface.
>
> You definitely want a non-terminal "fwd" command.
> Ari Suutari has just implemented the "setnexthop" action that does the
> trick, I think the patch [1] is waiting to be committed in -CURRENT.
> I don't think this would be really difficult to backport to RELENG_4.
>

I think this is a good solution for him. At least once I needed to solve 
something similar, no luck then...

> Hope this helps.
> Regards,
>
> [1] http://lists.freebsd.org/pipermail/freebsd-net/2005-June/007710.html
>
> PS: I'm seeing more and more requests about routing limitations in
> FreeBSD everyday, such as lack of multiple routing tables support, lack
> of source routing (as well as higher level protocol based routing).
> Are there actually some projects that are being worked on to overcome
> this ?

I used Marko Zec's virtualization patch for multiple VPN management and 
monitoring and it worked great. It does exist for 4-RELEASE, however.
I am not ready to do anything like this yet, but if someone would work on 
something similar for newer releases, I would be really willing to try it out 
and test. I need to solve some multiple VPN problem again and using a legacy 
release is the only option, but something newer would be really better.

Regards,
Milan
