Julian's networking challenge 2005

Max Laier max at love2party.net
Tue Jun 28 09:47:21 GMT 2005


On Tuesday 28 June 2005 11:39, Milan Obuch wrote:
> On Tuesday 28 June 2005 09:46, Jeremie Le Hen wrote:
> > Hi Julian,
> >
> > > The challenge:
> > >
> > > figure out a way so that all the users on the network behind fxp0
> > > can use the internet using the T1 attached to the cisco off fxp1
> > > while all the advertised services (about 8 of them, few enough to
> > > list by hand in rules etc.) which are also behind fxp0 but accessed by
> > > NAT'd addresses from the addresses on fxp1's net are accessed solely via
> > > that T1.
> > >
> > > [...]
> > >
> > > I can get the 'forward' direction easily.. i.e. incoming packets.
> > >
> > > It's the reverse direction that doesn't work for me.
> > > I considered running 2 NATDs
> > > but I need to run ipfw to identify the reverse streams to force back
> > > via fxp2
> > > and the only way I can do that is by using the 'fwd' command.
> > > if I do that I can't divert them and if I divert them to natd first, I
> > > can't 'fwd' them afterwards as the NATing is already done for the other
> > > (wrong) interface.
> >
> > You definitely want a non-terminal "fwd" command.
> > Ari Suutari has just implemented the "setnexthop" action that does the
> > trick, I think the patch [1] is waiting to be committed in -CURRENT.
> > I don't think this would be really difficult to backport to RELENG_4.
>
> I think this is a good solution for him. At least once I needed to solve
> something similar, no luck then...

Wouldn't a more general approach be better? E.g. a way to "tag" a packet
before it is sent to divert and a matching tag-lookup that can do further
action. This would make it very easy to do all kinds of stuff that needs to
know the original address instead of the translated one while avoiding code
duplication.

pf does something along these lines in case you are looking for references.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
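The tag-then-lookup scheme Max points at, sketched as a pf.conf fragment in the OpenBSD 3.x/FreeBSD 5-era syntax that pf4freebsd shipped. This is an added illustration, not code from the thread or from the pf project: the interface names fxp0 (inside) and fxp1 (T1/cisco side) come from Julian's description; the addresses, the T1 gateway, the service and the rule names are constructed. The point it shows is the one Max makes: the tag is attached while the original (pre-translation) address is still visible, and a later rule matches on the tag rather than on the address that has since been rewritten.

```conf
# Added example (not from the thread). Interface names from Julian's mail;
# every address, gateway and service below is a constructed placeholder.
ext_if  = "fxp1"            # T1 side, cisco attached
int_if  = "fxp0"            # user LAN and the advertised services
t1_gw   = "192.0.2.1"       # constructed: cisco's address on the T1 segment
int_net = "10.0.0.0/24"     # constructed
web_srv = "10.0.0.10"       # constructed: one of the ~8 advertised services

# Inbound to an advertised service: rewrite the public address to the
# internal server, and tag the state while the original destination is
# still the one that identifies "came in over the T1".
rdr on $ext_if proto tcp from any to ($ext_if) port 80 tag SVC_WEB -> $web_srv port 80

# Users behind fxp0 go out through the T1 behind its address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Tag lookup after translation: the destination is now $web_srv, so match on
# the tag instead. reply-to sends the replies of this state back out fxp1
# via the cisco, independent of the default route.
pass in on $ext_if reply-to ($ext_if $t1_gw) tagged SVC_WEB keep state

# Ordinary user traffic.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if keep state
```

Because the tag lives in the state entry, the reverse direction is handled without a second NAT instance or a post-translation fwd: the state created by the tagged pass rule carries reply-to, so return packets for the service leave via the T1 even though the rule that decided this never saw the public address.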