Network client is the same from server

Brian Candler B.Candler at
Wed Feb 1 05:46:39 PST 2006

On Tue, Jan 31, 2006 at 12:42:36PM -0800, Julian Elischer wrote:
> >And, if I haven't got control over the second gateway? Because my client
> >has a notebook, and he can try to connect at any place, any time :-(
> >
> >So, I think that is impossible to do... is that true?
> > 
> >
> no,
> you should be able to do it all on your own machine I think..
> by NATing on both interfaces, effectively putting your machine in the middle,
> with one natd on each interface.

Some careful thought is needed though. Before:

                   [nat1]                       [nat2]
  ------+---------- GW1 -------------------- GW2 -----+-----------
        |                                             |
        X                                             Y

  ------+---------- GW1 -------------------- GW2 -----+-----------
        |     [nat1]   [nat2]                         |
        X                                             Y

In this example, the sense of 'inbound' and 'outbound' is wrong for each
natd, which you might be able to fix using -reverse on both of them.

  ------+---------- GW1 -------------------- GW2 -----+-----------
        |     [nat2]   [nat1]                         |
        X                                             Y

Here the in/out sense is the same, but now we're doing nat2's processing
before nat1's. Is that a problem? I think it is.

* Packet from to
  - at nat2: destination changed to
  - at nat1: source changed to

Trouble is that at the first step, the destination is now, which
means it will be delivered back to the local LAN instead of out of the
external interface.

So a pair of natd's with -reverse and 254 -redirect_address flags each
*might* be able to fix your problem. If it gets any more complex than this -
let's say you need another natd for traffic destined to the public Internet,
while traffic to is nat'd down a tunnel to the second
network - then it becomes a PITA.

I don't like natd/ipfw interaction, if you hadn't guessed :-)

OTOH, it might not be easy to make work with pf either. You should only need
two 'binat' rules, but I'm not sure how you go about reversing the in/out
sense. There's a separate freebsd-pf mailing list which might be able to
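A toy model of the ordering problem described above (destination rewritten by nat2 before the kernel has chosen an egress interface, so the packet is handed back to the local LAN). This is an added example, not code from the thread or from natd/ipfw; the address plan, the interface names and the assumption that X's LAN and Y's LAN share the same prefix (my reading of the subject line) are all constructed for the illustration.

```python
"""Toy model of the two-natd ordering pitfall discussed in the thread.

Constructed example: addresses, interface names and the overlapping-prefix
assumption are mine, not from the thread or from natd's own code.
"""
import ipaddress
from dataclasses import dataclass, replace

# Assumed address plan (constructed): both LANs use 192.168.1.0/24, so Y's
# real address looks like a local host if it shows up as a destination
# before the routing decision is made.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")  # X's LAN, directly attached
ALIAS_NET = ipaddress.ip_network("10.0.0.0/24")     # how X names hosts on Y's side
X = "192.168.1.10"
Y_REAL = "192.168.1.20"   # Y's real address, same prefix as X's LAN
Y_ALIAS = "10.0.0.20"     # the address X actually sends to
X_ALIAS = "10.1.0.10"     # the source Y's side gets to see


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def nat2(p: Packet) -> Packet:
    """-redirect_address style rewrite: destination alias -> real address."""
    return replace(p, dst=Y_REAL) if p.dst == Y_ALIAS else p


def nat1(p: Packet) -> Packet:
    """Rewrite the source so Y's LAN sees a non-conflicting address."""
    return replace(p, src=X_ALIAS) if p.src == X else p


def route(dst: str) -> str:
    """Egress interface chosen from the destination address alone."""
    a = ipaddress.ip_address(dst)
    if a in LOCAL_LAN:
        return "lan_x"      # deliver on the directly attached LAN
    if a in ALIAS_NET:
        return "ext"        # toward GW2 / the tunnel to Y's network
    return "default"


def forward(p: Packet, nat_before_route: bool):
    """Return (egress interface, packet as it leaves the middle host).

    nat_before_route=True models both natd instances processing the packet on
    the X-facing side, nat2's work preceding nat1's as in the thread, so the
    destination is already Y_REAL when the egress is picked.  False models the
    translation being applied after the routing decision.
    """
    if nat_before_route:
        p = nat1(nat2(p))
        return route(p.dst), p       # routed on Y_REAL: back onto X's LAN
    egress = route(p.dst)            # routed on the alias: out the ext side
    p = nat1(nat2(p))
    return egress, p


if __name__ == "__main__":
    pkt = Packet(src=X, dst=Y_ALIAS)
    for mode in (True, False):
        egress, out = forward(pkt, nat_before_route=mode)
        print(f"nat_before_route={mode}: egress={egress} {out.src}->{out.dst}")
```

Run with the NAT steps ahead of routing and the model picks `lan_x`, which is the "delivered back to the local LAN" outcome; with routing done on the alias destination first, the same two rewrites produce a packet leaving via `ext` with both source and destination translated.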
