VPN where local private addresses collide

Terje Elde terje at elde.net
Sat Aug 17 23:29:41 UTC 2013

On 17. aug. 2013, at 16:37, Frank Leonhardt <freebsd-doc at fjl.co.uk> wrote:
> This is just the sort of problem Google will have when it buys Facebook :-)

Probably not. If Google were to buy Facebook, I'm confident they'd be able to renumber their networks if they have to. 

> Your explanation of the foul-up possible with NAPT is well made, although not really talking about the kind of NAT used on Home/SME routers (one public address hiding many private ones) - I'm thinking of Basic NAT - one-to-one replacement, not one-to-many (i.e. static address assignment). All the router (or firewall) needs to do is swap the IP address in the header as it passes through, and swap it back when it returns. The two hosts shouldn't notice a thing.

That's a good theory. In reality, it's much more complicated. 

What about SSL/TLS for example? How would the router swap the header in an encrypted session?

(That's a likely scenario with both VoIP, teleconferencing and ftp over ssl btw.)

Swapping headers is also a bit outside the scope of NAT, and over to application level gateway. I've seen probably hundreds of attempts at such solutions, most didn't work at all, and few - if any - worked well. 

> FWIW it works pretty well without NAT if you can avoid address conflicts, and in a small installation it's possible. But consider this really trivial example:

If you're fine with the way it works without conflicts, why not just move things around? Change statically configured IPs, and narrow the DHCP scopes to avoid conflict?

> The obvious answer is IPv6, of course. I'm surprised no one has mentioned it yet.

You seemed dead set on not renumbering the networks, and moving to IPv6 would not only be just that, but also be harder than just renumbering IPv4-nets, so you answered that question for us already. 

> mpd does handle NAT (Section 4.14 of its manual). It doesn't go into great detail except to say it uses ng_nat, which in turn uses libalias (like natd). Looking at the ng_nat 'C' interface, NGM_NAT_REDIRECT_ADDR sounds like what I'm after but it all looks geared to NAPT (which is, I guess, what most people use NAT for). And I've got this nagging feeling that ipfw is going to be involved somewhere, just to make it really tricky.

If you do insist on shooting the network owner(s) in the foot, pf would probably do fine for the NAT.

Best of luck on your adventure sir, you'll need it. If not today, then some day ahead. Bring a towel. 
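As an added illustration of the one-to-one (Basic NAT) mapping that pf is suggested for above, here is a constructed pf.conf fragment for one of the two VPN gateways; it is not from this thread, and the interface names and address ranges are assumptions. Each gateway presents its own colliding LAN to the tunnel under a distinct alias network, so the two sites stop overlapping from the tunnel's point of view.

```pf
# Constructed example: VPN gateway at site A (site B mirrors it with the aliases swapped).
# Assumed: both sites use 192.168.1.0/24 on their LAN; the VPN tunnel interface is tun0;
# site A presents itself as 10.100.1.0/24 and site B as 10.100.2.0/24 (chosen aliases).
vpn_if       = "tun0"
lan_net      = "192.168.1.0/24"
site_a_alias = "10.100.1.0/24"   # how site B sees our hosts (192.168.1.x <-> 10.100.1.x)
site_b_alias = "10.100.2.0/24"   # what our hosts use to reach site B's hosts

# Static 1:1 translation of our LAN to the alias network for traffic crossing the tunnel.
# binat is bidirectional: outbound packets get their source rewritten, and packets
# arriving for 10.100.1.x are rewritten back to 192.168.1.x, preserving the host part.
binat on $vpn_if from $lan_net to $site_b_alias -> $site_a_alias

# Translation happens before filtering, so the filter sees the translated addresses.
pass out on $vpn_if from $site_a_alias to $site_b_alias
pass in  on $vpn_if from $site_b_alias to $lan_net

# Only the IP header is rewritten. Addresses carried inside payloads (FTP PORT,
# SIP/SDP) are untouched, and nothing inside TLS can be rewritten at all, so
# site A hosts must resolve site B names to 10.100.2.x, and a route for
# 10.100.2.0/24 via tun0 is required on this gateway.
```

Site B installs the mirror image (`binat on tun0 from 192.168.1.0/24 to 10.100.1.0/24 -> 10.100.2.0/24`) so that each side addresses the other only by its alias network.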


More information about the freebsd-questions mailing list