Network client is the same from server

Julian Elischer julian at elischer.org
Wed Feb 1 12:03:12 PST 2006


Brian Candler wrote:

>On Tue, Jan 31, 2006 at 12:42:36PM -0800, Julian Elischer wrote:
>
>>>And if I haven't any control over the second gateway? Because my client
>>>has a notebook, and he can try to connect at any place, any time :-(
>>>
>>>So, I think that is impossible to do... is it true?
>>>
>>>
>>No,
>>you should be able to do it all on your own machine I think..
>>by NATing on both interfaces, effectively putting your machine in the middle,
>>with one natd on each interface.
>>
>
>Some careful thought is needed though. Before:
>
>   192.168.0.0/24       [nat1]        [nat2]      192.168.0.0/24
>  ------+---------- GW1 -------------------- GW2 -----+-----------
>        |                                             |
>        X                                             Y
>
>After:
>
>   192.168.0.0/24                                 192.168.0.0/24
>  ------+---------- GW1 -------------------- GW2 -----+-----------
>        |     [nat1]   [nat2]                         |
>        X                                             Y
>
>In this example, the sense of 'inbound' and 'outbound' is wrong for each
>natd, which you might be able to fix using -reverse on both of them.
>
>Or:
>
>   192.168.0.0/24                                 192.168.0.0/24
>  ------+---------- GW1 -------------------- GW2 -----+-----------
>        |     [nat2]   [nat1]                         |
>        X                                             Y
>
>Here the in/out sense is the same, but now we're doing nat2's processing
>before nat1's. Is that a problem? I think it is.
>
>* Packet from 192.168.0.1 to 192.168.200.1
>  - at nat2: destination changed to 192.168.0.1
>  - at nat1: source changed to 192.168.100.1
>
>Trouble is that at the first step, the destination is now 192.168.0.1, which
>means it will be delivered back to the local LAN instead of out of the
>external interface.
>
>So a pair of natd's with -reverse and 254 -redirect_address flags each
>*might* be able to fix your problem. If it gets any more complex than this -
>let's say you need another natd for traffic destined to the public Internet,
>while traffic to 192.168.200.0/24 is nat'd down a tunnel to the second
>network - then it becomes a PITA.
>

It does work.. I've done it once..

The secret is to make sure that each natd ONLY gets the packets for the
interface for which it is responsible, so the ipfw rules are very important.
You need to make use of ipfw's interface clauses.



>I don't like natd/ipfw interaction, if you hadn't guessed :-)
>
>OTOH, it might not be easy to make work with pf either. You should only need
>two 'binat' rules, but I'm not sure how you go about reversing the in/out
>sense. There's a separate freebsd-pf mailing list which might be able to
>help.
>
>Regards,
>
>Brian.
>_______________________________________________
>freebsd-net at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-net
>To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
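
Added example (not from the thread): a small sh script that writes the two natd configurations and the ipfw rules for the "one natd per interface" layout discussed above, using the in/out sense Brian's reply arrives at (-reverse and 254 redirect_address mappings on each natd) and ipfw's interface clauses so that each natd only ever sees its own interface's packets. Interface names (em0/em1), divert ports and the 192.168.100.0/24 and 192.168.200.0/24 alias prefixes are assumptions; the kernel needs IPDIVERT and routes for both alias /24s.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: em0 faces the local
# 192.168.0.0/24 (host X), em1 faces GW2 and the far 192.168.0.0/24 (host Y).
# Local hosts are seen beyond em1 as 192.168.100.x, far hosts are seen here as
# 192.168.200.x. Divert ports, interface names and alias /24s are assumptions.
LAN_IF=em0
LINK_IF=em1
NAT1_PORT=8668   # natd responsible for $LAN_IF only
NAT2_PORT=8669   # natd responsible for $LINK_IF only

# natd config text (natd flags without the leading dash, for natd -f).
# $1 interface, $2 divert port, $3 real /24 prefix, $4 alias /24 prefix.
# "reverse yes" swaps natd's in/out sense, so this natd rewrites the source of
# packets received on $1 and the destination of packets sent on $1, which is
# the sense both natds need once they sit on the same box. One static
# redirect_address line per host gives the 254 mappings Brian estimates.
natd_conf() {
    printf 'interface %s\nport %s\nreverse yes\n' "$1" "$2"
    i=1
    while [ "$i" -le 254 ]; do
        printf 'redirect_address %s.%s %s.%s\n' "$3" "$i" "$4" "$i"
        i=$((i + 1))
    done
}

# ipfw rules as text. 'in recv IF' plus 'out xmit IF' pins every packet that
# touches an interface to that interface's natd and to nothing else, which is
# the point Julian makes. With net.inet.ip.fw.one_pass=1 (the default) the
# packet is accepted right after the divert, so each natd sees it once per pass:
# nat1 on the way in from X, nat2 on the way out to GW2, and the reverse for
# replies.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 divert $NAT1_PORT ip from any to any in recv $LAN_IF
ipfw add 110 divert $NAT1_PORT ip from any to any out xmit $LAN_IF
ipfw add 200 divert $NAT2_PORT ip from any to any in recv $LINK_IF
ipfw add 210 divert $NAT2_PORT ip from any to any out xmit $LINK_IF
ipfw add 65000 allow ip from any to any
EOF
}

# On the box itself (uncomment): write both configs, start both natds, load rules.
# natd_conf "$LAN_IF"  "$NAT1_PORT" 192.168.0 192.168.100 > /etc/natd-$LAN_IF.conf
# natd_conf "$LINK_IF" "$NAT2_PORT" 192.168.0 192.168.200 > /etc/natd-$LINK_IF.conf
# natd -f /etc/natd-$LAN_IF.conf && natd -f /etc/natd-$LINK_IF.conf
# ipfw_rules | sh
```

Check with `ipfw show` that the divert counters on rules 100/110 only grow for em0 traffic and those on 200/210 only for em1 traffic; a natd that sees a packet from the wrong interface is exactly the ordering problem Brian describes.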
