From: Max Laier <max@love2party.net>
To: freebsd-net@freebsd.org
Cc: Milan Obuch, Julian Elischer
Date: Tue, 28 Jun 2005 11:47:05 +0200
Subject: Re: Julian's networking challenge 2005
Message-Id: <200506281147.13299.max@love2party.net>
In-Reply-To: <200506281139.17582.net@dino.sk>
References: <42C0DB3B.6000606@elischer.org> <20050628074640.GY1283@obiwan.tataz.chchile.org> <200506281139.17582.net@dino.sk>

On Tuesday 28 June 2005 11:39, Milan Obuch wrote:
> On Tuesday 28 June 2005 09:46, Jeremie Le Hen wrote:
> > Hi Julian,
> >
> > > The challenge:
> > >
> > > figure out a way so that all the users on the network behind fxp0
> > > can use the internet using the T1 attached to the cisco off fxp1
> > > while all the advertised services (about 8 of them, few enough to
> > > list by hand in rules etc.) which are also behind fxp0 but accessed by
> > > NAT'd addresses from the addresses on fxp1's net are accessed solely via
> > > that T1.
> > >
> > > [...]
> > >
> > > I can get the 'forward' direction easily.. i.e. incoming packets.
> > >
> > > It's the reverse direction that doesn't work for me.
> > > I considered running 2 NATDs
> > > but I need to run ipfw to identify the reverse streams to force back
> > > via fxp2
> > > and the only way I can do that is by using the 'fwd' command.
> > > if I do that I can't divert them and if I divert them to natd first, I
> > > can't 'fwd' them afterwards as the NATing is already done for the other
> > > (wrong) interface.
> >
> > You definitely want a non-terminal "fwd" command.
> > Ari Suutari has just implemented the "setnexthop" action that does the
> > trick, I think the patch [1] is waiting to be committed in -CURRENT.
> > I don't think this would be really difficult to backport to RELENG_4.
>
> I think this is a good solution for him. At least once I needed to solve
> something similar, no luck then...

Wouldn't a more general approach be better? E.g. a way to "tag" a packet
before it is sent to divert and a matching tag-lookup that can do further
action. This would make it very easy to do all kinds of stuff that needs to
know the original address instead of the translated one while avoiding code
duplication.

pf does something along these lines in case you are looking for references.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
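The "tag before translation, look the tag up afterwards" idea Max points to is what pf's `tag` option on `rdr` rules, the `tagged` filter option and `reply-to` give you. The pf.conf fragment below is an added example written for this archive; it is not from the thread, from Julian's setup or from the pf project's documentation. The interface names fxp0/fxp1/fxp2 follow Julian's description, while the gateway and server addresses are placeholders (RFC 5737 and RFC 1918 ranges). Because pf translates in the kernel there is no divert/natd round trip, and the tag set on the `rdr` rule is carried with the packet and its state, so the filter rule can still tell "arrived via the T1 address" even though it only sees the already-translated internal destination:

```pf
# Interfaces (names from Julian's description)
int_if = "fxp0"          # users and the advertised services live here
t1_if  = "fxp1"          # cisco with the T1
alt_if = "fxp2"          # second uplink

# Placeholder addresses; replace with real ones
t1_gw   = "192.0.2.1"          # next hop on the T1 side
svc_web = "10.0.0.10"          # internal address of one advertised service
svc_mail = "10.0.0.11"         # another one; Julian has about eight

# Forward direction: connections that arrive on the T1 for the public
# addresses are redirected to the internal servers.  'tag' marks the
# packet before its destination is rewritten, so the origin of the
# connection survives the translation.
rdr on $t1_if proto tcp from any to ($t1_if) port 80 tag VIA_T1 -> $svc_web
rdr on $t1_if proto tcp from any to ($t1_if) port 25 tag VIA_T1 -> $svc_mail

# Users behind fxp0 are source-NAT'd on whichever uplink the routing table
# picks for them; having a rule per uplink keeps both paths usable.
nat on $t1_if  from $int_if:network to any -> ($t1_if)
nat on $alt_if from $int_if:network to any -> ($alt_if)

# Only explicitly allowed traffic enters from the uplinks.
block in on { $t1_if, $alt_if }

# Reverse direction: filter rules see the translated (internal) destination,
# so the public address is gone here; 'tagged VIA_T1' is the lookup that
# replaces it.  'reply-to' sends the replies of this state back out the T1
# via the cisco regardless of the default route, which is exactly the
# 'fwd after NAT' step that the ipfw+natd combination could not express.
pass in on $t1_if reply-to ($t1_if $t1_gw) proto tcp \
    from any to { $svc_web, $svc_mail } tagged VIA_T1 keep state

# Let the redirected connections reach the servers, and let the users'
# own outbound traffic leave on either uplink.
pass out on $int_if proto tcp to { $svc_web, $svc_mail } tagged VIA_T1 keep state
pass out on { $t1_if, $alt_if } from ($t1_if) keep state
pass out on { $t1_if, $alt_if } from ($alt_if) keep state
```

Two things worth checking when adapting this: `pfctl -s state` shows the reply-to state for each redirected connection, and `pfctl -s rules -v` shows whether the `tagged` rule is the one accumulating the counters; if the plain `block in` counter climbs instead, the `rdr` rule did not match and no tag was set, which is the pf equivalent of the "NAT done for the wrong interface" failure Julian describes.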