From owner-freebsd-net@FreeBSD.ORG Mon Jul 24 00:55:54 2006
From: .@babolo.ru
To: Brett Glass
Cc: net@freebsd.org
Date: Mon, 24 Jul 2006 04:58:04 +0400 (MSD)
Subject: Re: Multiple NAT router
In-Reply-To: <7.0.1.0.2.20060721105813.0971ae90@lariat.net>
Message-Id: <1153702684.732309.10933.nullmailer@cicuta.babolo.ru>
List-Id: Networking and TCP/IP with FreeBSD

> I have an application in which I'd like a FreeBSD router to have
> multiple, isolated LANs attached to it, each with the same address
> space. The FreeBSD box would take the place of multiple NAT routers.
>
> For example, I might want to have three internal Ethernet
> interfaces on the FreeBSD box. Each would be connected to a LAN
> whose internal addresses are 192.168.0.0/24. The FreeBSD box would
> do NAT for all of them, and of course they could not "see" one another.
>
> The alternatives, of course, would be to install multiple NAT
> routers -- which would be a waste -- or to number the LANs
> differently. But the organization for which I'm doing this wants
> everything about each LAN to be absolutely standard (printers at
> the same static addresses, etc.) so that their IT guys can walk in
> and know exactly how everything's numbered.
>
> Is it possible to do a "hydra headed" router such as this with
> FreeBSD? I'm not sure that FreeBSD's natd is equipped to sort
> incoming packets for multiple, identically numbered LANs properly,
> because it would have to remember interface names as well as
> addresses. Also, there would be the question of how one would
> connect inward to the machines on the LANs, since "ping
> 192.168.0.100" would be ambiguous. (Perhaps one could do it from a
> jail. In fact, perhaps the virtual NAT routers could be set up in jails....)

The most cumbersome thing is the same net on several ifaces. I'm not sure, but here is what I would do if I tried:

client interfaces: if0, if1, if2
external interface: ef0
default router for all clients: 192.168.0.1

ifconfig if0 inet 10.0.0.1/32
ifconfig if1 inet 10.0.0.2/32
ifconfig if2 inet 10.0.0.3/32
ifconfig lo0 inet 192.168.0.1/32
sysctl net.link.ether.inet.proxyall=1
ifconfig ef0 inet ...1

Ask your provider to route ...2, ...3, ...4 to ...1, and start 3 natd instances with the ...2, ...3, ...4 IP addresses.

In the internal -> external direction do the usual NAT with its own natd for each iface (try Julian Elischer's post, but do it simpler), and in the external -> internal direction mark packets before natd with, for example, marks 1, 2, 3, and after natd forward packets marked 1 to 10.0.0.1, packets marked 2 to 10.0.0.2, and so on.

Two things I am not sure about: are natd marks safe? How does ipfw forward to its own iface work? (It worked for me with route.)

Sorry for my bad English.