Routing to External IPs from Internal IPs
Matthew Seaman
m.seaman at infracaninophile.co.uk
Tue Dec 23 02:30:11 PST 2003
On Mon, Dec 22, 2003 at 06:07:24PM -0800, Jason C. Wells wrote:
> I would like to be able to set the DNS settings for my internal network to
> 209.20.215.30 and 209.20.215.31. The internal network is addressed as
> 192.168.1/24.
>
> How can I route from the internal addresses, through the internal
> interface of the firewall, to the external interface of the firewall, back
> through the port address translation to my internal nameservers?
You can do "static NAT" -- use the 'redirect_address' option for
natd(8). This will let you map an Internet address on your external
network through to an internal machine, e.g.
natd -redirect_address 192.168.1.1 209.20.215.31
This will allow external machines to access a server on your internal
network. Your internal machines should be set up so that they use
just the internal addresses -- you can't route the packets from
internal machines through natd on the external interface as you
describe. It's just the way that natd works, I'm afraid.
> If this question is too arcane, please refer me to the correct
> documentation. I don't even know where to start. Routing has always just
> magically worked on FreeBSD. I would think it would be possible to add
> some sort of manual route to the routing tables, but what do I know.
>
> The idea is to allow roamers to roam and never have to change any of their
> configuration settings, namely their DNS settings.
This does depend somewhat on how you set up the roaming access to your
network. If you create a VPN tunnel into your private network, then
the roaming users will see your internal servers just fine: no
renumbering necessary. However you will have to solve the initial
problem of making the network connections required to set up the VPN.
> Split DNS obviously can handle all other settings such as mail, time, web
> and so forth. Handling the DNS settings themselves, which are by IP
> address, proves more difficult.
Ah -- this is what DHCP is for. You can run DHCP on your internal
network to configure machines there, and also have a default lease
which dhclient(8) will fall back to when it can't find a DHCP server
-- as the man page says:
A mobile host which may sometimes need to access a network on which no
DHCP server exists may be preloaded with a lease for a fixed address on
that network. When all attempts to contact a DHCP server have failed,
dhclient will try to validate the static lease, and if it succeeds,
will use that lease until it is restarted.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH, UK
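The configuration below is an added example and is not part of Matthew's reply or of the FreeBSD documentation. It puts the natd(8) static-NAT mapping from the reply (192.168.1.1 behind 209.20.215.31) into the files FreeBSD actually reads, and adds the dhclient.conf(5) fallback lease the man-page excerpt describes. Assumed, not from the thread: fxp0 as the firewall's external interface, xl0 as the roaming laptop's LAN interface, 192.168.1.50 as the laptop's fixed address, and the lease dates.

```conf
# /etc/rc.conf on the firewall (assumed: fxp0 is the external interface)
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"            # weak: passes everything; tighten once NAT works
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"
# the public address being redirected must be configured on the external interface
ifconfig_fxp0_alias0="inet 209.20.215.31 netmask 255.255.255.255"

# /etc/natd.conf: static NAT, the same mapping as the natd command line in the reply
redirect_address 192.168.1.1 209.20.215.31

# /etc/dhclient.conf on a roaming laptop (assumed interface xl0, address 192.168.1.50):
# dhclient(8) validates and uses this lease only after every DHCP request goes unanswered
lease {
  interface "xl0";
  fixed-address 192.168.1.50;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;   # internal address, not 209.20.215.31
  renew 4 2030/1/3 00:00:01;                # assumed far-future dates
  rebind 4 2030/1/3 00:00:01;
  expire 4 2030/1/3 00:00:01;
}
```

Two things worth checking after applying this. First, redirect_address maps every port of 192.168.1.1 to the public address, so with firewall_type="open" the whole host is reachable from the Internet; add ipfw rules after the divert rule that permit only port 53 before relying on it. Second, the fallback lease names the nameserver by its internal address on purpose: as the reply says, natd will not turn packets from the inside around on the external interface, so a lease pointing at 209.20.215.31 would fail exactly on the network where the lease is meant to be used.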